stunnel-5.03

Introduction to stunnel

The stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.

This package is known to build and work properly using an LFS-7.6 systemd platform.

Package Information

stunnel Dependencies

Required

OpenSSL-1.0.1i

Optional

tcpwrappers

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/stunnel

Installation of stunnel

The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user and group using the following commands as the root user:

groupadd -g 51 stunnel &&
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel
[Note]

Note

A signed SSL Certificate and a Private Key is necessary to run the stunnel daemon. Further below, after make ... install, we include instructions to generate them. However, if you own, or have already created a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access). The .pem file must be formatted as shown below:

-----BEGIN PRIVATE KEY-----
<many encrypted lines of private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many encrypted lines of certificate>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<encrypted lines of dh parms>
-----END DH PARAMETERS-----

Fix the bundled systemd unit so it does not use a deprecated dependency:

sed -i /syslog.target/d tools/stunnel.service.in

Install stunnel by running the following commands:

./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var &&
make

This package does not come with a test suite.

Now, as the root user:

make docdir=/usr/share/doc/stunnel-5.03 install

Install the systemd unit by running the following command as the root user:

install -v -m644 tools/stunnel.service /lib/systemd/system/stunnel.service

To create the stunnel.pem in the /etc/stunnel directory, you need to create one. The following command prompts you for the necessary information. Ensure you reply to the

Common Name (FQDN of your server) [localhost]:

prompt with the name or IP address you will be using to access the service(s).

To generate a certificate, as the root user, run:

make cert

Command Explanations

make docdir=... install: This command installs the package, changes the documentation installation directory to standard naming conventions.

Configuring stunnel

Config Files

/etc/stunnel/stunnel.conf

Configuration Information

As the root user, create the directory used for the .pid file that is created when the stunnel daemon starts:

install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &&
chown stunnel:stunnel /var/lib/stunnel

Next, create a basic /etc/stunnel/stunnel.conf configuration file using the following commands as the root user:

cat >/etc/stunnel/stunnel.conf << "EOF" &&
; File: /etc/stunnel/stunnel.conf

; Note: The pid and output locations are relative to the chroot location.

pid    = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert   = /etc/stunnel/stunnel.pem

;debug = 7
;output = stunnel.log

;[https]
;accept  = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

EOF
chmod -v 644 /etc/stunnel/stunnel.conf

Finally, you need to add the service(s) you wish to encrypt to the configuration file. The format is as follows:

[<service>]
accept  = <hostname:portnumber>
connect = <hostname:portnumber>

If you use stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well.

For a full explanation of the commands and syntax used in the configuration file, run man stunnel.

Systemd Units

To start the stunnel daemon at boot, enable the previously installed systemd unit by running the following command as the root user:

systemctl enable stunnel

Contents

Installed Programs: stunnel and stunnel3
Installed Library: libstunnel.so
Installed Directories: /etc/stunnel, /usr/lib/stunnel, /usr/share/doc/stunnel-5.03, and /var/lib/stunnel

Short Descriptions

stunnel

is a program designed to work as an SSL encryption wrapper between remote clients and local ({x}inetd-startable) or remote servers.

stunnel3

is a Perl wrapper script to use stunnel 3.x syntax with stunnel >=4.05.

libstunnel.so

contains the API functions required by stunnel.

Last updated on 2014-08-25 13:50:07 -0700