The stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. stunnel can also be used to tunnel PPP over network sockets without changes to the server package source code.
This package is known to build and work properly using an LFS 11.3 platform.
Download (FTP): ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-5.68.tar.gz
Download MD5 sum: c5197ffc5424af6063be530634f487e4
Download size: 868 KB
Estimated disk space required: 6.9 MB
Estimated build time: 0.1 SBU
Optional dependencies: libnsl-2.0.0, netcat (required for tests), tcpwrappers, and TOR
User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/stunnel
The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user and group using the following commands as the root user:
groupadd -g 51 stunnel &&
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel
A signed SSL Certificate and a Private Key are necessary to run the stunnel daemon. After the package is installed, there are instructions to generate them. However, if you own or have already created a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access). The .pem file must be formatted as shown below:
-----BEGIN PRIVATE KEY-----
<many encrypted lines of private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many encrypted lines of certificate>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<encrypted lines of dh parms>
-----END DH PARAMETERS-----
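The layout above is easy to get wrong when a certificate is pasted together by hand (key and certificate swapped, a missing END line, or a file left world-readable). The following shell functions, added here as an example and not part of the BLFS book or the stunnel project, check a .pem file against exactly that layout: the three PEM blocks in the order shown, balanced BEGIN/END markers, and no group/other permission bits. The function names are hypothetical, the mode and owner checks assume GNU coreutils stat, and the owner check only succeeds once the file is owned by root as the instructions require.

```sh
#!/bin/sh
# Added example (not BLFS or stunnel code): sanity checks for /etc/stunnel/stunnel.pem.

# Print the label of every "-----BEGIN <label>-----" line, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Every BEGIN marker must have an END marker, and there must be at least one block.
pem_blocks_balanced() {
    b=$(grep -c '^-----BEGIN ' "$1" || true)
    e=$(grep -c '^-----END ' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# Blocks must be: private key, then certificate, then DH parameters, and nothing else.
# Any "... PRIVATE KEY" label is accepted (assumption: PKCS#8 or traditional key files).
pem_layout_ok() {
    pem_labels "$1" | awk '
        NR == 1 && $0 ~ /PRIVATE KEY$/   { ok1 = 1; next }
        NR == 2 && $0 == "CERTIFICATE"   { ok2 = 1; next }
        NR == 3 && $0 == "DH PARAMETERS" { ok3 = 1; next }
        { bad = 1 }
        END { exit !(ok1 && ok2 && ok3 && !bad) }'
}

# The file holds a private key: group and other must have no access at all (e.g. 0600).
# Assumes GNU stat, which prints the octal mode with -c %a.
pem_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all checks on one file (default: the path the book uses) and report the first failure.
check_stunnel_pem() {
    f=${1:-/etc/stunnel/stunnel.pem}
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    pem_blocks_balanced "$f" || { echo "$f: BEGIN/END markers do not match"; return 1; }
    pem_layout_ok "$f" || { echo "$f: expected private key, certificate, DH parameters, in that order"; return 1; }
    pem_mode_ok "$f" || { echo "$f: group/other must have no access (chmod 600)"; return 1; }
    [ "$(stat -c '%U' "$f")" = root ] || { echo "$f: should be owned by root"; return 1; }
    echo "$f: ok"
}

# Usage: sh check-pem.sh [/path/to/stunnel.pem]
if [ $# -gt 0 ]; then
    check_stunnel_pem "$1"
fi
```

Run it as root after copying or generating the certificate; a file that passes matches the layout stunnel expects for the cert option below, and a failure names the first problem found.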
Install stunnel by running the following commands:
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --disable-systemd &&
make
If you have installed the optional netcat application, the regression tests can be run with make check.
Now, as the root user:
make docdir=/usr/share/doc/stunnel-5.68 install
If you do not already have a signed SSL Certificate and Private Key, create the stunnel.pem file in the /etc/stunnel directory using the command below. You will be prompted to enter the necessary information. Ensure you reply to the Common Name (FQDN of your server) [localhost]: prompt with the name or IP address you will be using to access the service(s).
To generate a certificate, as the root user, issue:
make cert
--disable-systemd: This switch disables systemd socket activation support, which is not available in BLFS.
make docdir=... install: This command installs the package and changes the documentation installation directory to standard naming conventions.
As the root user, create the directory used for the .pid file created when the stunnel daemon starts:
install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &&
chown stunnel:stunnel /var/lib/stunnel
Next, create a basic /etc/stunnel/stunnel.conf configuration file using the following commands as the root user:
cat > /etc/stunnel/stunnel.conf << "EOF"
; File: /etc/stunnel/stunnel.conf
; Note: The pid and output locations are relative to the chroot location.
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem
;debug = 7
;output = stunnel.log
;[https]
;accept = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
EOF
Finally, add the service(s) you wish to encrypt to the configuration file. The format is as follows:
[<service>]
accept = <hostname:portnumber>
connect = <hostname:portnumber>
For a full explanation of the commands and syntax used in the configuration file, issue man stunnel.
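Two details of this configuration are easy to miss: the pid path is relative to the chroot directory (so pid = /run/stunnel.pid with chroot = /var/lib/stunnel ends up at /var/lib/stunnel/run/stunnel.pid on the host, which is why the install -d step above creates that directory), and the sample file ships with every [service] section commented out, so the daemon has nothing to serve until you add one with both accept and connect. The shell functions below, added here as an example and not part of the BLFS book or the stunnel project, parse a stunnel.conf in the format shown above and check both points. The function names are hypothetical; the parser assumes the simple "key = value" and "[name]" syntax used on this page, treats lines starting with ; or # as comments, and only knows about connect-based services (a service that uses exec instead of connect would be reported as incomplete).

```sh
#!/bin/sh
# Added example (not BLFS or stunnel code): sanity checks for /etc/stunnel/stunnel.conf.

# Print the value of a global option, i.e. one set before the first [service] header.
# Exit status 1 if the option is not set globally.
conf_global() {
    awk -v key="$2" '
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }     # comments and blank lines
        /^[ \t]*\[/ { exit }                      # first service header ends the globals
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit !found }' "$1"
}

# Resolve the pid file as seen from the host: stunnel resolves "pid" after chroot,
# so the host path is <chroot><pid>. Prints the host path; exit 1 if pid is not set.
stunnel_pid_host_path() {
    chroot_dir=$(conf_global "$1" chroot) || chroot_dir=""
    pid=$(conf_global "$1" pid) || pid=""
    [ -n "$pid" ] || return 1
    printf '%s\n' "${chroot_dir%/}$pid"
}

# Walk every [service] section and require both accept and connect in each.
# Prints one line per section; exit 1 if any section is incomplete or none exist.
conf_services_ok() {
    awk '
        function check() {
            if (name == "") return
            count++
            if (have_accept && have_connect) print "[" name "]: ok"
            else { print "[" name "]: needs both accept and connect"; bad = 1 }
        }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ {
            check()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            have_accept = 0; have_connect = 0
            next
        }
        name != "" {
            k = $0; sub(/[ \t]*=.*/, "", k); gsub(/^[ \t]+/, "", k)
            if (k == "accept") have_accept = 1
            if (k == "connect") have_connect = 1
        }
        END {
            check()
            if (count == 0) { print "no [service] sections: nothing will be tunnelled"; bad = 1 }
            exit bad
        }' "$1"
}

# Check the global options the book sets, the pid directory on the host, and the services.
check_stunnel_conf() {
    conf=${1:-/etc/stunnel/stunnel.conf}
    [ -f "$conf" ] || { echo "$conf: missing"; return 1; }
    for opt in chroot setuid setgid cert; do
        conf_global "$conf" "$opt" >/dev/null || { echo "$conf: global option '$opt' not set"; return 1; }
    done
    pidpath=$(stunnel_pid_host_path "$conf") || { echo "$conf: pid not set"; return 1; }
    piddir=$(dirname "$pidpath")
    [ -d "$piddir" ] || echo "$conf: pid directory $piddir does not exist on the host"
    conf_services_ok "$conf"
}

# Usage: sh check-conf.sh [/path/to/stunnel.conf]
if [ $# -gt 0 ]; then
    check_stunnel_conf "$1"
fi
```

Running it against the file created above reports "no [service] sections" until a service is added; once each section carries an accept and a connect line the check passes, and the pid directory line confirms that the chroot-relative path lands where the install -d step put it.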
To automatically start the stunnel daemon when the system is booted, install the /etc/rc.d/init.d/stunnel bootscript from the blfs-bootscripts-20230101 package.
make install-stunnel