%general-entities; ]> $LastChangedBy: bdubbs $ $Date: 2015-02-26 23:16:43 -0500 (Thu, 26 Feb 2015) $ stunnel The stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. stunnel can be used to add SSL functionality to commonly used Inetd daemons such as POP-2, POP-3, and IMAP servers, along with standalone daemons such as NNTP, SMTP, and HTTP. stunnel can also be used to tunnel PPP over network sockets without changes to the server package source code. &lfs77_checked; Package Information Download (HTTP): Download (FTP): Download MD5 sum: &stunnel-md5sum; Download size: &stunnel-size; Estimated disk space required: &stunnel-buildsize; Estimated build time: &stunnel-time; stunnel Dependencies Required Optional tcpwrappers and TOR User Notes: The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user and group using the following commands as the root user: groupadd -g 51 stunnel && useradd -c "stunnel Daemon" -d /var/lib/stunnel \ -g stunnel -s /bin/false -u 51 stunnel A signed SSL Certificate and a Private Key is necessary to run the stunnel daemon. After the package is installed, there are instructions to generate them. However, if you own or have already created a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access). The .pem file must be formatted as shown below: -----BEGIN PRIVATE KEY----- <many encrypted lines of private key> -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- <many encrypted lines of certificate> -----END CERTIFICATE----- -----BEGIN DH PARAMETERS----- <encrypted lines of dh parms> -----END DH PARAMETERS----- Install stunnel by running the following commands: For some systems with binutils versions prior to 2.25, configure may fail. If necessary, fix it either with: sed -i '/LDFLAGS.*static_flag/ s/^/#/' configure or, if with Clang is installed, you can replace ./configure ... with CC=clang ./configure ... in the first command below. ./configure --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ --disable-systemd && make This package does not come with a test suite. Now, as the root user: make docdir=/usr/share/doc/stunnel-&stunnel-version; install If you do not already have a signed SSL Certificate and Private Key, create the stunnel.pem file in the /etc/stunnel directory using the command below. You will be prompted to enter the necessary information. Ensure you reply to the Common Name (FQDN of your server) [localhost]: prompt with the name or IP address you will be using to access the service(s). To generate a certificate, as the root user, issue: make cert --disable-systemd: This switch disables systemd socket activation support which is not available in BLFS. make docdir=... install: This command installs the package and changes the documentation installation directory to standard naming conventions. /etc/stunnel/stunnel.conf /etc/stunnel/stunnel.conf As the root user, create the directory used for the .pid file created when the stunnel daemon starts: install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run && chown stunnel:stunnel /var/lib/stunnel Next, create a basic /etc/stunnel/stunnel.conf configuration file using the following commands as the root user: cat >/etc/stunnel/stunnel.conf << "EOF" && ; File: /etc/stunnel/stunnel.conf ; Note: The pid and output locations are relative to the chroot location. pid = /run/stunnel.pid chroot = /var/lib/stunnel client = no setuid = stunnel setgid = stunnel cert = /etc/stunnel/stunnel.pem ;debug = 7 ;output = stunnel.log ;[https] ;accept = 443 ;connect = 80 ;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL ;; Microsoft implementations do not use SSL close-notify alert and thus ;; they are vulnerable to truncation attacks ;TIMEOUTclose = 0 EOF chmod -v 644 /etc/stunnel/stunnel.conf Finally, add the service(s) you wish to encrypt to the configuration file. The format is as follows: [<service>] accept = <hostname:portnumber> connect = <hostname:portnumber> If you use stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well. For a full explanation of the commands and syntax used in the configuration file, issue man stunnel. To automatically start the stunnel daemon when the system is booted, install the /etc/rc.d/init.d/stunnel bootscript from the package. stunnel make install-stunnel Installed Programs Installed Library Installed Directories stunnel and stunnel3 libstunnel.so /etc/stunnel, /usr/lib/stunnel, /usr/share/doc/stunnel-&stunnel-version;, and /var/lib/stunnel Short Descriptions stunnel is a program designed to work as an SSL encryption wrapper between remote clients and local ({x}inetd-startable) or remote servers. stunnel stunnel3 is a Perl wrapper script to use stunnel 3.x syntax with stunnel >=4.05. stunnel3 libstunnel.so contains the API functions required by stunnel. libstunnel.so