stunnel {-c} [-p pemfile] [-v level] [-a directory] [-t timeout] [-u username] [-n protocol] -r [ip:]port [ -d [ip:]port [-f] | -l program | -L program [-- args] ]
stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the source code.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
default: server mode
-T transparent proxy mode (on hosts that support it)
-p pemfile certificate (*.pem) file name
default: /usr/local/ssl/certs/stunnel.pem for server mode, none for client mode
-v level verify peer certificate
level 1 - verify peer certificate if present level 2 - verify peer certificate level 3 - verify peer with locally installed certificate default: no verify
-a directory client certificate directory for -v 3 option
default: /usr/local/ssl/certs/trusted
-t timeout session cache timeout
default: 300 s.
-u user Use IDENT (RFC 1413) username checking
-n proto Negotiate SSL with specified protocol
currenty supported: smtp
-d [ip:]port daemon mode (ip defaults to INADDR_ANY)
default: inetd mode
-f foreground mode (don't fork, log to stderr)
default: background in daemon mode
-l program [-- args]
execute local inetd-type program
-L program [-- args]
open local pty and execute program
-s username
setuid() to username in daemon mode
-g groupname
setgid() to groupname in daemon mode. Clears all other groups.-r [ip:]port connect to remote service
(ip defaults to INADDR_LOOPBACK)EXAMPLES
- In order to provide SSL encapsulation to your local imapd service, use
stunnel -d 993 -l /usr/sbin/imapd -- imapdIf you want to provide tunneling to your pppd daemon on port 2020, use something like
stunnel -d 2020 -L /usr/sbin/pppd -- pppd localCERTIFICATES
- Each SSL enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to generate them with the free openssl package. You can find more information on certificates generation on pages listed below.
Two things are important when generating certificate-key pairs for stunnel. The private key cannot be encrypted, because the server has no way to obtain the password from the user. To produce an unencrypted key add the -nodes option when running the req command from the openssl kit.
The order of contents of the .pem file is also important. It should contain the unencrypted private key first, then a signed certificate (not certificate request). There should be also empty lines after certificate and private key. Plaintext certificate information appended on the top of generated certificate should be discarded. So the file should look like this:
-----BEGIN RSA PRIVATE KEY----- [encoded key] -----END RSA PRIVATE KEY----- [empty line] -----BEGIN CERTIFICATE----- [encoded certificate] -----END CERTIFICATE----- [empty line]LIMITATIONS
- stunnel cannot be used for the FTP daemon because of the nature of the FTP protocol which utilizes multiple ports for data transfers. There are available SSL enabled versions of FTP and telnet daemons, however.
SEE ALSO
- tcpd (8), inetd (8)
http://mike.daewoo.com.pl/computer/stunnel Stunnel homepage
http://www.openssl.org OpenSSL project website
AUTHORS
- Michal Trojnara <Michal.Trojnara@centertel.pl>
Adam Hernik <adas@infocentrum.com>
Pawel Krawczyk <kravietz@ceti.com.pl>
PTY support by Dirk O. Siebnich <dok@vossnet.de>