Introduction to stunnel
The stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.
This package is known to build and work properly using an LFS-7.6 systemd platform.
Package Information
stunnel Dependencies
Required
OpenSSL-1.0.1i
Optional
tcpwrappers
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/stunnel
Installation of stunnel
The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user and group using the following commands as the root user:
groupadd -g 51 stunnel &&
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
    -g stunnel -s /bin/false -u 51 stunnel
Note
A signed SSL Certificate and a Private Key are necessary to run the stunnel daemon. Further below, after make ... install, we include instructions to generate them. However, if you own, or have already created, a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access). The .pem file must be formatted as shown below:
-----BEGIN PRIVATE KEY-----
<many encrypted lines of private key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many encrypted lines of certificate>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<encrypted lines of dh parms>
-----END DH PARAMETERS-----
Fix the bundled systemd unit so it does not use a deprecated dependency:
sed -i /syslog.target/d tools/stunnel.service.in
Install stunnel by running the following commands:
./configure --prefix=/usr \
    --sysconfdir=/etc \
    --localstatedir=/var &&
make
This package does not come with a test suite.
Now, as the root user:
make docdir=/usr/share/doc/stunnel-5.03 install
Install the systemd unit by running the following command as the root user:
install -v -m644 tools/stunnel.service /lib/systemd/system/stunnel.service
If you did not copy an existing certificate to /etc/stunnel/stunnel.pem, you need to create one. The following command prompts you for the necessary information. Ensure you reply to the
Common Name (FQDN of your server) [localhost]:
prompt with the name or IP address you will be using to access the service(s). To generate a certificate, as the root user, run:
make cert
Configuring stunnel
Config Files
/etc/stunnel/stunnel.conf
Configuration Information
As the root user, create the directory used for the .pid file that is created when the stunnel daemon starts. Because the daemon runs chrooted in /var/lib/stunnel, the pid path given in the configuration file below, /run/stunnel.pid, resolves to /var/lib/stunnel/run/stunnel.pid on the host:
install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &&
chown stunnel:stunnel /var/lib/stunnel
Next, create a basic /etc/stunnel/stunnel.conf configuration file using the following commands as the root user:
cat >/etc/stunnel/stunnel.conf << "EOF" &&
; File: /etc/stunnel/stunnel.conf
; Note: The pid and output locations are relative to the chroot location.
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem
;debug = 7
;output = stunnel.log
;[https]
;accept = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
EOF
chmod -v 644 /etc/stunnel/stunnel.conf
Finally, you need to add the service(s) you wish to encrypt to the configuration file. The format is as follows:
[<service>]
accept = <hostname:portnumber>
connect = <hostname:portnumber>
If you use stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well.
For a full explanation of the commands and syntax used in the configuration file, run man stunnel.
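As an added example (not part of the BLFS book or the stunnel package), the following POSIX sh helpers check a stunnel.pem file against the layout shown in the Note above (private key, then certificate, then DH parameters, each closed by its END marker, and no group or other access) and print a service stanza in the format just described. The function names are my own, the mode check stands in for the book's "only root has read and write access" (ownership is not verified), and GNU grep and GNU stat are assumed.

```shell
# Added example, not from the BLFS book: verify that a stunnel.pem file has the
# three PEM blocks the book requires, in the order shown, and is not readable
# by group or others. Checks the mode only; root ownership is not verified.
# Assumes GNU grep (-o) and GNU stat (-c).
check_stunnel_pem() {
    pem="$1"
    [ -f "$pem" ] || { echo "check_stunnel_pem: missing $pem" >&2; return 1; }

    # Collect the BEGIN markers in file order and compare with the expected sequence.
    got=$(grep -o '^-----BEGIN [A-Z ]*-----$' "$pem" | tr '\n' '|')
    want='-----BEGIN PRIVATE KEY-----|-----BEGIN CERTIFICATE-----|-----BEGIN DH PARAMETERS-----|'
    if [ "$got" != "$want" ]; then
        echo "check_stunnel_pem: $pem has blocks '$got', expected key, certificate, DH parameters" >&2
        return 2
    fi

    # Each BEGIN must be closed by the matching END marker.
    for blk in 'PRIVATE KEY' 'CERTIFICATE' 'DH PARAMETERS'; do
        grep -q "^-----END $blk-----$" "$pem" \
            || { echo "check_stunnel_pem: $pem lacks END $blk" >&2; return 3; }
    done

    # The file carries the private key, so group and others must have no access.
    mode=$(stat -c %a "$pem")
    case "$mode" in
        [0-9]00) ;;
        *) echo "check_stunnel_pem: $pem is mode $mode, expected 600" >&2; return 4 ;;
    esac
    return 0
}

# Print one service stanza in the format the book gives for stunnel.conf, e.g.
#   stunnel_service_stanza https 443 localhost:80 >> /etc/stunnel/stunnel.conf
stunnel_service_stanza() {
    printf '[%s]\naccept = %s\nconnect = %s\n' "$1" "$2" "$3"
}
```

Run check_stunnel_pem /etc/stunnel/stunnel.pem after copying or generating the certificate; a non-zero return code names the problem on stderr.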
Systemd Units
To start the stunnel daemon at boot, enable the previously installed systemd unit by running the following command as the root user:
systemctl enable stunnel