Stunnel

From Notes_Wiki

Home > CentOS > CentOS 6.x > Security tools > stunnel

About stunnel

Stunnel can be used to encrypt communication between network programs which normally do not support encryption. Stunnel listens on a port and forwards requests to actual daemon. When it is run in server mode, it listens for encrypted connections from client and forwards plain-text connections to local server via loop-back. When it runs in client mode, clients can connect to stunnel via localhost which connects to remote server using SSL. In some cases we can run stunnel at both ends and encrypt plain-text communication between two normal programs while it is travelling over network.

Stunnel also supports very advanced certificate options so that we can supply our own certificates for clients requesting SSL connection or verify remote SSL certificate when we are connecting to remote server as client. stunnel man page has good detailed information about various options supported by stunnel and how they can be used.

One good use of stunnel is to encrypt connection between browser and proxy server as browsers do not support SSL HTTP proxy servers yet. Example of this use case is explained at Using encrypted channels to communicate with squid proxy server.

This works better than

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25 

as it is hard to ignore self-signed certificates with openssl which is very easily achieved using verify=0 with stunnel


Example stunnel configuration

Create file mymailserver.conf (or any other name) with following contents:

fips=no

[mail]
accept=2525
client=yes
verify=0
connect=mymailserver.com:465

Then use:

stunnel <config-file>

command to start tunnel.

Verify tunnel is started using:

netstat -anlp | grep 2525

where 2525 is the accept port specified in the config file.


Home > CentOS > CentOS 6.x > Security tools > stunnel