stunnel {-c} [-p pemfile] [-v level] [-a directory] [-t timeout] [-u username] [-n protocol] -r [ip:]port [ -d [ip:]port [-f] | -l program | -L program [-- args] ]
stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the source code.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
default: server mode
-T transparent proxy mode (on hosts that support it)
-p pemfile certificate (*.pem) file name
default: /usr/local/ssl/certs/stunnel.pem for server mode, none for client mode
-v level verify peer certificate
level 1 - verify peer certificate if present level 2 - verify peer certificate level 3 - verify peer with locally installed certificate default: no verify
-a directory client certificate directory for -v 3 option
default: /usr/local/ssl/certs/trusted
-t timeout session cache timeout
default: 300 s.
-u user Use IDENT (RFC 1413) username checking
-n proto Negotiate SSL with specified protocol
currenty supported: smtp
-d [ip:]port daemon mode (ip defaults to INADDR_ANY)
default: inetd mode
-f foreground mode (don't fork, log to stderr)
default: background in daemon mode
-l program [-- args]
execute local inetd-type program
-L program [-- args]
open local pty and execute program
-s username
setuid() to username in daemon mode
-r [ip:]port connect to remote service
(ip defaults to INADDR_LOOPBACK)
stunnel -d 993 -l /usr/sbin/imapd -- imapd
If you want to provide tunneling to your pppd daemon on port 2020, use something like
stunnel -d 2020 -L /usr/sbin/pppd -- pppd local
Two things are important when generating certificate-key pairs for stunnel. The private key cannot be encrypted, because the server has no way to obtain the password from the user. To produce an unencrypted key add the -nodes option when running the req command from the openssl kit.
The order of contents of the .pem file is also important. It should contain the unencrypted private key first, then a signed certificate (not certificate request). There should be also empty lines after certificate and private key. Plaintext certificate information appended on the top of generated certificate should be discarded. So the file should look like this:
-----BEGIN RSA PRIVATE KEY----- [encoded key] -----END RSA PRIVATE KEY----- [empty line] -----BEGIN CERTIFICATE----- [encoded certificate] -----END CERTIFICATE----- [empty line]
http://mike.daewoo.com.pl/computer/stunnel Stunnel homepage
http://www.openssl.org OpenSSL project website
Adam Hernik <adas@infocentrum.com>
Pawel Krawczyk <kravietz@ceti.com.pl>
PTY support by Dirk O. Siebnich <dok@vossnet.de>