RHCE2B.COM

39. stunnel

39.1 Overview

  1. Provides encryption services for applications without modifying the application.

  2. Uses public key encryption.

  3. Packages

    stunnel

39.2 Configuration

  1. Create stunnel.pem
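    # Generate private key and self-signed certificate.
    # umask 077 keeps the unencrypted key (-nodes) unreadable by other users while it sits in /tmp.
    # Use at least a 2048-bit RSA key; 1024-bit keys are no longer considered adequate.
    
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -x509 -keyout /tmp/key -out /tmp/cert
    
    # Create stunnel.pem: private key, blank line, certificate, blank line
    
    echo >> /tmp/key
    cat /tmp/cert >> /tmp/key
    echo >> /tmp/key
    rm /tmp/cert
    mv /tmp/key /usr/share/ssl/certs/stunnel.pem
    chmod 600 /usr/share/ssl/certs/stunnel.pem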
    
    -OR-
    cd /usr/share/ssl/certs
    make stunnel.pem
    
  2. Sample IMAPS Configuration
    stunnel -d 192.168.1.20:993 -r localhost:143
    
    This starts stunnel in daemon mode (-d) and causes it to listen on port 993 of interface 192.168.1.20. Incoming SSL connections received on port 993 are decrypted and then redirected (-r) to port 143 on localhost.

    libwrap NOTE: Because stunnel uses libwrap, you need to configure access via /etc/hosts.allow and /etc/hosts.deny. When stunnel starts, it writes to /var/log/messages the service name it will check against TCP wrappers. For example, the above stunnel configuration created the following log entry:

    stunnel[1128]: Using 'localhost.143' as tcpwrapper service name
    
    You will need to use "localhost.143" as the service name in /etc/hosts.allow and /etc/hosts.deny.
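
A check for the pitfall in the libwrap note, as an added example that is not part of the original page: it reads the service names stunnel logged and reports whether hosts.allow and hosts.deny actually name them. The function names, the syslog timestamp/host prefix and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample data in demo() is constructed.

# Print the unique tcp wrapper service names that stunnel logged in file $1.
stunnel_service_names() {
    sed -n "s/.*stunnel\[[0-9]*\]: Using '\([^']*\)' as tcpwrapper service name.*/\1/p" "$1" | sort -u
}

# Succeed if access file $2 has a rule whose daemon list names $1 or ALL.
# Assumption: other hosts_access daemon patterns (e.g. daemon@host) are not handled.
has_rule() {
    awk -F: -v svc="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { n = split($1, d, /[ ,\t]+/)
          for (i = 1; i <= n; i++) if (d[i] == svc || d[i] == "ALL") found = 1 }
        END { exit(found ? 0 : 1) }' "$2"
}

# Report each logged service name and whether hosts.allow ($2) / hosts.deny ($3) cover it.
check_stunnel_wrappers() {
    for svc in $(stunnel_service_names "$1"); do
        allow=no; deny=no
        has_rule "$svc" "$2" && allow=yes
        has_rule "$svc" "$3" && deny=yes
        echo "$svc allow=$allow deny=$deny"
    done
}

demo() {
    t=$(mktemp -d)
    echo "Jan  1 00:00:00 host stunnel[1128]: Using 'localhost.143' as tcpwrapper service name" > "$t/messages"
    echo "stunnel: 192.168.1." > "$t/hosts.allow"     # wrong name: never matches
    echo "localhost.143: ALL" > "$t/hosts.deny"
    check_stunnel_wrappers "$t/messages" "$t/hosts.allow" "$t/hosts.deny"
    rm -rf "$t"
}
demo
```

In the demo, allow=no deny=yes means the allow rule written under the name "stunnel" is ignored and the deny rule blocks every client. A result of allow=no deny=no would mean TCP wrappers are not filtering the tunnel at all.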

