4.9. Using stunnel

The stunnel program is an encryption wrapper between a client and a server. It listens on the port specified in its configuration file, encrypts the communitation with the client, and forwards the data to the original daemon listening on its usual port. This way, you can secure any service that itself does not support any type of encryption, or improve the security of a service that uses a type of encryption that you want to avoid for security reasons, such as SSL versions 2 and 3, affected by the POODLE SSL vulnerability (CVE-2014-3566). See https://access.redhat.com/solutions/1234773 for details. CUPS is an example of a component that does not provide a way to disable SSL in its own configuration.

4.9.1. Installing stunnel

Install the stunnel package by running the following command as root:
~]# yum install stunnel

4.9.2. Configuring stunnel as a TLS Wrapper

To configure stunnel, follow these steps:
  1. You need a valid certificate for stunnel regardless of what service you use it with. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one, or you can create a self-signed certificate.

    Warning

    Always use certificates signed by a Certificate Authority for servers running in a production environment. Self-signed certificates are only appropriate for testing purposes or private networks.
    See Section 4.8.2.1, “Creating a Certificate Signing Request” for more information about certificates granted by a Certificate Authority. On the other hand, to create a self-signed certificate for stunnel, enter the /etc/pki/tls/certs/ directory and type the following command as root:
    certs]# make stunnel.pem
    Answer all of the questions to complete the process.
  2. When you have a certificate, create a configuration file for stunnel. It is a text file in which every line specifies an option or the beginning of a service definition. You can also keep comments and empty lines in the file to improve its legibility, where comments start with a semicolon.
    The stunnel RPM package contains the /etc/stunnel/ directory, in which you can store the configuration file. Although stunnel does not require any special format of the file name or its extension, use /etc/stunnel/stunnel.conf. The following content configures stunnel as a TLS wrapper:
    cert = /etc/pki/tls/certs/stunnel.pem
    ; Allow only TLS, thus avoiding SSL
    sslVersion = TLSv1
    chroot = /var/run/stunnel
    setuid = nobody
    setgid = nobody
    pid = /stunnel.pid
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    
    [service_name]
    accept = port
    connect = port
    TIMEOUTclose = 0
    Alternatively, you can avoid SSL by replacing the line containing sslVersion = TLSv1 with the following lines:
    options = NO_SSLv2
    options = NO_SSLv3
    The purpose of the options is as follows:
    • cert — the path to your certificate
    • sslVersion — the version of SSL; note that you can use TLS here even though SSL and TLS are two independent cryptographic protocols
    • chroot — the changed root directory in which the stunnel process runs, for greater security
    • setuid, setgid — the user and group that the stunnel process runs as; nobody is a restricted system account
    • pid — the file in which stunnel saves its process ID, relative to chroot
    • socket — local and remote socket options; in this case, disable Nagle's algorithm to improve network latency
    • [service_name] — the beginning of the service definition; the options used below this line apply to the given service only, whereas the options above affect stunnel globally
    • accept — the port to listen on
    • connect — the port to connect to; this must be the port that the service you are securing uses
    • TIMEOUTclose — how many seconds to wait for the close_notify alert from the client; 0 instructs stunnel not to wait at all
    • options — OpenSSL library options

    Example 4.10. Securing CUPS

    To configure stunnel as a TLS wrapper for CUPS, use the following values:
    [cups]
    accept = 632
    connect = 631
    Instead of 632, you can use any free port that you prefer. 631 is the port that CUPS normally uses.
  3. Create the chroot directory and give the user specified by the setuid option write access to it. To do so, enter the following commands as root:
    ~]# mkdir /var/run/stunnel
    ~]# chown nobody:nobody /var/run/stunnel
    This allows stunnel to create the PID file.
  4. If your system is using firewall settings that disallow access to the new port, change them accordingly. See Section 4.5.3.1.6, “Opening Ports in the Firewall” for details.
  5. When you have created the configuration file and the chroot directory, and when you are sure that the specified port is accessible, you are ready to start using stunnel.

4.9.3. Starting, Stopping, and Restarting stunnel

To start stunnel, enter the following command as root:
~]# stunnel /etc/stunnel/stunnel.conf
By default, stunnel uses /var/log/secure to log its output.
To terminate stunnel, kill the process by running the following command as root:
~]# kill `cat /var/run/stunnel/stunnel.pid`
If you edit the configuration file while stunnel is running, terminate stunnel and start it again for your changes to take effect.