3.6.2. Configuring stunnel as a TLS Wrapper
- You need a valid certificate for stunnel regardless of what service you use it with. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one, or you can create a self-signed cerfiticate.
WarningAlways use certificates signed by a Certificate Authority for servers running in a production environment. Self-signed certificates are only appropriate for testing purposes or private networks.To create a self-signed certificate for stunnel, enter the
/etc/pki/tls/certs/directory and type the following command as
make stunnel.pemAnswer all of the questions to complete the process.
- When you have a certificate, create a configuration file for stunnel. It is a text file in which every line specifies an option or the beginning of a service definition. You can also keep comments and empty lines in the file to improve its legibility, where comments start with a semicolon.The stunnel RPM package contains the
/etc/stunnel/directory, in which you can store the configuration file. Although stunnel does not require any special format of the file name or its extension, use
/etc/stunnel/stunnel.conf. The following content configures stunnel as a TLS wrapper:
cert = /etc/pki/tls/certs/stunnel.pem ; Allow only TLS, thus avoiding SSL sslVersion = TLSv1 chroot = /var/run/stunnel setuid = nobody setgid = nobody pid = /stunnel.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 [service_name] accept = port connect = port TIMEOUTclose = 0Alternatively, you can avoid SSL by replacing the line containing
sslVersion = TLSv1with the following lines:
options = NO_SSLv2 options = NO_SSLv3The purpose of the options is as follows:
cert— the path to your certificate
sslVersion— the version of SSL; note that you can use
TLShere even though SSL and TLS are two independent cryptographic protocols
chroot— the changed root directory in which the stunnel process runs, for greater security
setgid— the user and group that the stunnel process runs as;
nobodyis a restricted system account
pid— the file in which stunnel saves its process ID, relative to
socket— local and remote socket options; in this case, disable Nagle's algorithm to improve network latency
[service_name]— the beginning of the service definition; the options used below this line apply to the given service only, whereas the options above affect stunnel globally
accept— the port to listen on
connect— the port to connect to; this must be the port that the service you are securing uses
TIMEOUTclose— how many seconds to wait for the close_notify alert from the client;
0instructs stunnel not to wait at all
options— OpenSSL library options
Example 3.1. Securing OpenLDAPTo configure stunnel as a TLS wrapper for OpenLDAP older than 2.4.39, use the following values:
[openldap] accept = 636 connect = 389
636is the standard port for secure LDAP.
389is the port that the OpenLDAP daemon listens on.
Example 3.2. Securing CUPSSimilarly, to configure stunnel as a TLS wrapper for CUPS, use the following values:
[cups] accept = 632 connect = 631Instead of
632, you can use any free port that you prefer.
631is the port that CUPS normally uses.
- Create the
chrootdirectory and give the user specified by the
setuidoption write access to it. To do so, run the following commands as
chown nobody:nobody /var/run/stunnelThis allows stunnel to create the PID file.
- When you have created the configuration file and the
chrootdirectory, and when you are sure that the specified port is accessible, you are ready to start using stunnel.