The Stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. Stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.
Download (HTTP): http://www.stunnel.org/download/stunnel/src/stunnel-4.20.tar.gz
Download (FTP): ftp://stunnel.mirt.net/stunnel/stunnel-4.20.tar.gz
Download MD5 sum: cf9940395d3503018f721c962528d2ec
Download size: 513 KB
Estimated disk space required: 4.5 MB
Estimated build time: 0.1 SBU
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/stunnel
The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user, group and chroot home directory structure using the following commands as the root user:
groupadd -g 51 stunnel &&
useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
-g stunnel -s /bin/false -u 51 stunnel &&
install -v -m 1770 -o stunnel -g stunnel -d /var/lib/stunnel/run
A signed SSL certificate and its private key are necessary to run the stunnel daemon. If you own, or have already created, a signed SSL certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root can read and write the file, i.e. mode 600 owned by root); otherwise you will be prompted to create one during the installation process. The private key must be stored unencrypted (no passphrase): a daemon started at boot has no terminal on which to supply one, so the key is protected by the file permissions alone. The .pem file must be formatted as shown below, key first, then certificate:
-----BEGIN RSA PRIVATE KEY-----
<many base64-encoded lines of the unencrypted private key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many base64-encoded lines of the certificate>
-----END CERTIFICATE-----
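The following script is an added example, not part of the stunnel package or the BLFS book. make_selfsigned_pem creates a self-signed certificate and an unencrypted key in the layout shown above (the output path and the CN are assumptions), and check_pem verifies before the daemon is started that a stunnel.pem has exactly one private key block, that the key carries no passphrase, that a certificate block is present, and that group and other have no permission bits. The demonstration at the end runs on constructed placeholder files, so it needs no openssl binary.

```shell
#!/bin/sh
# Added example (not part of stunnel or the BLFS book): create and sanity-check
# an stunnel.pem in the layout shown above. File names and the CN are assumptions.

# make_selfsigned_pem OUT CN: write a self-signed certificate and an unencrypted
# private key into OUT, key first, then certificate. -nodes leaves the key
# without a passphrase, which the unattended daemon requires. CN must be the
# host name or address clients will use to reach the service.
make_selfsigned_pem() {
    out=$1; cn=$2
    ( umask 077 &&
      openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
          -subj "/CN=$cn" -keyout "$out.key" -out "$out.crt" 2>/dev/null &&
      cat "$out.key" "$out.crt" > "$out" &&
      rm -f "$out.key" "$out.crt" )
}

# check_pem FILE: return 0 if FILE is usable by the daemon, 1 otherwise, with
# the reason on stderr. Checks: exactly one private key block that is not
# passphrase-protected, at least one certificate block, and no group or other
# permission bits (the file must be readable by root only).
check_pem() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }

    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    [ "$keys" -eq 1 ] \
        || { echo "$f: expected 1 private key block, found $keys" >&2; return 1; }

    # Passphrase-protected keys carry a Proc-Type header (traditional PEM)
    # or an ENCRYPTED PRIVATE KEY block (PKCS#8).
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "$f: private key is passphrase-protected" >&2; return 1
    fi

    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "$f: no certificate block" >&2; return 1; }

    # Columns 5-10 of 'ls -l' output are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "$f: mode must be 0600, group/other bits are '$perms'" >&2; return 1; }
    return 0
}

# Demonstration on constructed placeholder files (the base64-looking lines
# are filler, not real key material), so it runs without openssl.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEowIBAAKCAQEAplaceholder' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'MIIDplaceholder' '-----END CERTIFICATE-----' > "$d/good.pem"
    chmod 600 "$d/good.pem"
    check_pem "$d/good.pem" && echo "good.pem: ok"

    # Same layout, but the key block is passphrase-protected: rejected.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'MIIDplaceholder' '-----END CERTIFICATE-----' > "$d/encrypted.pem"
    chmod 600 "$d/encrypted.pem"
    check_pem "$d/encrypted.pem" || echo "encrypted.pem: rejected as expected"
    rm -rf "$d"
}
demo
```

To use the generator for a real install, run something like make_selfsigned_pem /etc/stunnel/stunnel.pem mail.example.org as root before make install, then check_pem /etc/stunnel/stunnel.pem; the installer will then skip its own certificate prompt.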
Install Stunnel by running the following commands:
sed -i 's|nogroup|stunnel|g' configure &&
sed -i 's|$(prefix)/var/lib|$(localstatedir)|' tools/Makefile.in &&
sed -i 's|doc/stunnel|&-$(VERSION)|' {,doc/,tools/}Makefile.in &&
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/lib \
--disable-libwrap &&
make
This package does not come with a test suite.
Now, as the root user:
make install
sed -i 's|nogroup|stunnel|g' configure: This command is used to change the default group for the installed files in /var/lib/stunnel from nogroup to stunnel.
sed -i '...' tools/Makefile.in: This command ensures that the chroot jail will be located in /var/lib/stunnel instead of /usr/var/lib/stunnel.
sed -i '...' {,doc/,tools/}Makefile.in: This command modifies the location of the installed documentation files to a versioned directory.
--sysconfdir=/etc: This parameter forces the configuration directory to /etc instead of /usr/etc.
--localstatedir=/var/lib: This parameter sets the installation to use /var/lib/stunnel instead of creating and using /usr/var/stunnel.
--disable-libwrap: This parameter is required if you don't have tcpwrappers installed. Remove the parameter if tcpwrappers is installed.
make install: This command installs the package and, if you did not copy a stunnel.pem file to the /etc/stunnel directory, prompts you for the necessary information to create one. Ensure you reply to the
Common Name (FQDN of your server) [localhost]:
prompt with the name or IP address you will be using to access the service(s); clients that verify the certificate compare it against the name they connected to.
Create a basic /etc/stunnel/stunnel.conf configuration file using the following commands. Note that when chroot is set, stunnel interprets the pid path relative to the chroot directory, so the pid file is actually created as /var/lib/stunnel/run/stunnel.pid; that is why the run directory, writable by the stunnel user, was created above:
cat >/etc/stunnel/stunnel.conf << "EOF" &&
# File: /etc/stunnel/stunnel.conf
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
EOF
chmod -v 644 /etc/stunnel/stunnel.conf
Next, you need to add the service(s) you wish to encrypt to the configuration file, one stanza per service. The format is as follows:
[<service>]
accept = <hostname:portnumber>
connect = <hostname:portnumber>
accept is the address and port on which stunnel listens for SSL connections (the hostname part may be omitted to listen on all interfaces); connect is the plaintext backend it forwards each decrypted connection to. Keep connect on the loopback address (127.0.0.1:<port>) whenever the backend runs on the same host, so the unencrypted leg never leaves the machine.
If you use Stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well.
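The script below is an added example, not part of the stunnel package or the BLFS book, that assembles a complete configuration in the format just described and checks it before the daemon is (re)started. write_global reproduces the global section from this page, add_service appends one stanza, and check_conf rejects a file in which a stanza lacks accept or connect, no stanza exists, or the global section has lost the chroot/setuid/setgid privilege-dropping options. The service names and ports (pop3s 995 and imaps 993, as registered in /etc/services, forwarding to the plaintext daemons on the loopback address) and the temporary output path are assumptions.

```shell
#!/bin/sh
# Added example (not part of stunnel or the BLFS book): build an
# stunnel.conf with service stanzas in the format above and check it before
# (re)starting the daemon. Service names, ports and output path are assumptions.

# write_global FILE: the global section from this page. The pid path is
# resolved inside the chroot, so the file lands in /var/lib/stunnel/run.
write_global() {
    cat > "$1" << "EOF"
# File: /etc/stunnel/stunnel.conf
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
EOF
}

# add_service FILE NAME ACCEPT CONNECT: append one [NAME] stanza.
# Pointing connect at 127.0.0.1 keeps the plaintext side off the network.
add_service() {
    printf '\n[%s]\naccept = %s\nconnect = %s\n' "$2" "$3" "$4" >> "$1"
}

# check_conf FILE: return 0 if every service stanza has both accept and
# connect, at least one stanza exists, and the global section keeps the
# privilege-dropping options (chroot, setuid, setgid). Problems go to stderr.
check_conf() {
    awk '
        function flush() {
            if (!acc || !con) {
                printf "[%s]: needs both accept and connect\n", sec > "/dev/stderr"
                bad = 1
            }
            n++
        }
        BEGIN { bad = 0; n = 0; want["chroot"] = 1; want["setuid"] = 1; want["setgid"] = 1 }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        /^[ \t]*\[.*\]/ {                              # start of a service stanza
            if (sec != "") flush()
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            acc = 0; con = 0; next
        }
        /^[ \t]*[A-Za-z]+[ \t]*=/ {                    # option = value
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=.*$/, "", key)
            if (sec == "") { global[key] = 1 }
            else if (key == "accept") { acc = 1 }
            else if (key == "connect") { con = 1 }
            next
        }
        END {
            if (sec != "") flush()
            if (n == 0) { print "no service stanza defined" > "/dev/stderr"; bad = 1 }
            for (k in want) if (!(k in global)) {
                printf "global section: missing %s\n", k > "/dev/stderr"; bad = 1
            }
            exit bad
        }' "$1"
}

# Demonstration: POP3 and IMAP behind their standard SSL ports, forwarding
# to the plaintext daemons on the loopback address.
conf=$(mktemp) || exit 1
write_global "$conf"
add_service "$conf" pop3s 995 127.0.0.1:110
add_service "$conf" imaps 993 127.0.0.1:143
check_conf "$conf" && echo "$conf: ok"
cat "$conf"
rm -f "$conf"
```

For a real install, point write_global at /etc/stunnel/stunnel.conf and chmod it to 644 as the page does. Once the daemon is running, openssl s_client -connect localhost:995 should show the certificate and then the POP3 server greeting; that confirms both the SSL listener and the plaintext connect target are working.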
For a full explanation of the commands and syntax used in the configuration file, run man stunnel. To see a BLFS example of an actual setup of a stunnel encrypted service, read the section called “Configuring SWAT” in the Samba instructions.
To automatically start the stunnel daemon when the system
is rebooted, install the /etc/rc.d/init.d/stunnel bootscript from the
blfs-bootscripts-20060910 package.
make install-stunnel
Last updated on 2007-04-04 21:42:53 +0200