Beyond Linux^® From Scratch - Version 6.3

Chapter 4. Security

Prev
Cyrus SASL-2.1.22
Next
Sudo-1.6.9p15
Up
Home

Stunnel-4.21

Introduction to Stunnel

The Stunnel package contains a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) so you can easily communicate with clients over secure channels. Stunnel can be used to add SSL functionality to commonly used Inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the server package source code.

Package Information

Download (HTTP): http://www.stunnel.org/download/stunnel/src/stunnel-4.21.tar.gz
Download (FTP): ftp://stunnel.mirt.net/stunnel/stunnel-4.21.tar.gz
Download MD5 sum: 1eaec5228979beca4d548f453304e311
Download size: 528 KB
Estimated disk space required: 5 MB
Estimated build time: 0.1 SBU

Additional Downloads

Required patch: http://www.linuxfromscratch.org/patches/blfs/6.3/stunnel-4.21-setuid-1.patch

Stunnel Dependencies

Required

OpenSSL-0.9.8g

Optional

TCP Wrapper-7.6

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/stunnel

Installation of Stunnel

The stunnel daemon will be run in a chroot jail by an unprivileged user. Create the new user and group using the following commands as the root user:

groupadd -g 51 stunnel &&
useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel

Note

A signed SSL Certificate and a Private Key is necessary to run the stunnel daemon. If you own, or have already created a signed SSL Certificate you wish to use, copy it to /etc/stunnel/stunnel.pem before starting the build (ensure only root has read and write access), otherwise you will be prompted to create one during the installation process. The .pem file must be formatted as shown below:

-----BEGIN RSA PRIVATE KEY-----
<many encrypted lines of unencrypted key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<many encrypted lines of certificate>
-----END CERTIFICATE-----

Install Stunnel by running the following commands:

patch -Np1 -i ../stunnel-4.21-setuid-1.patch &&

sed -i 's|nogroup|stunnel|g' configure &&
sed -i 's|$(prefix)/var/lib|$(localstatedir)|' tools/Makefile.in &&

./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var/lib \
            --disable-libwrap &&
make

This package does not come with a test suite.

Now, as the root user:

make docdir=/usr/share/doc/stunnel-4.21 install

Command Explanations

sed -i 's|nogroup|stunnel|g' configure: This command is used to change the default group for the installed files in /var/lib/stunnel from nogroup to stunnel.

sed -i '...' tools/Makefile.in: This command ensures that the chroot jail will be located in /var/lib/stunnel instead of /usr/var/lib/stunnel.

--sysconfdir=/etc: This parameter forces the configuration directory to /etc instead of /usr/etc.

--localstatedir=/var/lib: This parameter sets the installation to use /var/lib/stunnel instead of creating and using /usr/var/stunnel.

--disable-libwrap: This parameter is required if you don't have tcpwrappers installed. Remove the parameter if tcpwrappers is installed.

make docdir=... install: This command installs the package, changes the documentation installation directory to standard naming conventions and, if you did not copy an stunnel.pem file to the /etc/stunnel directory, prompts you for the necessary information to create one. Ensure you reply to the

Common Name (FQDN of your server) [localhost]:

prompt with the name or IP address you will be using to access the service(s).

Configuring Stunnel

Config Files

/etc/stunnel/stunnel.conf

Configuration Information

As the root user, create the directory used for the .pid file that is created when the Stunnel daemon starts:

install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run

Next, create a basic /etc/stunnel/stunnel.conf configuration file using the following commands as the root user:

cat >/etc/stunnel/stunnel.conf << "EOF" &&
; File: /etc/stunnel/stunnel.conf

pid    = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel

EOF
chmod -v 644 /etc/stunnel/stunnel.conf

Finally, you need to add the service(s) you wish to encrypt to the configuration file. The format is as follows:

[<service>]
accept  = <hostname:portnumber>
connect = <hostname:portnumber>

If you use Stunnel to encrypt a daemon started from [x]inetd, you may need to disable that daemon in the /etc/[x]inetd.conf file and enable a corresponding <service>_stunnel service. You may have to add an appropriate entry in /etc/services as well.

For a full explanation of the commands and syntax used in the configuration file, run man stunnel. To see a BLFS example of an actual setup of an stunnel encrypted service, read the the section called “Configuring SWAT” in the Samba instructions.

Boot Script

To automatically start the stunnel daemon when the system is rebooted, install the /etc/rc.d/init.d/stunnel bootscript from the blfs-bootscripts-20080816 package.

make install-stunnel

Installed Programs: stunnel and stunnel3

Installed Library: libstunnel.so

Installed Directories: /etc/stunnel, /usr/lib/stunnel, /usr/share/doc/stunnel-4.21 and /var/lib/stunnel

Short Descriptions

stunnel	is a program designed to work as an SSL encryption wrapper between remote clients and local ({x}inetd-startable) or remote servers.
stunnel3	is a Perl wrapper script to use stunnel 3.x syntax with stunnel >=4.05.
`libstunnel.so`	contains the API functions required by Stunnel.

Last updated on 2008-08-11 13:33:19 -0500

Prev
Cyrus SASL-2.1.22
Next
Sudo-1.6.9p15
Up
Home

Beyond Linux® From Scratch - Version 6.3