stunnel is a great tool. It allows you to encrypt TCP connections inside SSL.
And it's available for both Unix and Windows. I use it to hide various traffic, including the cvsup
I run to update this website and the zone files on my DNS servers. See stunnel - another way to avoid plain text passwords
and stunnel - encryption and security for my previous articles.
Recently, stunnel 4.0 came out with many new improvements. Much to the annoyance
of some users, the command line parameters changed drastically. Personally, I thought that was a good thing.
Version 4 uses a configuration file, and comes with enhanced capability. I like it.
This article will compare my old command line format with the new configuration file format. Hopefully that will
help you along the way.
Note that I've had success in mixing v3 and v4 of stunnel. Specifically, I've run v4 on my clients and v3 on the server.
With the success there, I'm quite sure that it would work the other way around too.
man pages - make the migration easier
If you are upgrading to version 4, you probably already have that man page. But what you may not have is the
version 3 man page. I found that having the old man page greatly simplified
the conversion process. Just look up the old parameter, find out what it does, then look up the same option
on the version 4 man page.
How did I create these html files? Like this:
nroff -man ~/tmp/stunnel-3.22/stunnel.8 | man2html -title "stunnel(8) - version 3" > stunnel-v3-man.html
man stunnel | man2html -title "stunnel(8) - version 4" > stunnel-v4-man.html
This section compares the old and new startup scripts (/usr/local/etc/rc.d/stunnel.sh).
As you can see, the old script put the parameters right in the script. I prefer the new format.
Old code:
#!/bin/sh
# Where is the program
STUNNEL="/usr/local/sbin/stunnel"
case "$1" in
start)
${STUNNEL} -c -d localhost:5999 -r 192.168.0.73:6000
;;
esac
New code:
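The following is an added example of what the version 4 startup script can look like; it is not the script from this article. All paths are assumptions (the binary, the config file and the pid file), and PIDFILE must agree with the "pid =" line inside stunnel.conf. Beyond the plain "start the daemon with its config file" step, it adds one check a practitioner usually wants: the .pem named by "cert =" holds the private key, so the script refuses to start if that file is readable by group or others.

```shell
#!/bin/sh
# Added example of a stunnel 4 style /usr/local/etc/rc.d/stunnel.sh.
# Paths below are assumptions; PIDFILE must match "pid =" in stunnel.conf.
STUNNEL="/usr/local/sbin/stunnel"
CONFIG="/usr/local/etc/stunnel/stunnel.conf"
PIDFILE="/var/run/stunnel.pid"

# stunnel 4 takes the configuration file as its argument: every former
# -c/-d/-r flag now lives inside that file, so the command line shrinks to this.
stunnel_cmd() {
    echo "${STUNNEL} ${CONFIG}"
}

# Pull the first "cert = <file>" line out of a config file.
cert_path() {
    sed -n 's/^[[:space:]]*cert[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# The .pem contains the private key: succeed only if neither group nor
# others can read it. ls(1) output is used so this works on BSD and GNU alike.
key_perms_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????r*|???????r*) return 1 ;;   # group-readable or world-readable
    esac
    return 0
}

stunnel_start() {
    [ -r "$CONFIG" ] || { echo "stunnel: missing $CONFIG" >&2; return 1; }
    key=$(cert_path "$CONFIG")
    if [ -n "$key" ] && ! key_perms_ok "$key"; then
        echo "stunnel: $key is readable by group/others; chmod 600 it first" >&2
        return 1
    fi
    echo "starting: $(stunnel_cmd)"
    "$STUNNEL" "$CONFIG"
}

stunnel_stop() {
    [ -r "$PIDFILE" ] && kill "$(cat "$PIDFILE")"
}

case "${1:-}" in
    start) stunnel_start ;;
    stop)  stunnel_stop ;;
    "")    ;;                      # no argument: only define the functions
    *)     echo "Usage: $0 {start|stop}" >&2; exit 64 ;;
esac
```

The permission check is deliberately done on the path the config actually names rather than on a hard-coded file, so it keeps working when the certificate is moved.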
I will provide a one-to-one mapping for each parameter used in the above example.
That should help you get started. The configuration file is /usr/local/etc/stunnel/stunnel.conf.
The following is for a client.
See man stunnel for more information.
Old parameters                        New parameters
-p /usr/local/etc/stunnel.pem         cert = /usr/local/etc/stunnel/stunnel.pem
-s stunnel                            setuid = stunnel
-g stunnel                            setgid = stunnel
-c                                    client = yes
-d                                    foreground = no (default: background in daemon mode)
localhost:5999                        accept = 5999
-r 192.168.0.73:6000                  connect = 192.168.0.73:6000
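To make the mapping above mechanical, here is an added example (not from the article) of a small shell function that takes a version 3 command line and prints the equivalent version 4 configuration file. It handles exactly the flags in the table (-p, -s, -g, -c, -d, -r) and rejects anything else. It goes one step beyond the table in one respect: when -d carries a host part, as in localhost:5999, the host is kept in the accept line, so the version 4 listener stays bound to the loopback interface rather than to every interface.

```shell
#!/bin/sh
# Added example: translate a stunnel 3 command line into a stunnel 4 config.
# Only the flags from the mapping table are handled; others are rejected.
v3_to_v4() {
    cert=""; uid=""; gid=""; client="no"; daemon="no"; accept=""; connect=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -p) cert="$2"; shift ;;                   # -p pemfile      -> cert =
            -s) uid="$2"; shift ;;                    # -s user         -> setuid =
            -g) gid="$2"; shift ;;                    # -g group        -> setgid =
            -c) client="yes" ;;                       # -c              -> client = yes
            -d) daemon="yes"; accept="$2"; shift ;;   # -d [host:]port  -> foreground = no, accept =
            -r) connect="$2"; shift ;;                # -r host:port    -> connect =
            *)  echo "v3_to_v4: unsupported stunnel 3 option: $1" >&2; return 1 ;;
        esac
        shift
    done
    if [ -z "$accept" ] || [ -z "$connect" ]; then
        echo "v3_to_v4: both -d and -r are required" >&2
        return 1
    fi
    # Global section: options that apply to the whole daemon
    [ -n "$cert" ] && printf 'cert = %s\n' "$cert"
    [ -n "$uid" ]  && printf 'setuid = %s\n' "$uid"
    [ -n "$gid" ]  && printf 'setgid = %s\n' "$gid"
    printf 'client = %s\n' "$client"
    [ "$daemon" = "yes" ] && printf 'foreground = no\n'
    # Service section, named after the listening port; the host part of -d
    # (if any) is kept so the listener stays bound where it was before
    printf '\n[%s]\n' "${accept##*:}"
    printf 'accept = %s\n' "$accept"
    printf 'connect = %s\n' "$connect"
}

# Usage: the client line from the old startup script
v3_to_v4 -c -d localhost:5999 -r 192.168.0.73:6000
```

Run with the server-side flags instead (no -c, -d 6000 -r 5999) and it prints client = no with a [6000] section, which is the shape of the server file shown further down.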
A sample client configuration file
Here is the configuration file I use on my web server in order to access my webserver. The IP address
has been changed.
# PID is created inside chroot jail
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
client = no
[5999]
accept = 6000
connect = 5999
The major differences are highlighted in bold:
The client parameter differs (well, duh...)
The client accepts connections on localhost port 5999
The client talks to the server at 192.168.0.73 on port 6000
The server accepts connections on localhost port 6000
The server directs connections on port 6000 to port 5999
One of my favourite tools
stunnel is one of my basic tools. I use it every day. And it just sits there. And runs. I've never had to restart
the stunnel daemon because it has failed. It's great. And very low overhead. A great tool.
If you've ever worried about getting TCP traffic from one place to another securely and secretly, then
stunnel is for you.