3.6.2. Configuring stunnel as a TLS Wrapper
To configure stunnel, follow these steps:
- You need a valid certificate for stunnel regardless of what service you use it with. If you do not have a suitable certificate, you can apply to a Certificate Authority to obtain one, or you can create a self-signed certificate.
Warning
Always use certificates signed by a Certificate Authority for servers running in a production environment. Self-signed certificates are only appropriate for testing purposes or private networks.
To create a self-signed certificate for stunnel, enter the /etc/pki/tls/certs/ directory and type the following command as root:

    certs]# make stunnel.pem

Answer all of the questions to complete the process. The resulting stunnel.pem holds the private key together with the certificate, so keep it readable by root only.
- When you have a certificate, create a configuration file for stunnel. It is a text file in which every line specifies an option or the beginning of a service definition. You can also keep comments and empty lines in the file to improve its legibility; comments start with a semicolon. The stunnel RPM package contains the /etc/stunnel/ directory, in which you can store the configuration file. Although stunnel does not require any special format of the file name or its extension, use /etc/stunnel/stunnel.conf. The following content configures stunnel as a TLS wrapper:

    cert = /etc/pki/tls/certs/stunnel.pem
    ; Allow only TLS, thus avoiding SSL
    sslVersion = TLSv1
    chroot = /var/run/stunnel
    setuid = nobody
    setgid = nobody
    pid = /stunnel.pid
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1

    [service_name]
    accept = port
    connect = port
    TIMEOUTclose = 0
Alternatively, you can avoid SSL by replacing the line containing sslVersion = TLSv1 with the following lines:

    options = NO_SSLv2
    options = NO_SSLv3

This form is generally preferable: sslVersion = TLSv1 pins stunnel to TLS 1.0 and nothing else, whereas the two options lines refuse only SSLv2 and SSLv3 and leave every TLS version supported by the OpenSSL library negotiable.
The purpose of the options is as follows:
cert — the path to your certificate; for stunnel this file also holds the private key unless a separate key option is given
sslVersion — the protocol version to use; the option keeps its historical name, but TLS is the successor of SSL and TLS version names are accepted here
chroot — the changed root directory in which the stunnel process runs, for greater security
setuid, setgid — the user and group that the stunnel process runs as; nobody is a restricted system account
pid — the file in which stunnel saves its process ID, relative to chroot
socket — local and remote socket options; in this case, disable Nagle's algorithm to improve network latency
[service_name] — the beginning of the service definition; the options used below this line apply to the given service only, whereas the options above affect stunnel globally
accept — the port to listen on
connect — the port to connect to; this must be the port that the service you are securing uses. The wrapped service should itself listen on the loopback interface only, otherwise clients can still reach it in plaintext on that port and bypass stunnel
TIMEOUTclose — how many seconds to wait for the close_notify alert from the client; 0 instructs stunnel not to wait at all
options — OpenSSL library options
Example 3.1. Securing OpenLDAP
To configure stunnel as a TLS wrapper for OpenLDAP older than 2.4.39, use the following values:

    [openldap]
    accept = 636
    connect = 389

636 is the standard port for secure LDAP. 389 is the port that the OpenLDAP daemon listens on.
Example 3.2. Securing CUPS
Similarly, to configure stunnel as a TLS wrapper for CUPS, use the following values:

    [cups]
    accept = 632
    connect = 631

Instead of 632, you can use any free port that you prefer. 631 is the port that CUPS normally uses.
- Create the chroot directory and give the user specified by the setuid option write access to it. To do so, run the following commands as root:

    ~]# mkdir /var/run/stunnel
    ~]# chown nobody:nobody /var/run/stunnel

This allows stunnel to create the PID file.
- If your system is using firewall settings that disallow access to the new port, change them accordingly. See Section 2.8.2.4, “Other Ports” in Section 2.8, “Firewalls” for details.
- When you have created the configuration file and the chroot directory, and when you are sure that the specified port is accessible, you are ready to start using stunnel.