
# stunnel - An SSL encryption wrapper
 
stunnel (https://www.stunnel.org/) is a transparent encryption wrapper that can be used to tunnel unencrypted connections over an encrypted SSL tunnel.
 
## Installation
 
You may install the package `stunnel` in the pakfire web interface or on command line by running:
 
`pakfire install stunnel`
 
## Configuration
 
stunnel is configured on the command line by editing its configuration file `/etc/stunnel/stunnel.conf`. You should also place your certificates in the `/etc/stunnel` directory.
 
stunnel can operate in two modes. In **server mode** it works as a transparent proxy in front of a server: clients that connect to it must first negotiate an SSL connection and can then talk to the server behind it (like POP3S). **Client mode** does the opposite. Clients connecting to stunnel running in client mode establish a plain-text connection, and stunnel creates an SSL tunnel to the remote server.
 
### Server Mode
 
To run stunnel in server mode, you will need to create a certificate. If you already have a certificate you want to use, you may copy the certificate and the private key into `stunnel.pem` in the PEM format and you are done. Otherwise, you may generate a self-signed certificate as shown further below.
 
The common name (CN) of the certificate should match the hostname of the server stunnel is running on.
 
Then you will need to add at least one service like this:
 
```ini
[ipfire-smtp]
accept = 465
connect = 25
```
 
With this service, stunnel listens on port 465; a client that connects to that port must negotiate an SSL tunnel and is then automatically connected to port 25. This example extends your locally running mail server to accept mail over SMTP-over-SSL.
 
#### Create a self-signed certificate
 
This section briefly shows the commands that need to be executed.
 
```shell
cd /etc/stunnel
# Generate a 2048-bit RSA private key
openssl genrsa -out stunnel.key 2048
# Create a certificate signing request; enter the server's hostname as the Common Name
openssl req -new -key stunnel.key -out stunnel.csr
# Self-sign the request, valid for 365 days
openssl x509 -req -days 365 -in stunnel.csr -signkey stunnel.key -out stunnel.crt
# stunnel expects the certificate and the private key together in one PEM file
cat stunnel.crt stunnel.key > stunnel.pem
# Restrict access to the private key material
chmod 640 stunnel.key stunnel.pem
```

### Client Mode
 
To enable the client mode, you will need to put `client = yes` into the global section of the stunnel configuration file.
 
Further below, you may add new services like the following:
 
```ini
[ipfire-smtps]
accept = 25
connect = mail01.ipfire.org:465
```
 
In this example, you may connect to stunnel on port 25 and it will connect you over SSL to the IPFire mail server at `mail01.ipfire.org` on port 465, which is SMTP-over-SSL.
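The server-mode and client-mode fragments above are the whole of what a service section needs, but a client-mode file that never enables certificate verification will accept any certificate the remote end presents. The following is an added example, not code from the IPFire wiki or the stunnel project: a small linter that parses a `stunnel.conf` into its global options and `[service]` sections and flags a missing `accept`/`connect`, a client-mode file without verification, and a server-mode file without a certificate. The option names `verify`, `verifyChain`, `verifyPeer` and `cert` are assumed to be stunnel's standard option names; they do not appear on this page.

```python
# Added example (not from the IPFire wiki or the stunnel project): a linter
# for stunnel.conf that lists [service] sections and flags a client-mode file
# that never enables certificate verification. The option names verify,
# verifyChain, verifyPeer and cert are assumed to be stunnel's; they are not on this page.
import configparser
import io

# Constructed samples modelled on the page's client- and server-mode examples.
CLIENT_CONF = "client = yes\n\n[ipfire-smtps]\naccept = 25\nconnect = mail01.ipfire.org:465\n"
SERVER_CONF = "cert = /etc/stunnel/stunnel.pem\n\n[ipfire-smtp]\naccept = 465\nconnect = 25\n"
VERIFY_OPTS = ("verify", "verifyChain", "verifyPeer")

def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}). stunnel's global
    section has no header, so a dummy [global] header is prepended."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep option names as written (verifyChain, CAfile)
    cp.read_file(io.StringIO("[global]\n" + text))
    global_opts = dict(cp["global"])
    services = {s: dict(cp[s]) for s in cp.sections() if s != "global"}
    return global_opts, services

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():  # every service needs a listener and a target
        for key in ("accept", "connect"):
            if key not in opts:
                findings.append(f"[{name}]: missing '{key}'")
    scopes = [global_opts, *services.values()]  # options may be global or per service
    present = lambda *keys: any(k in o for o in scopes for k in keys)
    if global_opts.get("client", "no").lower() == "yes":
        if not present(*VERIFY_OPTS):
            findings.append("client mode without verify: server certificate is never checked")
    elif not present("cert"):
        findings.append("server mode without cert: no certificate to present to clients")
    return findings
```

Running `lint(CLIENT_CONF)` reports the unverified client tunnel, while `lint(SERVER_CONF)` returns an empty list.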
 
## Operation
 
stunnel works in the background and can be started by running:
 
`/etc/init.d/stunnel start`
 
Likewise you can stop the service:
 
`/etc/init.d/stunnel stop`
 
To check whether it is running, you may run:
 
`/etc/init.d/stunnel status`