Stunnel/Server: Difference between revisions
From charlesreid1
Revision as of 17:01, 28 March 2017
Stunnel Server
Stunnel running as a server uses two ports: one on which it listens for incoming (encrypted) traffic, and one to which it forwards the decrypted, unencrypted traffic.
Ports/Arrangement
Typically, stunnel listens on port 443, which is open to external traffic, for incoming SSL/TLS connections.
Typically, stunnel forwards that traffic on to a local port, something like 8443. This is useful when you have a service that is only exposed to LOCAL traffic (bound to localhost / 127.0.0.1) and not to an EXTERNAL address like 0.0.0.0.
Stunnel Config File
To set this up, we use the stunnel.conf configuration file. This is what a simple stunnel config looks like:
<pre>
output = /etc/stunnel/stunnel.log
cert=/etc/stunnel/stunnel.fullchain.pem
key=/etc/stunnel/stunnel.key.pem
pid=/var/run/stunnel4/stunnel.pid
; server mode: terminate TLS on "accept" and forward plaintext to "connect"
; (client=yes would do the reverse: plaintext in, TLS out)
client=no
[http]
accept = 443
connect = 127.0.0.1:8443
</pre>
Starting Stunnel
Starting stunnel is really simple. Just run the stunnel command.
If there are problems, you'll see them; if not, you won't.
Here's an example of a failed startup:
<pre>
$ stunnel
[ ] Clients allowed=500
[.] stunnel 5.30 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.0.2e 3 Dec 2015
[.] Running with OpenSSL 1.0.2g 1 Mar 2016
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing service [http]
[ ] Loading certificate from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Certificate loaded from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Loading private key from file: /etc/stunnel/stunnel.key.pem
[!] error queue: 140B0002: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_PrivateKey_file: 200100D: error:0200100D:system library:fopen:Permission denied
[!] Service [http]: Failed to initialize SSL context
</pre>
Once stunnel is running properly, you won't see any startup message:
<pre>
$ sudo stunnel
</pre>
You can verify that stunnel is running using nmap to check if the stunnel port is open:
<pre>
$ sudo nmap localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-28 17:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds
</pre>
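The config above and the "fopen: Permission denied" startup failure are the two things that usually go wrong with a server-mode stunnel. The following pre-flight script is an added example, not part of this wiki page or of stunnel itself: it reads the flat key = value form shown above and checks that the service is actually in server mode, that the plaintext leg stays on loopback, and that the private key is readable by the invoking user without being world-readable. The helper names (conf_get, check_stunnel_server_conf) are this example's own.

```shell
#!/bin/sh
# Pre-flight check for a server-mode stunnel.conf (added example).
# Exit status 0 if every check passes, 1 otherwise; findings go to stdout.

# conf_get FILE KEY -> value of the first "KEY = value" line, any section.
# Only the flat "key = value" form used above is handled (no line continuations).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

check_stunnel_server_conf() {
    conf="$1"; rc=0
    client=$(conf_get "$conf" client)
    connect=$(conf_get "$conf" connect)
    key=$(conf_get "$conf" key)

    # A server terminates TLS on "accept" and forwards plaintext to "connect".
    # client = yes inverts that (plaintext in, TLS out), so it is not a server.
    case "$client" in
        ""|no) ;;
        *) echo "client = $client: server mode needs client = no"; rc=1 ;;
    esac

    # The plaintext leg must stay on loopback; a bare port or 0.0.0.0 target
    # would hand the unencrypted backend traffic to the network.
    case "$connect" in
        127.0.0.1:*|localhost:*) ;;
        *) echo "connect = $connect: plaintext backend should be on loopback"; rc=1 ;;
    esac

    # The key must be readable by whoever starts stunnel (the cause of the
    # "fopen: Permission denied" failure above) and must not be world-readable.
    if [ ! -r "$key" ]; then
        echo "key = $key: not readable by $(id -un); run as the right user or fix ownership"; rc=1
    elif [ "$(ls -l "$key" | cut -c8)" = r ]; then
        echo "key = $key: world-readable; chmod 600 it"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh check_stunnel.sh /etc/stunnel/stunnel.conf
if [ $# -gt 0 ]; then
    check_stunnel_server_conf "$1"
fi
```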