Stunnel/Server

Stunnel Server

Stunnel running as a server will open two ports: one to listen for incoming traffic, and one to forward the (unencrypted) traffic onto.

Ports/Arrangement

Typically, stunnel is listening on port 443, open to external traffic, and is listening for SSL traffic.

Typically, stunnel is forwarding that traffic on to a local port, something like 8443. (Useful if you have a service only exposed to LOCAL traffic from localhost or 127.0.0.1 and not bound to an EXTERNAL ip address like 0.0.0.0).

Stunnel Config File

To set this up, we use the stunnel.conf configuration file. This is what a simple stunnel config looks like:

output = /etc/stunnel/stunnel.log
cert=/etc/stunnel/stunnel.fullchain.pem
key=/etc/stunnel/stunnel.key.pem
pid=/var/run/stunnel4/stunnel.pid
client=yes
[http]
accept = 443
connect = 127.0.0.1:8443

Starting Stunnel

Starting stunnel is really simple. Just run the stunnel command.

If there are problems, stunnel may or may not print them out when you run the stunnel command.

Here's an example of a permissions error with a certificate file:

$ stunnel
[ ] Clients allowed=500
[.] stunnel 5.30 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.0.2e 3 Dec 2015
[.] Running  with OpenSSL 1.0.2g  1 Mar 2016
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing service [http]
[ ] Loading certificate from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Certificate loaded from file: /etc/stunnel/stunnel.fullchain.pem
[ ] Loading private key from file: /etc/stunnel/stunnel.key.pem
[!] error queue: 140B0002: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_PrivateKey_file: 200100D: error:0200100D:system library:fopen:Permission denied
[!] Service [http]: Failed to initialize SSL context

Stunnel may also fail silently. In another window you can run tail on the stunnel log:

$ tail -f /var/log/stunnel4/stunnel.log

Once stunnel is running properly, you won't see any startup message:

$ sudo stunnel

The last few lines of the log should also show a clean startup:

2017.03.28 13:01:53 LOG5[ui]: Compiled with OpenSSL 0.9.8zc 19 Mar 2015
2017.03.28 13:01:53 LOG5[ui]: Running  with OpenSSL 0.9.8zh 14 Jan 2016
2017.03.28 13:01:53 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2017.03.28 13:01:53 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP
2017.03.28 13:01:53 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2017.03.28 13:01:53 LOG5[ui]: UTF-8 byte order mark not detected
2017.03.28 13:01:53 LOG4[ui]: Service [https] needs authentication to prevent MITM attacks
2017.03.28 13:01:53 LOG5[ui]: Configuration successful

You can verify that stunnel is running using nmap to check if the stunnel port is open:

$ sudo nmap localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-28 17:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000016s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 999 closed ports
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.70 seconds

Now Start the Client

See Stunnel/Client

Flags