2013-04-22 19:47:34 +02:00
|
|
|
This is the Stunnel 4.x package for Debian.
|
|
|
|
|
|
|
|
* Upgrading from stunnel to stunnel4
|
|
|
|
|
|
|
|
Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
|
|
|
|
different command line syntax and configuration. You will need to
|
|
|
|
update your scripts.
|
|
|
|
|
|
|
|
The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
|
|
|
|
syntax and calls stunnel4 with appropriate options. It appears to
|
|
|
|
support every stunnel3 option *except* -S (which controls the defaults
|
|
|
|
used for certificate sources).
|
|
|
|
|
|
|
|
* Basic configuration
|
|
|
|
|
|
|
|
After installation, you should :
|
|
|
|
|
|
|
|
- edit /etc/stunnel/stunnel.conf
|
|
|
|
|
|
|
|
- edit /etc/default/stunnel and set ENABLE=1, if you want your
|
|
|
|
configured tunnels to start automatically on boot.
|
|
|
|
|
|
|
|
- generate a certificate for use with stunnel if you want to use server mode
|
|
|
|
|
|
|
|
Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
|
|
|
|
configuration. It is very simple and only includes a couple of configuration
|
|
|
|
options. This script is located in
|
|
|
|
/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
|
|
|
|
|
|
|
|
It requires libgnome2-perl and libgtk2-perl.
|
|
|
|
|
|
|
|
* How to create SSL keys for stunnel
|
|
|
|
|
|
|
|
The certificates default directory is /etc/ssl/certs, so cd into that dir
|
|
|
|
and issue the command:
|
|
|
|
|
|
|
|
openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
|
|
|
|
|
|
|
|
Fill in the info requested.
|
|
|
|
|
|
|
|
Change 'stunnel.pem' to the name of the certificate you need to
|
|
|
|
create. stunnel.pem will be used by default by stunnel, but you want
|
|
|
|
to create different certificates for different services you run with
|
|
|
|
stunnel. Make sure only root can read the file (or only the user that
|
|
|
|
needs to read it, if stunnel is run as that user):
|
|
|
|
|
|
|
|
chmod 600 stunnel.pem
|
|
|
|
|
|
|
|
Now you need to append the DH parameters to the certificate.
|
|
|
|
|
|
|
|
First you need to generate some amount of random data:
|
|
|
|
|
|
|
|
dd if=/dev/urandom of=temp_file count=2
|
|
|
|
|
|
|
|
Use /dev/random if you want a more secure source of data, but make
|
|
|
|
sure you have enough entropy on you system (the output file should be
|
|
|
|
at least 512 bytes long).
|
|
|
|
|
|
|
|
And now make openssl generate the DH parameters and append them to the
|
|
|
|
certificate file:
|
|
|
|
|
|
|
|
openssl dhparam -rand temp_file 512 >> stunnel.pem
|
|
|
|
|
|
|
|
You also want to link the certificate to its hash name so that openssl
|
|
|
|
can find it also by that means:
|
|
|
|
|
|
|
|
ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
|
|
|
|
|
|
|
|
Read the manual page for openssl for more info on the various options.
|
|
|
|
|
|
|
|
* FIPS
|
|
|
|
|
2017-09-23 15:25:21 +02:00
|
|
|
Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
|
|
|
|
using it requires stunnel to be compiled statically against OpenSSL and all
|
2013-04-22 19:47:34 +02:00
|
|
|
supporting libraries. Thus, this option is disabled in the Debian package.
|
|
|
|
|
2017-09-23 15:25:21 +02:00
|
|
|
See the OpenSSL FIPS User Guide at
|
|
|
|
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
|
|
|
|
and the OpenSSL notes about FIPS 140-2 at
|
|
|
|
https://www.openssl.org/docs/fips/fipsnotes.html
|
2013-04-22 19:47:34 +02:00
|
|
|
|
|
|
|
- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
|
|
|
|
|
|
|
|
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z
|