1005 lines
25 KiB
Plaintext
1005 lines
25 KiB
Plaintext
|
=head1 NAME
|
||
|
|
||
|
=encoding utf8
|
||
|
|
||
|
stunnel - universal SSL tunnel
|
||
|
|
||
|
|
||
|
=head1 SYNOPSIS
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item B<Unix:>
|
||
|
|
||
|
B<stunnel> [<S<filename>>] | S<-fd n> | S<-help> | S<-version> | S<-sockets>
|
||
|
|
||
|
=item B<WIN32:>
|
||
|
|
||
|
B<stunnel> [ [S<-install> | S<-uninstall> | S<-start> | S<-stop>] | S<-exit>]
|
||
|
[S<-quiet>] [<S<filename>>] ] | S<-help> | S<-version> | S<-sockets>
|
||
|
|
||
|
=back
|
||
|
|
||
|
|
||
|
=head1 DESCRIPTION
|
||
|
|
||
|
The B<stunnel> program is designed to work as I<SSL> encryption wrapper
|
||
|
between remote clients and local (I<inetd>-startable) or remote
|
||
|
servers. The concept is that having non-SSL aware daemons running on
|
||
|
your system you can easily set them up to communicate with clients over
|
||
|
secure SSL channels.
|
||
|
|
||
|
B<stunnel> can be used to add SSL functionality to commonly used I<Inetd>
|
||
|
daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
|
||
|
NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
|
||
|
changes to the source code.
|
||
|
|
||
|
This product includes cryptographic software written by
|
||
|
Eric Young (eay@cryptsoft.com)
|
||
|
|
||
|
|
||
|
=head1 OPTIONS
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item <B<filename>>
|
||
|
|
||
|
Use specified configuration file
|
||
|
|
||
|
=item B<-fd n> (Unix only)
|
||
|
|
||
|
Read the config file from specified file descriptor
|
||
|
|
||
|
=item B<-help>
|
||
|
|
||
|
Print B<stunnel> help menu
|
||
|
|
||
|
=item B<-version>
|
||
|
|
||
|
Print B<stunnel> version and compile time defaults
|
||
|
|
||
|
=item B<-sockets>
|
||
|
|
||
|
Print default socket options
|
||
|
|
||
|
=item B<-install> (NT/2000/XP only)
|
||
|
|
||
|
Install NT Service
|
||
|
|
||
|
=item B<-uninstall> (NT/2000/XP only)
|
||
|
|
||
|
Uninstall NT Service
|
||
|
|
||
|
=item B<-start> (NT/2000/XP only)
|
||
|
|
||
|
Start NT Service
|
||
|
|
||
|
=item B<-stop> (NT/2000/XP only)
|
||
|
|
||
|
Stop NT Service
|
||
|
|
||
|
=item B<-exit> (Win32 only)
|
||
|
|
||
|
Exit an already started stunnel
|
||
|
|
||
|
=item B<-quiet> (NT/2000/XP only)
|
||
|
|
||
|
Don't display any message boxes
|
||
|
|
||
|
=back
|
||
|
|
||
|
|
||
|
=head1 CONFIGURATION FILE
|
||
|
|
||
|
Each line of the configuration file can be either:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item * an empty line (ignored)
|
||
|
|
||
|
=item * a comment starting with ';' (ignored)
|
||
|
|
||
|
=item * an 'option_name = option_value' pair
|
||
|
|
||
|
=item * '[service_name]' indicating a start of a service definition
|
||
|
|
||
|
=back
|
||
|
|
||
|
An address parameter of an option may be either:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item * a port number
|
||
|
|
||
|
=item * a colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number
|
||
|
|
||
|
=item * a Unix socket path (Unix only)
|
||
|
|
||
|
=back
|
||
|
|
||
|
=head2 GLOBAL OPTIONS
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item B<chroot> = directory (Unix only)
|
||
|
|
||
|
directory to chroot B<stunnel> process
|
||
|
|
||
|
B<chroot> keeps B<stunnel> in chrooted jail. I<CApath>, I<CRLpath>, I<pid>
|
||
|
and I<exec> are located inside the jail and the patches have to be relative
|
||
|
to the directory specified with B<chroot>.
|
||
|
|
||
|
=item B<compression> = deflate | zlib | rle
|
||
|
|
||
|
select data compression algorithm
|
||
|
|
||
|
default: no compression
|
||
|
|
||
|
deflate is the standard compression method as described in RFC 1951.
|
||
|
|
||
|
zlib compression of OpenSSL 0.9.8 or above is not backward compatible with
|
||
|
OpenSSL 0.9.7.
|
||
|
|
||
|
rle compression is currently not implemented by the OpenSSL library.
|
||
|
|
||
|
=item B<debug> = [facility.]level
|
||
|
|
||
|
debugging level
|
||
|
|
||
|
Level is a one of the syslog level names or numbers
|
||
|
emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
|
||
|
info (6), or debug (7). All logs for the specified level and
|
||
|
all levels numerically less than it will be shown. Use I<debug = debug> or
|
||
|
I<debug = 7> for greatest debugging output. The default is notice (5).
|
||
|
|
||
|
The syslog facility 'daemon' will be used unless a facility name is supplied.
|
||
|
(Facilities are not supported on Win32.)
|
||
|
|
||
|
Case is ignored for both facilities and levels.
|
||
|
|
||
|
=item B<EGD> = egd path (Unix only)
|
||
|
|
||
|
path to Entropy Gathering Daemon socket
|
||
|
|
||
|
Entropy Gathering Daemon socket to use to feed OpenSSL random number
|
||
|
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
|
||
|
|
||
|
=item B<engine> = auto | <engine id>
|
||
|
|
||
|
select hardware engine
|
||
|
|
||
|
default: software-only cryptography
|
||
|
|
||
|
Here is an example of advanced engine configuration to read private key from an
|
||
|
OpenSC engine
|
||
|
|
||
|
engine=dynamic
|
||
|
engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
|
||
|
engineCtrl=ID:pkcs11
|
||
|
engineCtrl=LIST_ADD:1
|
||
|
engineCtrl=LOAD
|
||
|
engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
|
||
|
engineCtrl=INIT
|
||
|
|
||
|
[service]
|
||
|
engineNum=1
|
||
|
key=id_45
|
||
|
|
||
|
=item B<engineCtrl> = command[:parameter]
|
||
|
|
||
|
control hardware engine
|
||
|
|
||
|
Special commands "LOAD" and "INIT" can be used to load and initialize the
|
||
|
engine cryptogaphic module.
|
||
|
|
||
|
=item B<fips> = yes | no
|
||
|
|
||
|
Enable or disable FIPS 140-2 mode.
|
||
|
|
||
|
This option allows to disable entering FIPS mode if stunnel was compiled with
|
||
|
FIPS 140-2 support.
|
||
|
|
||
|
default: yes
|
||
|
|
||
|
=item B<foreground> = yes | no (Unix only)
|
||
|
|
||
|
foreground mode
|
||
|
|
||
|
Stay in foreground (don't fork) and log to stderr
|
||
|
instead of via syslog (unless I<output> is specified).
|
||
|
|
||
|
default: background in daemon mode
|
||
|
|
||
|
=item B<output> = file
|
||
|
|
||
|
append log messages to a file
|
||
|
|
||
|
/dev/stdout device can be used to send log messages to the standard
|
||
|
output (for example to log them with daemontools splogger).
|
||
|
|
||
|
=item B<pid> = file (Unix only)
|
||
|
|
||
|
pid file location
|
||
|
|
||
|
If the argument is empty, then no pid file will be created.
|
||
|
|
||
|
I<pid> path is relative to I<chroot> directory if specified.
|
||
|
|
||
|
=item B<RNDbytes> = bytes
|
||
|
|
||
|
bytes to read from random seed files
|
||
|
|
||
|
Number of bytes of data read from random seed files. With SSL versions
|
||
|
less than 0.9.5a, also determines how many bytes of data are considered
|
||
|
sufficient to seed the PRNG. More recent OpenSSL versions have a builtin
|
||
|
function to determine when sufficient randomness is available.
|
||
|
|
||
|
=item B<RNDfile> = file
|
||
|
|
||
|
path to file with random seed data
|
||
|
|
||
|
The SSL library will use data from this file first to seed the random
|
||
|
number generator.
|
||
|
|
||
|
=item B<RNDoverwrite> = yes | no
|
||
|
|
||
|
overwrite the random seed files with new random data
|
||
|
|
||
|
default: yes
|
||
|
|
||
|
=item B<service> = servicename (Unix only)
|
||
|
|
||
|
use specified string as I<inetd> mode service name for TCP Wrapper library
|
||
|
|
||
|
default: stunnel
|
||
|
|
||
|
=item B<setgid> = groupname (Unix only)
|
||
|
|
||
|
setgid() to groupname in daemon mode and clears all other groups
|
||
|
|
||
|
=item B<setuid> = username (Unix only)
|
||
|
|
||
|
setuid() to username in daemon mode
|
||
|
|
||
|
=item B<socket> = a|l|r:option=value[:value]
|
||
|
|
||
|
Set an option on accept/local/remote socket
|
||
|
|
||
|
The values for linger option are l_onof:l_linger.
|
||
|
The values for time are tv_sec:tv_usec.
|
||
|
|
||
|
Examples:
|
||
|
|
||
|
socket = l:SO_LINGER=1:60
|
||
|
set one minute timeout for closing local socket
|
||
|
socket = r:SO_OOBINLINE=yes
|
||
|
place out-of-band data directly into the
|
||
|
receive data stream for remote sockets
|
||
|
socket = a:SO_REUSEADDR=no
|
||
|
disable address reuse (enabled by default)
|
||
|
socket = a:SO_BINDTODEVICE=lo
|
||
|
only accept connections on loopback interface
|
||
|
|
||
|
=item B<syslog> = yes | no (Unix only)
|
||
|
|
||
|
enable logging via syslog
|
||
|
|
||
|
default: yes
|
||
|
|
||
|
=item B<taskbar> = yes | no (WIN32 only)
|
||
|
|
||
|
enable the taskbar icon
|
||
|
|
||
|
default: yes
|
||
|
|
||
|
=back
|
||
|
|
||
|
|
||
|
=head2 SERVICE-LEVEL OPTIONS
|
||
|
|
||
|
Each configuration section begins with service name in square brackets.
|
||
|
The service name is used for libwrap (TCP Wrappers) access control and lets
|
||
|
you distinguish B<stunnel> services in your log files.
|
||
|
|
||
|
Note that if you wish to run B<stunnel> in I<inetd> mode (where it
|
||
|
is provided a network socket by a server such as I<inetd>, I<xinetd>,
|
||
|
or I<tcpserver>) then you should read the section entitled I<INETD MODE>
|
||
|
below.
|
||
|
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item B<accept> = address
|
||
|
|
||
|
accept connections on specified address
|
||
|
|
||
|
If no host specified, defaults to all IPv4 addresses for the local host.
|
||
|
|
||
|
To listen on all IPv6 addresses use:
|
||
|
|
||
|
connect = :::port
|
||
|
|
||
|
=item B<CApath> = directory
|
||
|
|
||
|
Certificate Authority directory
|
||
|
|
||
|
This is the directory in which B<stunnel> will look for certificates when using
|
||
|
the I<verify>. Note that the certificates in this directory should be named
|
||
|
XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the
|
||
|
cert.
|
||
|
|
||
|
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
|
||
|
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
|
||
|
|
||
|
I<CApath> path is relative to I<chroot> directory if specified.
|
||
|
|
||
|
=item B<CAfile> = certfile
|
||
|
|
||
|
Certificate Authority file
|
||
|
|
||
|
This file contains multiple CA certificates, used with the I<verify>.
|
||
|
|
||
|
=item B<cert> = pemfile
|
||
|
|
||
|
certificate chain PEM file name
|
||
|
|
||
|
A PEM is always needed in server mode.
|
||
|
Specifying this flag in client mode will use this certificate chain
|
||
|
as a client side certificate chain. Using client side certs is optional.
|
||
|
The certificates must be in PEM format and must be sorted starting with the
|
||
|
certificate to the highest level (root CA).
|
||
|
|
||
|
=item B<ciphers> = cipherlist
|
||
|
|
||
|
Select permitted SSL ciphers
|
||
|
|
||
|
A colon delimited list of the ciphers to allow in the SSL connection.
|
||
|
For example DES-CBC3-SHA:IDEA-CBC-MD5
|
||
|
|
||
|
=item B<client> = yes | no
|
||
|
|
||
|
client mode (remote service uses SSL)
|
||
|
|
||
|
default: no (server mode)
|
||
|
|
||
|
=item B<connect> = address
|
||
|
|
||
|
connect to a remote address
|
||
|
|
||
|
If no host is specified, the host defaults to localhost.
|
||
|
|
||
|
Multiple B<connect> options are allowed in a single service section.
|
||
|
|
||
|
If host resolves to multiple addresses and/or if multiple I<connect>
|
||
|
options are specified, then the remote address is chosen using a
|
||
|
round-robin algorithm.
|
||
|
|
||
|
=item B<CRLpath> = directory
|
||
|
|
||
|
Certificate Revocation Lists directory
|
||
|
|
||
|
This is the directory in which B<stunnel> will look for CRLs when
|
||
|
using the I<verify>. Note that the CRLs in this directory should
|
||
|
be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.
|
||
|
|
||
|
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
|
||
|
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
|
||
|
|
||
|
I<CRLpath> path is relative to I<chroot> directory if specified.
|
||
|
|
||
|
=item B<CRLfile> = certfile
|
||
|
|
||
|
Certificate Revocation Lists file
|
||
|
|
||
|
This file contains multiple CRLs, used with the I<verify>.
|
||
|
|
||
|
=item B<curve> = nid
|
||
|
|
||
|
specify ECDH curve name
|
||
|
|
||
|
To get a list of supported cuves use:
|
||
|
|
||
|
openssl ecparam -list_curves
|
||
|
|
||
|
default: prime256v1
|
||
|
|
||
|
=item B<delay> = yes | no
|
||
|
|
||
|
delay DNS lookup for 'connect' option
|
||
|
|
||
|
This option is useful for dynamic DNS, or when DNS is not available during
|
||
|
stunnel startup (road warrior VPN, dial-up configurations).
|
||
|
|
||
|
=item B<engineNum> = engine number
|
||
|
|
||
|
select engine number to read private key
|
||
|
|
||
|
The engines are numbered starting from 1.
|
||
|
|
||
|
=item B<exec> = executable_path
|
||
|
|
||
|
execute local inetd-type program
|
||
|
|
||
|
I<exec> path is relative to I<chroot> directory if specified.
|
||
|
|
||
|
=item B<execargs> = $0 $1 $2 ...
|
||
|
|
||
|
arguments for I<exec> including program name ($0)
|
||
|
|
||
|
Quoting is currently not supported.
|
||
|
Arguments are separated with arbitrary number of whitespaces.
|
||
|
|
||
|
=item B<failover> = rr | prio
|
||
|
|
||
|
Failover strategy for multiple "connect" targets.
|
||
|
|
||
|
rr (round robin) - fair load distribution
|
||
|
prio (priority) - use the order specified in config file
|
||
|
|
||
|
default: rr
|
||
|
|
||
|
=item B<ident> = username
|
||
|
|
||
|
use IDENT (RFC 1413) username checking
|
||
|
|
||
|
=item B<key> = keyfile
|
||
|
|
||
|
private key for certificate specified with I<cert> option
|
||
|
|
||
|
Private key is needed to authenticate certificate owner.
|
||
|
Since this file should be kept secret it should only be readable
|
||
|
to its owner. On Unix systems you can use the following command:
|
||
|
|
||
|
chmod 600 keyfile
|
||
|
|
||
|
default: value of I<cert> option
|
||
|
|
||
|
=item B<libwrap> = yes | no
|
||
|
|
||
|
Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
|
||
|
|
||
|
default: yes
|
||
|
|
||
|
=item B<local> = host
|
||
|
|
||
|
IP of the outgoing interface is used as source for remote connections.
|
||
|
Use this option to bind a static local IP address, instead.
|
||
|
|
||
|
=item B<sni> = service_name:server_name (server mode)
|
||
|
|
||
|
Use the service as a slave service (a name-based virtual server) for Server
|
||
|
Name Indication TLS extension (RFC 3546).
|
||
|
|
||
|
I<service_name> specifies the master service that accepts client connections
|
||
|
with I<accept> option. I<server_name> specifies the host name to be redirected.
|
||
|
Multiple slave services are normally specified for a single master service.
|
||
|
I<sni> option can also be specified more than once within a single slave service.
|
||
|
|
||
|
This service, as well as the master service, may not be configured in client mode.
|
||
|
I<connect> option of the slave service is ignored when I<protocol> option is
|
||
|
specified, as I<protocol> connects remote host before TLS handshake.
|
||
|
Libwrap checks (Unix only) are performed twice: with master service name after
|
||
|
TCP connection is accepted, and with slave service name during TLS handshake.
|
||
|
|
||
|
Option I<sni> is only available when compiled with OpenSSL 1.0.0 and later.
|
||
|
|
||
|
=item B<sni> = server_name (client mode)
|
||
|
|
||
|
Use the parameter as the value of TLS Server Name Indication (RFC 3546)
|
||
|
extension.
|
||
|
|
||
|
Option I<sni> is only available when compiled with OpenSSL 1.0.0 and later.
|
||
|
|
||
|
=item B<OCSP> = url
|
||
|
|
||
|
select OCSP server for certificate verification
|
||
|
|
||
|
=item B<OCSPflag> = flag
|
||
|
|
||
|
specify OCSP server flag
|
||
|
|
||
|
Several I<OCSPflag> can be used to specify multiple flags.
|
||
|
|
||
|
currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
|
||
|
NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
|
||
|
|
||
|
=item B<options> = SSL_options
|
||
|
|
||
|
OpenSSL library options
|
||
|
|
||
|
The parameter is the OpenSSL option name as described in the
|
||
|
I<SSL_CTX_set_options(3ssl)> manual, but without I<SSL_OP_> prefix.
|
||
|
Several I<options> can be used to specify multiple options.
|
||
|
|
||
|
For example for compatibility with erroneous Eudora SSL implementation
|
||
|
the following option can be used:
|
||
|
|
||
|
options = DONT_INSERT_EMPTY_FRAGMENTS
|
||
|
|
||
|
=item B<protocol> = proto
|
||
|
|
||
|
application protocol to negotiate SSL (e.g. I<starttls> or I<stls>)
|
||
|
|
||
|
I<protocol> option should not be used with SSL encryption on a separate port.
|
||
|
|
||
|
Currently supported protocols:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item I<cifs>
|
||
|
|
||
|
Proprietary (undocummented) extension of CIFS protocol implemented in Samba.
|
||
|
Support for this extension was dropped in Samba 3.0.0.
|
||
|
|
||
|
=item I<connect>
|
||
|
|
||
|
Based on RFC 2817 - I<Upgrading to TLS Within HTTP/1.1>, section 5.2 - I<Requesting a Tunnel with CONNECT>
|
||
|
|
||
|
This protocol is only supported in client mode.
|
||
|
|
||
|
=item I<imap>
|
||
|
|
||
|
Based on RFC 2595 - I<Using TLS with IMAP, POP3 and ACAP>
|
||
|
|
||
|
=item I<nntp>
|
||
|
|
||
|
Based on RFC 4642 - I<Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)>
|
||
|
|
||
|
This protocol is only supported in client mode.
|
||
|
|
||
|
=item I<pgsql>
|
||
|
|
||
|
Based on http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982
|
||
|
|
||
|
=item I<pop3>
|
||
|
|
||
|
Based on RFC 2449 - I<POP3 Extension Mechanism>
|
||
|
|
||
|
=item I<proxy>
|
||
|
|
||
|
Haproxy client IP address http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
|
||
|
|
||
|
=item I<smtp>
|
||
|
|
||
|
Based on RFC 2487 - I<SMTP Service Extension for Secure SMTP over TLS>
|
||
|
|
||
|
=back
|
||
|
|
||
|
=item B<protocolAuthentication> = auth_type
|
||
|
|
||
|
authentication type for protocol negotiations
|
||
|
|
||
|
currently supported: basic, NTLM
|
||
|
|
||
|
Currently authentication type only applies to 'connect' protocol.
|
||
|
|
||
|
default: basic
|
||
|
|
||
|
=item B<protocolHost> = host:port
|
||
|
|
||
|
destination address for protocol negotiations
|
||
|
|
||
|
=item B<protocolPassword> = password
|
||
|
|
||
|
password for protocol negotiations
|
||
|
|
||
|
=item B<protocolUsername> = username
|
||
|
|
||
|
username for protocol negotiations
|
||
|
|
||
|
=item B<pty> = yes | no (Unix only)
|
||
|
|
||
|
allocate pseudo terminal for 'exec' option
|
||
|
|
||
|
=item B<retry> = yes | no (Unix only)
|
||
|
|
||
|
reconnect a connect+exec section after it's disconnected
|
||
|
|
||
|
default: no
|
||
|
|
||
|
=item B<session> = timeout
|
||
|
|
||
|
session cache timeout
|
||
|
|
||
|
=item B<sessiond> = host:port
|
||
|
|
||
|
address of sessiond SSL cache server
|
||
|
|
||
|
=item B<sslVersion> = version
|
||
|
|
||
|
select version of SSL protocol
|
||
|
|
||
|
Allowed options: all, SSLv2, SSLv3, TLSv1
|
||
|
|
||
|
=item B<stack> = bytes (except for FORK model)
|
||
|
|
||
|
thread stack size
|
||
|
|
||
|
=item B<TIMEOUTbusy> = seconds
|
||
|
|
||
|
time to wait for expected data
|
||
|
|
||
|
=item B<TIMEOUTclose> = seconds
|
||
|
|
||
|
time to wait for close_notify (set to 0 for buggy MSIE)
|
||
|
|
||
|
=item B<TIMEOUTconnect> = seconds
|
||
|
|
||
|
time to wait to connect a remote host
|
||
|
|
||
|
=item B<TIMEOUTidle> = seconds
|
||
|
|
||
|
time to keep an idle connection
|
||
|
|
||
|
=item B<transparent> = none | source | destination | both (Unix only)
|
||
|
|
||
|
enable transparent proxy support on selected platforms
|
||
|
|
||
|
Supported values:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item I<none>
|
||
|
|
||
|
Disable transparent proxy support. This is the default.
|
||
|
|
||
|
=item I<source>
|
||
|
|
||
|
Re-write address to appear as if wrapped daemon is connecting
|
||
|
from the SSL client machine instead of the machine running B<stunnel>.
|
||
|
|
||
|
This option is currently available in:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item Remote mode (I<connect> option) on I<Linux E<gt>=2.6.28>
|
||
|
|
||
|
This configuration requires stunnel to be executed as root and without
|
||
|
I<setuid> option.
|
||
|
|
||
|
This configuration requires the following setup for iptables and routing
|
||
|
(possibly in /etc/rc.local or equivalent file):
|
||
|
|
||
|
iptables -t mangle -N DIVERT
|
||
|
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
|
||
|
iptables -t mangle -A DIVERT -j MARK --set-mark 1
|
||
|
iptables -t mangle -A DIVERT -j ACCEPT
|
||
|
ip rule add fwmark 1 lookup 100
|
||
|
ip route add local 0.0.0.0/0 dev lo table 100
|
||
|
echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
|
||
|
|
||
|
B<stunnel> must also to be executed as root and without I<setuid> option.
|
||
|
|
||
|
=item Remote mode (I<connect> option) on I<Linux 2.2.x>
|
||
|
|
||
|
This configuration requires kernel to be compiled with I<transparent proxy> option.
|
||
|
Connected service must be installed on a separate host.
|
||
|
Routing towards the clients has to go through the stunnel box.
|
||
|
|
||
|
B<stunnel> must also to be executed as root and without I<setuid> option.
|
||
|
|
||
|
=item Remote mode (I<connect> option) on I<FreeBSD E<gt>=8.0>
|
||
|
|
||
|
This configuration requires additional firewall and routing setup.
|
||
|
B<stunnel> must also to be executed as root and without I<setuid> option.
|
||
|
|
||
|
=item Local mode (I<exec> option)
|
||
|
|
||
|
This configuration works by pre-loading I<libstunnel.so> shared library.
|
||
|
_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
|
||
|
other platforms.
|
||
|
|
||
|
=back
|
||
|
|
||
|
=item I<destination>
|
||
|
|
||
|
Original destination is used instead of I<connect> option.
|
||
|
|
||
|
A service section for transparent destination may look like this:
|
||
|
|
||
|
[transparent]
|
||
|
client=yes
|
||
|
accept=<stunnel_port>
|
||
|
transparent=destination
|
||
|
|
||
|
This configuration requires the following setup for iptables
|
||
|
(possibly in /etc/rc.local or equivalent file):
|
||
|
|
||
|
/sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
|
||
|
/sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport <redirected_port> -j DNAT --to-destination <local_ip>:<stunnel_port>
|
||
|
|
||
|
Transparent destination option is currently only supported on Linux.
|
||
|
|
||
|
=item I<both>
|
||
|
|
||
|
Use both I<source> and I<destination> transparent proxy.
|
||
|
|
||
|
=back
|
||
|
|
||
|
Two legacy options are also supported for backward compatibility:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item I<yes>
|
||
|
|
||
|
This options has been renamed to I<source>.
|
||
|
|
||
|
=item I<no>
|
||
|
|
||
|
This options has been renamed to I<none>.
|
||
|
|
||
|
=back
|
||
|
|
||
|
|
||
|
=item B<verify> = level
|
||
|
|
||
|
verify peer certificate
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item I<level 0> - request and ignore peer certificate
|
||
|
|
||
|
=item I<level 1> - verify peer certificate if present
|
||
|
|
||
|
=item I<level 2> - verify peer certificate
|
||
|
|
||
|
=item I<level 3> - verify peer with locally installed certificate
|
||
|
|
||
|
=item I<level 4> - ignore CA chain and only verify peer certificate
|
||
|
|
||
|
=item I<default> - no verify
|
||
|
|
||
|
=back
|
||
|
|
||
|
It is important to understand, that this option was solely designed for access
|
||
|
control and not for authorization. Specifically for level 2 every non-revoked
|
||
|
certificate is accepted regardless of its Common Name. For this reason a
|
||
|
dedicated CA should be used with level 2, and not a generic CA commonly used
|
||
|
for webservers. Level 3 is preferred for point-to-point connections.
|
||
|
|
||
|
=back
|
||
|
|
||
|
|
||
|
=head1 RETURN VALUE
|
||
|
|
||
|
B<stunnel> returns zero on success, non-zero on error.
|
||
|
|
||
|
|
||
|
=head1 SIGNALS
|
||
|
|
||
|
The following signals can be used to control stunnel in Unix environment:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item SIGHUP
|
||
|
|
||
|
Force a reload of the configuration file.
|
||
|
|
||
|
Some global options will not be reloaded:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item * chroot
|
||
|
|
||
|
=item * foreground
|
||
|
|
||
|
=item * pid
|
||
|
|
||
|
=item * setgid
|
||
|
|
||
|
=item * setuid
|
||
|
|
||
|
=back
|
||
|
|
||
|
The use of 'setuid' option will also prevent stunnel from binding privileged
|
||
|
(<1024) ports during configuration reloading.
|
||
|
|
||
|
When 'chroot' option is used, stunnel will look for all its files (including
|
||
|
configuration file, certificates, log file and pid file) within the chroot
|
||
|
jail.
|
||
|
|
||
|
=item SIGUSR1
|
||
|
|
||
|
Close and reopen stunnel log file.
|
||
|
This function can be used for log rotation.
|
||
|
|
||
|
=item SIGTERM, SIGQUIT, SIGINT
|
||
|
|
||
|
Shut stunnel down.
|
||
|
|
||
|
=back
|
||
|
|
||
|
The result of sending any other signals to the server is undefined.
|
||
|
|
||
|
|
||
|
=head1 EXAMPLES
|
||
|
|
||
|
In order to provide SSL encapsulation to your local I<imapd> service, use
|
||
|
|
||
|
[imapd]
|
||
|
accept = 993
|
||
|
exec = /usr/sbin/imapd
|
||
|
execargs = imapd
|
||
|
|
||
|
If you want to provide tunneling to your I<pppd> daemon on port 2020,
|
||
|
use something like
|
||
|
|
||
|
[vpn]
|
||
|
accept = 2020
|
||
|
exec = /usr/sbin/pppd
|
||
|
execargs = pppd local
|
||
|
pty = yes
|
||
|
|
||
|
If you want to use B<stunnel> in I<inetd> mode to launch your imapd
|
||
|
process, you'd use this I<stunnel.conf>.
|
||
|
Note there must be no I<[service_name]> section.
|
||
|
|
||
|
exec = /usr/sbin/imapd
|
||
|
execargs = imapd
|
||
|
|
||
|
|
||
|
=head1 NOTES
|
||
|
|
||
|
=head2 RESTRICTIONS
|
||
|
|
||
|
B<stunnel> cannot be used for the FTP daemon because of the nature
|
||
|
of the FTP protocol which utilizes multiple ports for data transfers.
|
||
|
There are available SSL enabled versions of FTP and telnet daemons, however.
|
||
|
|
||
|
|
||
|
=head2 INETD MODE
|
||
|
|
||
|
The most common use of B<stunnel> is to listen on a network
|
||
|
port and establish communication with either a new port
|
||
|
via the connect option, or a new program via the I<exec> option.
|
||
|
However there is a special case when you wish to have
|
||
|
some other program accept incoming connections and
|
||
|
launch B<stunnel>, for example with I<inetd>, I<xinetd>,
|
||
|
or I<tcpserver>.
|
||
|
|
||
|
For example, if you have the following line in I<inetd.conf>:
|
||
|
|
||
|
imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
|
||
|
|
||
|
In these cases, the I<inetd>-style program is responsible
|
||
|
for binding a network socket (I<imaps> above) and handing
|
||
|
it to B<stunnel> when a connection is received.
|
||
|
Thus you do not want B<stunnel> to have any I<accept> option.
|
||
|
All the I<Service Level Options> should be placed in the
|
||
|
global options section, and no I<[service_name]> section
|
||
|
will be present. See the I<EXAMPLES> section for example
|
||
|
configurations.
|
||
|
|
||
|
=head2 CERTIFICATES
|
||
|
|
||
|
Each SSL enabled daemon needs to present a valid X.509 certificate
|
||
|
to the peer. It also needs a private key to decrypt the incoming
|
||
|
data. The easiest way to obtain a certificate and a key is to
|
||
|
generate them with the free I<OpenSSL> package. You can find more
|
||
|
information on certificates generation on pages listed below.
|
||
|
|
||
|
The order of contents of the I<.pem> file is important. It should contain the
|
||
|
unencrypted private key first, then a signed certificate (not certificate
|
||
|
request). There should be also empty lines after certificate and private key.
|
||
|
Plaintext certificate information appended on the top of generated certificate
|
||
|
should be discarded. So the file should look like this:
|
||
|
|
||
|
-----BEGIN RSA PRIVATE KEY-----
|
||
|
[encoded key]
|
||
|
-----END RSA PRIVATE KEY-----
|
||
|
[empty line]
|
||
|
-----BEGIN CERTIFICATE-----
|
||
|
[encoded certificate]
|
||
|
-----END CERTIFICATE-----
|
||
|
[empty line]
|
||
|
|
||
|
=head2 RANDOMNESS
|
||
|
|
||
|
B<stunnel> needs to seed the PRNG (pseudo random number generator) in
|
||
|
order for SSL to use good randomness. The following sources are loaded
|
||
|
in order until sufficient random data has been gathered:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item * The file specified with the I<RNDfile> flag.
|
||
|
|
||
|
=item * The file specified by the RANDFILE environment variable, if set.
|
||
|
|
||
|
=item * The file .rnd in your home directory, if RANDFILE not set.
|
||
|
|
||
|
=item * The file specified with '--with-random' at compile time.
|
||
|
|
||
|
=item * The contents of the screen if running on Windows.
|
||
|
|
||
|
=item * The egd socket specified with the I<EGD> flag.
|
||
|
|
||
|
=item * The egd socket specified with '--with-egd-sock' at compile time.
|
||
|
|
||
|
=item * The /dev/urandom device.
|
||
|
|
||
|
=back
|
||
|
|
||
|
With recent (>=OpenSSL 0.9.5a) version of SSL it will stop loading
|
||
|
random data automatically when sufficient entropy has been gathered.
|
||
|
With previous versions it will continue to gather from all the above
|
||
|
sources since no SSL function exists to tell when enough data is available.
|
||
|
|
||
|
Note that on Windows machines that do not have console user interaction
|
||
|
(mouse movements, creating windows, etc.) the screen contents are not
|
||
|
variable enough to be sufficient, and you should provide a random file
|
||
|
for use with the I<RNDfile> flag.
|
||
|
|
||
|
Note that the file specified with the I<RNDfile> flag should contain
|
||
|
random data -- that means it should contain different information
|
||
|
each time B<stunnel> is run. This is handled automatically
|
||
|
unless the I<RNDoverwrite> flag is used. If you wish to update this file
|
||
|
manually, the I<openssl rand> command in recent versions of OpenSSL,
|
||
|
would be useful.
|
||
|
|
||
|
One important note -- if /dev/urandom is available, OpenSSL has a habit of
|
||
|
seeding the PRNG with it even when checking the random state, so on
|
||
|
systems with /dev/urandom you're likely to use it even though it's listed
|
||
|
at the very bottom of the list above. This isn't B<stunnel's> behaviour, it's
|
||
|
OpenSSLs.
|
||
|
|
||
|
=head2 DH PARAMETERS
|
||
|
|
||
|
Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.
|
||
|
|
||
|
It is also possible to specify DH parameters in the certificate file:
|
||
|
|
||
|
openssl dhparam 2048 >> stunnel.pem
|
||
|
|
||
|
DH parameter generation may take several minutes.
|
||
|
|
||
|
|
||
|
=head1 FILES
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item F<stunnel.conf>
|
||
|
|
||
|
B<stunnel> configuration file
|
||
|
|
||
|
=back
|
||
|
|
||
|
|
||
|
=head1 BUGS
|
||
|
|
||
|
Option I<execargs> does not support quoting.
|
||
|
|
||
|
|
||
|
=head1 SEE ALSO
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item L<tcpd(8)>
|
||
|
|
||
|
access control facility for internet services
|
||
|
|
||
|
=item L<inetd(8)>
|
||
|
|
||
|
internet 'super-server'
|
||
|
|
||
|
=item F<http://www.stunnel.org/>
|
||
|
|
||
|
B<stunnel> homepage
|
||
|
|
||
|
=item F<http://www.openssl.org/>
|
||
|
|
||
|
OpenSSL project website
|
||
|
|
||
|
=back
|
||
|
|
||
|
|
||
|
=head1 AUTHOR
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item Michał Trojnara
|
||
|
|
||
|
<F<Michal.Trojnara@mirt.net>>
|
||
|
|
||
|
=back
|
||
|
|