.\" Automatically generated by Pod::Man v1.34, Pod::Parser v1.13
|
|
.\"
|
|
.\" Standard preamble:
|
|
.\" ========================================================================
|
|
.de Sh \" Subsection heading
|
|
.br
|
|
.if t .Sp
|
|
.ne 5
|
|
.PP
|
|
\fB\\$1\fR
|
|
.PP
|
|
..
|
|
.de Sp \" Vertical space (when we can't use .PP)
|
|
.if t .sp .5v
|
|
.if n .sp
|
|
..
|
|
.de Vb \" Begin verbatim text
|
|
.ft CW
|
|
.nf
|
|
.ne \\$1
|
|
..
|
|
.de Ve \" End verbatim text
|
|
.ft R
|
|
.fi
|
|
..
|
|
.\" Set up some character translations and predefined strings. \*(-- will
|
|
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
|
.\" double quote, and \*(R" will give a right double quote. | will give a
|
|
.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
|
|
.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
|
|
.\" expand to `' in nroff, nothing in troff, for use with C<>.
|
|
.tr \(*W-|\(bv\*(Tr
|
|
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
|
.ie n \{\
|
|
. ds -- \(*W-
|
|
. ds PI pi
|
|
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
|
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
|
. ds L" ""
|
|
. ds R" ""
|
|
. ds C` ""
|
|
. ds C' ""
|
|
'br\}
|
|
.el\{\
|
|
. ds -- \|\(em\|
|
|
. ds PI \(*p
|
|
. ds L" ``
|
|
. ds R" ''
|
|
'br\}
|
|
.\"
|
|
.\" If the F register is turned on, we'll generate index entries on stderr for
|
|
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
|
|
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
|
.\" output yourself in some meaningful fashion.
|
|
.if \nF \{\
|
|
. de IX
|
|
. tm Index:\\$1\t\\n%\t"\\$2"
|
|
..
|
|
. nr % 0
|
|
. rr F
|
|
.\}
|
|
.\"
|
|
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
|
.\" way too many mistakes in technical documents.
|
|
.hy 0
|
|
.if n .na
|
|
.\"
|
|
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
|
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
|
. \" fudge factors for nroff and troff
|
|
.if n \{\
|
|
. ds #H 0
|
|
. ds #V .8m
|
|
. ds #F .3m
|
|
. ds #[ \f1
|
|
. ds #] \fP
|
|
.\}
|
|
.if t \{\
|
|
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
|
. ds #V .6m
|
|
. ds #F 0
|
|
. ds #[ \&
|
|
. ds #] \&
|
|
.\}
|
|
. \" simple accents for nroff and troff
|
|
.if n \{\
|
|
. ds ' \&
|
|
. ds ` \&
|
|
. ds ^ \&
|
|
. ds , \&
|
|
. ds ~ ~
|
|
. ds /
|
|
.\}
|
|
.if t \{\
|
|
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
|
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
|
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
|
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
|
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
|
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
|
.\}
|
|
. \" troff and (daisy-wheel) nroff accents
|
|
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
|
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
|
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
|
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
|
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
|
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
|
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
|
.ds ae a\h'-(\w'a'u*4/10)'e
|
|
.ds Ae A\h'-(\w'A'u*4/10)'E
|
|
. \" corrections for vroff
|
|
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
|
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
|
. \" for low resolution devices (crt and lpr)
|
|
.if \n(.H>23 .if \n(.V>19 \
|
|
\{\
|
|
. ds : e
|
|
. ds 8 ss
|
|
. ds o a
|
|
. ds d- d\h'-1'\(ga
|
|
. ds D- D\h'-1'\(hy
|
|
. ds th \o'bp'
|
|
. ds Th \o'LP'
|
|
. ds ae ae
|
|
. ds Ae AE
|
|
.\}
|
|
.rm #[ #] #H #V #F C
|
|
.\" ========================================================================
|
|
.\"
|
|
.IX Title "STUNNEL 1"
|
|
.TH STUNNEL 8 "2003-08-01" " " " "
|
|
.SH "NAME"
|
|
stunnel \- universal SSL tunnel
|
|
.SH "SYNOPSIS"
|
|
.IX Header "SYNOPSIS"
|
|
\&\fBstunnel\fR [\-c\ |\ \-T] [\-D\ [facility.]level] [\-O\ a|l|r:option=value[:value]] [\-o\ file] [\-C\ cipherlist] [\-p\ pemfile] [\-v\ level] [\-A\ certfile] [\-S\ sources] [\-a\ directory] [\-t\ timeout] [\-u\ ident_username] [\-s\ setuid_user]
|
|
[\-g\ setgid_group] [\-n\ protocol] [\-P\ {\ filename\ |\ ''\ }\ ] [\-B\ bytes] [\-R\ randfile] [\-W] [\-E\ socket] [\-I\ host]
|
|
[\-d\ [host:]port\ [\-f]\ ] [\ \-r\ [host:]port\ |\ {\ \-l\ |\ \-L\ }\ program\ [\-\-\ progname\ args]\ ]
|
|
.SH "DESCRIPTION"
|
|
.IX Header "DESCRIPTION"
|
|
The \fBstunnel\fR program is designed to work as \fI\s-1SSL\s0\fR encryption
|
|
wrapper between remote clients and local (\fIinetd\fR\-startable) or
|
|
remote servers. The concept is that, having non\-SSL\-aware daemons
|
|
running on your system, you can easily set them up to communicate with
|
|
clients over secure \s-1SSL\s0 channels.
|
|
.PP
|
|
\&\fBstunnel\fR can be used to add \s-1SSL\s0 functionality to commonly used
|
|
\&\fIinetd\fR daemons like \s-1POP\-2\s0, \s-1POP\-3\s0, and \s-1IMAP\s0 servers, to standalone
|
|
daemons like \s-1NNTP\s0, \s-1SMTP\s0 and \s-1HTTP\s0, and in tunneling \s-1PPP\s0 over network
|
|
sockets without changes to the source code.
|
|
.PP
|
|
This product includes cryptographic software written by Eric Young
|
|
(eay@cryptsoft.com)
|
|
.SH "OPTIONS"
|
|
.IX Header "OPTIONS"
|
|
.IP "\fB\-h\fR" 4
|
|
.IX Item "-h"
|
|
Print stunnel help menu
|
|
.IP "\fB\-D\fR level" 4
|
|
.IX Item "-D level"
|
|
Debugging level
|
|
.Sp
|
|
Level is one of the syslog level names or numbers emerg (0), alert
|
|
(1), crit (2), err (3), warning (4), notice (5), info (6), or debug
|
|
(7). All logs for the specified level and all levels numerically less
|
|
than it will be shown. Use \-D debug or \-D 7 for greatest debugging
|
|
output. The default is notice (5).
|
|
.Sp
|
|
The syslog facility 'daemon' will be used unless a facility name is
|
|
supplied. (Facilities are not supported on windows.)
|
|
.Sp
|
|
Case is ignored for both facilities and levels.
|
|
.IP "\fB\-O\fR a|l|r:option=value[:value]" 4
|
|
.IX Item "-O a|l|r:option=value[:value]"
|
|
Set an option on accept/local/remote socket
|
|
.Sp
|
|
The values for the linger option are l_onoff:l_linger. The values for time
|
|
are tv_sec:tv_usec.
|
|
.Sp
|
|
\&\fBExamples:\fR
|
|
.Sp
|
|
\&\fB\-O l:SO_LINGER=1:60\fR \- set one minute timeout for closing local
|
|
socket
|
|
.Sp
|
|
\&\fB\-O r:TCP_NODELAY=1\fR \- turn off the Nagle algorithm for remote
|
|
sockets
|
|
.Sp
|
|
\&\fB\-O r:SO_OOBINLINE=1\fR \- place out-of-band data directly into the
|
|
receive data stream for remote sockets
|
|
.Sp
|
|
\&\fB\-O a:SO_REUSEADDR=0\fR \- disable address reuse (enabled by default)
|
|
.Sp
|
|
\&\fB\-O a:SO_BINDTODEVICE=lo\fR \- only accept connections on loopback
|
|
interface
|
|
.Sp
|
|
The available options and their defaults are:
|
|
Option Accept Local Remote OS default
|
|
SO_DEBUG -- -- -- 0
|
|
SO_DONTROUTE -- -- -- 0
|
|
SO_KEEPALIVE -- -- -- 0
|
|
SO_LINGER -- -- -- 0:0
|
|
SO_OOBINLINE -- -- -- 0
|
|
SO_RCVBUF -- -- -- 87380
|
|
SO_SNDBUF -- -- -- 16384
|
|
SO_RCVLOWAT -- -- -- 1
|
|
SO_SNDLOWAT -- -- -- 1
|
|
SO_RCVTIMEO -- -- -- 0:0
|
|
SO_SNDTIMEO -- -- -- 0:0
|
|
SO_REUSEADDR 1 -- -- 0
|
|
SO_BINDTODEVICE -- -- -- --
|
|
IP_TOS -- -- -- 0
|
|
IP_TTL -- -- -- 64
|
|
TCP_NODELAY -- -- -- 0
|
|
.IP "\fB\-o\fR file" 4
|
|
.IX Item "-o file"
|
|
Append log messages to a file.
|
|
.IP "\fB\-C\fR cipherlist" 4
|
|
.IX Item "-C cipherlist"
|
|
Select permitted \s-1SSL\s0 ciphers
|
|
.Sp
|
|
A colon\-delimited list of the ciphers to allow in the \s-1SSL\s0 connection, in OpenSSL cipher\-list syntax.
|
|
For example \s-1DES\-CBC3\-SHA:IDEA\-CBC\-MD5\s0
|
|
.IP "\fB\-c\fR" 4
|
|
.IX Item "-c"
|
|
client mode (remote service uses \s-1SSL\s0)
|
|
.Sp
|
|
default: server mode
|
|
.IP "\fB\-T\fR" 4
|
|
.IX Item "-T"
|
|
transparent proxy mode
|
|
.Sp
|
|
Re-write address to appear as if wrapped daemon is connecting from the
|
|
\&\s-1SSL\s0 client machine instead of the machine running stunnel. Available
|
|
only on some operating systems (Linux only, we believe) and then only
|
|
in server mode. Note that this option will not combine with proxy mode
|
|
(\-r) unless the client's default route to the target machine lies
|
|
through the host running stunnel, which cannot be localhost.
|
|
.IP "\fB\-p\fR pemfile" 4
|
|
.IX Item "-p pemfile"
|
|
private key and certificate chain \s-1PEM\s0 file name
|
|
.Sp
|
|
A \s-1PEM\s0 is always needed in server mode (by default located in
|
|
\fI/etc/stunnel/stunnel.pem\fR). Specifying this flag in client mode
|
|
will use this key and certificate chain as a client side certificate
|
|
chain. Using client side certs is optional. The certificates must be
|
|
in \s-1PEM\s0 format and must be sorted starting with the subject's own certificate, followed by any intermediate certificates, up
|
|
to the highest level (root \s-1CA\s0).
|
|
.IP "\fB\-v\fR level" 4
|
|
.IX Item "-v level"
|
|
verify peer certificate
|
|
.RS 4
|
|
.IP "\(bu" 8
|
|
level 1 \- verify the peer certificate if one is presented; a peer that presents no certificate is still accepted
|
|
.IP "\(bu" 8
|
|
level 2 \- require a peer certificate and verify it against the configured \s-1CA\s0 certificates (\fB\-A\fR / \fB\-a\fR)
|
|
.IP "\(bu" 8
|
|
level 3 \- require a peer certificate and additionally check it against a locally installed copy of that certificate (see \fB\-a\fR)
|
|
.IP "\(bu" 8
|
|
default \- no verification: the peer's certificate is not checked at all, so the tunnel encrypts the traffic but does not authenticate the peer
|
|
.RE
|
|
.RS 4
|
|
.RE
|
|
.IP "\fB\-a\fR directory" 4
|
|
.IX Item "-a directory"
|
|
client certificate directory
|
|
.Sp
|
|
This is the directory in which stunnel will look for certificates when
|
|
using the \fI\-v\fR options. Note that the certificates in this directory
|
|
should be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash of the certificate's subject name (as printed by \fBopenssl x509 \-hash\fR) of the
|
|
cert.
|
|
.IP "\fB\-A\fR certfile" 4
|
|
.IX Item "-A certfile"
|
|
Certificate Authority file
|
|
.Sp
|
|
This file contains multiple \s-1CA\s0 certificates, used with the \fI\-v\fR
|
|
options.
|
|
.IP "\fB\-t\fR timeout" 4
|
|
.IX Item "-t timeout"
|
|
session cache timeout
|
|
.Sp
|
|
default: 300 seconds.
|
|
.IP "\fB\-N\fR servicename" 4
|
|
.IX Item "-N servicename"
|
|
Service name to use for tcpwrappers. If not specified then a
|
|
tcpwrapper service name will be generated automatically for you. This
|
|
will also be used when auto-generating pid filenames.
|
|
.IP "\fB\-u\fR ident_username" 4
|
|
.IX Item "-u ident_username"
|
|
Use \s-1IDENT\s0 (\s-1RFC\s0 1413) username checking. Note that the username is reported by the remote host itself and is not authenticated, so it should not be relied upon as an access control on its own.
|
|
.IP "\fB\-n\fR proto" 4
|
|
.IX Item "-n proto"
|
|
Negotiate \s-1SSL\s0 with specified protocol
|
|
.Sp
|
|
currently supported: smtp, pop3, nntp
|
|
.IP "\fB\-E\fR socket" 4
|
|
.IX Item "-E socket"
|
|
Entropy Gathering Daemon socket to use to feed OpenSSL random number
|
|
generator. (Available only if compiled with OpenSSL 0.9.5a or higher)
|
|
.IP "\fB\-R\fR filename" 4
|
|
.IX Item "-R filename"
|
|
File containing random input. The \s-1SSL\s0 library will use data from this
|
|
file first to seed the random number generator.
|
|
.IP "\fB\-W\fR" 4
|
|
.IX Item "-W"
|
|
Do not overwrite the random seed files with new random data.
|
|
.IP "\fB\-B\fR bytes" 4
|
|
.IX Item "-B bytes"
|
|
Number of bytes of data read from random seed files. With \s-1SSL\s0
|
|
versions less than 0.9.5a, also determines how many bytes of data are
|
|
considered sufficient to seed the \s-1PRNG\s0. More recent OpenSSL versions
|
|
have a builtin function to determine when sufficient randomness is
|
|
available.
|
|
.IP "\fB\-I\fR host" 4
|
|
.IX Item "-I host"
|
|
\&\s-1IP\s0 of the outgoing interface is used as source for remote connections.
|
|
Use this option to bind a static local \s-1IP\s0 address, instead.
|
|
.IP "\fB\-d\fR [host:]port" 4
|
|
.IX Item "-d [host:]port"
|
|
daemon mode
|
|
.Sp
|
|
Listen for connections on [host:]port. If no host specified, defaults
|
|
to all \s-1IP\s0 addresses for the local host, i.e. the service is reachable on every interface; give a host to restrict it.
|
|
.Sp
|
|
default: inetd mode
|
|
.IP "\fB\-f\fR" 4
|
|
.IX Item "-f"
|
|
foreground mode
|
|
.Sp
|
|
Stay in foreground (don't fork) and log to stderr instead of via
|
|
syslog (unless \-o is specified).
|
|
.Sp
|
|
default: background in daemon mode
|
|
.IP "\fB\-l\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
|
|
.IX Item "-l program [-- programname [arg1 arg2 arg3...] ]"
|
|
execute local inetd-type program.
|
|
.IP "\fB\-L\fR program [\-\- programname [arg1 arg2 arg3...] ]" 4
|
|
.IX Item "-L program [-- programname [arg1 arg2 arg3...] ]"
|
|
open local pty and execute program.
|
|
.IP "\fB\-s\fR username" 4
|
|
.IX Item "-s username"
|
|
\&\fIsetuid()\fR to username in daemon mode
|
|
.IP "\fB\-g\fR groupname" 4
|
|
.IX Item "-g groupname"
|
|
\&\fIsetgid()\fR to groupname in daemon mode. Clears all supplementary group memberships.
|
|
.IP "\fB\-P\fR { file | '' }" 4
|
|
.IX Item "-P { file | '' }"
|
|
Pid file location
|
|
.Sp
|
|
If the argument is a filename, then that filename will be used for the
|
|
pid. If the argument is empty ('', not missing), then no pid file will
|
|
be created.
|
|
.IP "\fB\-r\fR [host:]port" 4
|
|
.IX Item "-r [host:]port"
|
|
connect to remote service
|
|
.Sp
|
|
If no host specified, defaults to localhost.
|
|
.SH "EXAMPLES"
|
|
.IX Header "EXAMPLES"
|
|
In order to provide \s-1SSL\s0 encapsulation to your local \fIimapd\fR service,
|
|
use
|
|
.PP
|
|
.Vb 1
|
|
\& stunnel \-d 993 \-l /usr/sbin/imapd \-\- imapd
|
|
.Ve
|
|
.PP
|
|
In order to let your local e-mail client connect to a \s-1SSL\s0-enabled
|
|
\fIimapd\fR service on another server, configure the e-mail client to connect to
|
|
localhost on port 143 and use:
|
|
.PP
|
|
.Vb 1
|
|
\& stunnel \-c \-d 143 \-r servername:993
|
|
.Ve
|
|
.PP
|
|
If you want to provide tunneling to your \fIpppd\fR daemon on port 2020,
|
|
use something like
|
|
.PP
|
|
.Vb 1
|
|
\& stunnel \-d 2020 \-L /usr/sbin/pppd \-\- pppd local
|
|
.Ve
|
|
.SH "ENVIRONMENT"
|
|
.IX Header "ENVIRONMENT"
|
|
If Stunnel is used to create local processes using the \fB\-l\fR or \fB\-L\fR
|
|
options, it will set the following environment variables
|
|
.IP "\s-1REMOTE_HOST\s0" 4
|
|
.IX Item "REMOTE_HOST"
|
|
The \s-1IP\s0 address of the remote end of the connection.
|
|
.IP "\s-1SSL_CLIENT_DN\s0" 4
|
|
.IX Item "SSL_CLIENT_DN"
|
|
The \s-1DN\s0 (Distinguished Name, aka subject name) of the peer certificate,
|
|
if a certificate was present and verified.
|
|
.IP "\s-1SSL_CLIENT_I_DN\s0" 4
|
|
.IX Item "SSL_CLIENT_I_DN"
|
|
The Issuer's \s-1DN\s0 of the peer's certificate, if a certificate was
|
|
present and verified.
|
|
.SH "CERTIFICATES"
|
|
.IX Header "CERTIFICATES"
|
|
.IP "\(bu" 4
|
|
Each \s-1SSL\s0\-enabled daemon needs to present a valid X.509 certificate to
|
|
the peer. It also needs a private key to decrypt the incoming data.
|
|
The easiest way to obtain a certificate and a key is to generate them
|
|
with the free \fIopenssl\fR package. You can find more information on
|
|
certificate generation on the pages listed below.
|
|
.Sp
|
|
Two things are important when generating certificate-key pairs for
|
|
\&\fBstunnel\fR. The private key cannot be encrypted, because the server
|
|
has no way to obtain the password from the user. To produce an
|
|
unencrypted key add the \fI\-nodes\fR option when running the \fBreq\fR
|
|
command from the \fIopenssl\fR kit. Because the key is stored unencrypted, the \fI.pem\fR file should be readable only by the user \fBstunnel\fR runs as (see \fB\-s\fR).
|
|
.Sp
|
|
The order of contents of the \fI.pem\fR file is also important. It should
|
|
contain the unencrypted private key first, then a signed certificate
|
|
(not certificate request). There should be also empty lines after
|
|
certificate and the private key. The plaintext certificate information
|
|
that \fIopenssl\fR prints before the generated certificate should be discarded. So
|
|
the file should look like this:
|
|
.Sp
|
|
.Vb 8
|
|
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
|
|
\& [encoded key]
|
|
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
|
|
\& [empty line]
|
|
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
|
|
\& [encoded certificate]
|
|
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
|
|
\& [empty line]
|
|
.Ve
|
|
.SH "RANDOMNESS"
|
|
.IX Header "RANDOMNESS"
|
|
.IP "\(bu" 4
|
|
\&\fIstunnel\fR needs to seed the \s-1PRNG\s0 (pseudo random number generator) in
|
|
order for \s-1SSL\s0 to use good randomness. The following sources are
|
|
loaded in order until sufficient random data has been gathered:
|
|
.RS 4
|
|
.IP "\(bu" 8
|
|
The file specified with the \fI\-R\fR flag.
|
|
.IP "\(bu" 8
|
|
The file specified by the \s-1RANDFILE\s0 environment variable, if set.
|
|
.IP "\(bu" 8
|
|
The file .rnd in your home directory, if \s-1RANDFILE\s0 not set.
|
|
.IP "\(bu" 8
|
|
The file specified with '\-\-with\-random' at compile time.
|
|
.IP "\(bu" 8
|
|
The contents of the screen if running on Windows.
|
|
.IP "\(bu" 8
|
|
The egd socket specified with the \fI\-E\fR flag.
|
|
.IP "\(bu" 8
|
|
The egd socket specified with '\-\-with\-egd\-sock' at compile time.
|
|
.IP "\(bu" 8
|
|
The /dev/urandom device.
|
|
.RE
|
|
.RS 4
|
|
.Sp
|
|
With recent (>=OpenSSL 0.9.5a) version of \s-1SSL\s0 it will stop loading
|
|
random data automatically when sufficient entropy has been gathered.
|
|
With previous versions it will continue to gather from all the above
|
|
sources since no \s-1SSL\s0 function exists to tell when enough data is
|
|
available.
|
|
.Sp
|
|
Note that on Windows machines that do not have console user
|
|
interaction (mouse movements, creating windows, etc) the screen
|
|
contents are not variable enough to be sufficient, and you should
|
|
provide a random file for use with the \fI\-R\fR flag.
|
|
.Sp
|
|
Note that the file specified with the \fI\-R\fR flag should contain random
|
|
data \*(-- that means it should contain different information each time
|
|
\&\fIstunnel\fR is run. This is handled automatically unless the \fI\-W\fR
|
|
flag is used. If you wish to update this file manually, the \fIopenssl
|
|
rand\fR command in recent versions of OpenSSL would be useful.
|
|
.Sp
|
|
One important note \*(-- if /dev/urandom is available, OpenSSL has a
|
|
habit of seeding the \s-1PRNG\s0 with it even when checking the random state,
|
|
so on systems with /dev/urandom you're likely to use it even though
|
|
it's listed at the very bottom of the list above. This isn't
|
|
stunnel's behaviour, it's OpenSSL's.
|
|
.RE
|
|
.SH "LIMITATIONS"
|
|
.IX Header "LIMITATIONS"
|
|
.IP "\(bu" 4
|
|
\&\fIstunnel\fR cannot be used for the \s-1FTP\s0 daemon because of the nature of
|
|
the \s-1FTP\s0 protocol which utilizes multiple ports for data transfers.
|
|
\&\s-1SSL\s0\-enabled versions of \s-1FTP\s0 and telnet daemons are available,
|
|
however.
|
|
.SH "SEE ALSO"
|
|
.IX Header "SEE ALSO"
|
|
.RS 4
|
|
.IP "\fItcpd\fR\|(8)" 8
|
|
.IX Item "tcpd"
|
|
access control facility for internet services
|
|
.IP "\fIinetd\fR\|(8)" 8
|
|
.IX Item "inetd"
|
|
internet ``super\-server''
|
|
.IP "\fIhttps://www.stunnel.org/\fR" 8
|
|
.IX Item "https://www.stunnel.org/"
|
|
Stunnel homepage
|
|
.IP "\fIhttps://www.openssl.org/\fR" 8
|
|
.IX Item "https://www.openssl.org/"
|
|
OpenSSL project website
|
|
.RE
|
|
.RS 4
|
|
.RE
|
|
.SH "AUTHOR"
|
|
.IX Header "AUTHOR"
|
|
.RS 4
|
|
.IP "Michal Trojnara" 8
|
|
.IX Item "Michal Trojnara"
|
|
<\fIMichal.Trojnara@stunnel.org\fR>
|
|
.RE
|
|
.RS 4
|
|
.RE
|