| =head1 NAME |
| |
| =encoding utf8 |
| |
| stunnel - TLS offloading and load-balancing proxy |
| |
| |
| =head1 SYNOPSIS |
| |
| =over 4 |
| |
| =item B<Unix:> |
| |
| B<stunnel> [S<FILE>] | S<-fd N> | S<-help> | S<-version> | S<-sockets> | S<-options> |
| |
| =item B<WIN32:> |
| |
| B<stunnel> [ [ S<-install> | S<-uninstall> | S<-start> | S<-stop> | |
| S<-reload> | S<-reopen> | S<-exit> ] [S<-quiet>] [S<FILE>] ] | |
| S<-help> | S<-version> | S<-sockets> | S<-options> |
| |
| =back |
| |
| |
| =head1 DESCRIPTION |
| |
| The B<stunnel> program is designed to work as I<SSL> encryption wrapper |
| between remote clients and local (I<inetd>-startable) or remote |
| servers. The concept is that having non-SSL aware daemons running on |
| your system you can easily set them up to communicate with clients over |
| secure SSL channels. |
| |
| B<stunnel> can be used to add SSL functionality to commonly used I<Inetd> |
| daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like |
| NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without |
| changes to the source code. |
| |
| This product includes cryptographic software written by |
| Eric Young (eay@cryptsoft.com) |
| |
| |
| =head1 OPTIONS |
| |
| =over 4 |
| |
| =item B<FILE> |
| |
| Use specified configuration file |
| |
| =item B<-fd N> (Unix only) |
| |
| Read the config file from specified file descriptor |
| |
| =item B<-help> |
| |
| Print B<stunnel> help menu |
| |
| =item B<-version> |
| |
| Print B<stunnel> version and compile time defaults |
| |
| =item B<-sockets> |
| |
| Print default socket options |
| |
| =item B<-options> |
| |
| Print supported SSL options |
| |
| =item B<-install> (Windows NT and later only) |
| |
| Install NT Service |
| |
| =item B<-uninstall> (Windows NT and later only) |
| |
| Uninstall NT Service |
| |
| =item B<-start> (Windows NT and later only) |
| |
| Start NT Service |
| |
| =item B<-stop> (Windows NT and later only) |
| |
| Stop NT Service |
| |
| =item B<-reload> (Windows NT and later only) |
| |
| Reload the configuration file of the running NT Service |
| |
| =item B<-reopen> (Windows NT and later only) |
| |
| Reopen the log file of the running NT Service |
| |
| =item B<-exit> (Win32 only) |
| |
| Exit an already started stunnel |
| |
| =item B<-quiet> (Win32 only) |
| |
| Don't display any message boxes |
| |
| =back |
| |
| |
| =head1 CONFIGURATION FILE |
| |
| Each line of the configuration file can be either: |
| |
| =over 4 |
| |
| =item * |
| |
| An empty line (ignored). |
| |
| =item * |
| |
| A comment starting with ';' (ignored). |
| |
| =item * |
| |
| An 'option_name = option_value' pair. |
| |
| =item * |
| |
| '[service_name]' indicating a start of a service definition. |
| |
| =back |
| |
| An address parameter of an option may be either: |
| |
| =over 4 |
| |
| =item * |
| |
| A port number. |
| |
| =item * |
| |
| A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number. |
| |
| =item * |
| |
| A Unix socket path (Unix only). |
| |
| =back |
| |
| =head2 GLOBAL OPTIONS |
| |
| =over 4 |
| |
| =item B<chroot> = DIRECTORY (Unix only) |
| |
| directory to chroot B<stunnel> process |
| |
| B<chroot> keeps B<stunnel> in a chrooted jail. I<CApath>, I<CRLpath>, I<pid> |
| and I<exec> are located inside the jail and the patches have to be relative |
| to the directory specified with B<chroot>. |
| |
| Several functions of the operating system also need their files to be located within the chroot jail, e.g.: |
| |
| =over 4 |
| |
| =item * |
| |
| Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf. |
| |
| =item * |
| |
| Local time in log files needs /etc/timezone. |
| |
| =item * |
| |
| Some other functions may need devices, e.g. /dev/zero or /dev/null. |
| |
| =back |
| |
| =item B<compression> = deflate | zlib |
| |
| select data compression algorithm |
| |
| default: no compression |
| |
| deflate is the standard compression method as described in RFC 1951. |
| |
| zlib compression of B<OpenSSL 0.9.8> or above is not backward compatible with |
| B<OpenSSL 0.9.7>. |
| |
| =item B<debug> = [FACILITY.]LEVEL |
| |
| debugging level |
| |
| Level is one of the syslog level names or numbers |
| emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), |
| info (6), or debug (7). All logs for the specified level and |
| all levels numerically less than it will be shown. Use I<debug = debug> or |
| I<debug = 7> for greatest debugging output. The default is notice (5). |
| |
| The syslog facility 'daemon' will be used unless a facility name is supplied. |
| (Facilities are not supported on Win32.) |
| |
| Case is ignored for both facilities and levels. |
| |
| =item B<EGD> = EGD_PATH (Unix only) |
| |
| path to Entropy Gathering Daemon socket |
| |
| Entropy Gathering Daemon socket to use to feed the B<OpenSSL> random number |
| generator. (Available only if compiled with B<OpenSSL 0.9.5a> or higher) |
| |
| =item B<engine> = auto | ENGINE_ID |
| |
| select hardware engine |
| |
| default: software-only cryptography |
| |
| Here is an example of advanced engine configuration to read the private key from an |
| OpenSC engine |
| |
| engine=dynamic |
| engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so |
| engineCtrl=ID:pkcs11 |
| engineCtrl=LIST_ADD:1 |
| engineCtrl=LOAD |
| engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so |
| engineCtrl=INIT |
| |
| [service] |
| engineNum=1 |
| key=id_45 |
| |
| =item B<engineCtrl> = COMMAND[:PARAMETER] |
| |
| control hardware engine |
| |
| Special commands "LOAD" and "INIT" can be used to load and initialize the |
| engine cryptogaphic module. |
| |
| =item B<engineDefault> = TASK_LIST |
| |
| set OpenSSL tasks delegated to the current engine |
| |
| The parameter specifies a comma-separated list of task to be delegated to the |
| current engine. |
| |
| The following tasks may be available, if supported by the engine: ALL, RSA, |
| DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1. |
| |
| =item B<fips> = yes | no |
| |
| Enable or disable FIPS 140-2 mode. |
| |
| This option allows you to disable entering FIPS mode if B<stunnel> was compiled |
| with FIPS 140-2 support. |
| |
| default: no (since version 5.00) |
| |
| =item B<foreground> = yes | no (Unix only) |
| |
| foreground mode |
| |
| Stay in foreground (don't fork) and log to stderr |
| instead of via syslog (unless I<output> is specified). |
| |
| default: background in daemon mode |
| |
| =item B<iconActive> = ICON_FILE (GUI only) |
| |
| GUI icon to be displayed when there are established connections |
| |
| On Windows platform the parameter should be an .ico file containing a 16x16 |
| pixel image. |
| |
| =item B<iconError> = ICON_FILE (GUI only) |
| |
| GUI icon to be displayed when no valid configuration is loaded |
| |
| On Windows platform the parameter should be an .ico file containing a 16x16 |
| pixel image. |
| |
| =item B<iconIdle> = ICON_FILE (GUI only) |
| |
| GUI icon to be displayed when there are no established connections |
| |
| On Windows platform the parameter should be an .ico file containing a 16x16 |
| pixel image. |
| |
| =item B<log> = append | overwrite |
| |
| log file handling |
| |
| This option allows you to choose whether the log file (specified with the I<output> |
| option) is appended or overwritten when opened or re-opened. |
| |
| default: append |
| |
| =item B<output> = FILE |
| |
| append log messages to a file |
| |
| /dev/stdout device can be used to send log messages to the standard |
| output (for example to log them with daemontools splogger). |
| |
| =item B<pid> = FILE (Unix only) |
| |
| pid file location |
| |
| If the argument is empty, then no pid file will be created. |
| |
| I<pid> path is relative to the I<chroot> directory if specified. |
| |
| =item B<RNDbytes> = BYTES |
| |
| bytes to read from random seed files |
| |
| Number of bytes of data read from random seed files. With SSL versions less |
| than B<0.9.5a>, also determines how many bytes of data are considered |
| sufficient to seed the PRNG. More recent B<OpenSSL> versions have a builtin |
| function to determine when sufficient randomness is available. |
| |
| =item B<RNDfile> = FILE |
| |
| path to file with random seed data |
| |
| The SSL library will use data from this file first to seed the random |
| number generator. |
| |
| =item B<RNDoverwrite> = yes | no |
| |
| overwrite the random seed files with new random data |
| |
| default: yes |
| |
| =item B<service> = SERVICE (Unix only) |
| |
| stunnel service name |
| |
| The specified service name is used for syslog and as the I<inetd> mode service |
| name for TCP Wrappers. While this option can technically be specified in the |
| service sections, it is only useful in global options. |
| |
| default: stunnel |
| |
| =item B<setgid> = GROUP (Unix only) |
| |
| setgid() to the specified group in daemon mode and clear all other groups |
| |
| =item B<setuid> = USER (Unix only) |
| |
| setuid() to the specified user in daemon mode |
| |
| =item B<socket> = a|l|r:OPTION=VALUE[:VALUE] |
| |
| Set an option on the accept/local/remote socket |
| |
| The values for the linger option are l_onof:l_linger. |
| The values for the time are tv_sec:tv_usec. |
| |
| Examples: |
| |
| socket = l:SO_LINGER=1:60 |
| set one minute timeout for closing local socket |
| socket = r:SO_OOBINLINE=yes |
| place out-of-band data directly into the |
| receive data stream for remote sockets |
| socket = a:SO_REUSEADDR=no |
| disable address reuse (enabled by default) |
| socket = a:SO_BINDTODEVICE=lo |
| only accept connections on loopback interface |
| |
| =item B<syslog> = yes | no (Unix only) |
| |
| enable logging via syslog |
| |
| default: yes |
| |
| =item B<taskbar> = yes | no (WIN32 only) |
| |
| enable the taskbar icon |
| |
| default: yes |
| |
| =back |
| |
| |
| =head2 SERVICE-LEVEL OPTIONS |
| |
| Each configuration section begins with a service name in square brackets. |
| The service name is used for libwrap (TCP Wrappers) access control and lets |
| you distinguish B<stunnel> services in your log files. |
| |
| Note that if you wish to run B<stunnel> in I<inetd> mode (where it |
| is provided a network socket by a server such as I<inetd>, I<xinetd>, |
| or I<tcpserver>) then you should read the section entitled I<INETD MODE> |
| below. |
| |
| |
| =over 4 |
| |
| =item B<accept> = [HOST:]PORT |
| |
| accept connections on specified address |
| |
| If no host specified, defaults to all IPv4 addresses for the local host. |
| |
| To listen on all IPv6 addresses use: |
| |
| accept = :::PORT |
| |
| =item B<CApath> = DIRECTORY |
| |
| Certificate Authority directory |
| |
| This is the directory in which B<stunnel> will look for certificates when using |
| the I<verify> option. Note that the certificates in this directory should be named |
| XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the |
| cert. |
| |
| The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to |
| c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>. |
| |
| I<CApath> path is relative to the I<chroot> directory if specified. |
| |
| =item B<CAfile> = CERT_FILE |
| |
| Certificate Authority file |
| |
| This file contains multiple CA certificates, used with the I<verify> option. |
| |
| =item B<cert> = PEM_FILE |
| |
| certificate chain PEM file name |
| |
| The certificates must be in PEM format, and must be from the |
| actual server/client certificate to the self-signed root CA certificate. |
| |
| A certificate is required in server mode, and optional in client mode. |
| |
| =item B<checkEmail> = EMAIL |
| |
| email address of the peer certificate subject |
| |
| Multiple I<checkEmail> options are allowed in a single service section. |
| Certificates are accepted if no I<checkEmail> option was specified, or the |
| email address of the peer certificate matches any of the email addresses |
| specified with I<checkEmail>. |
| |
| =item B<checkHost> = HOST |
| |
| host of the peer certificate subject |
| |
| Multiple I<checkHost> options are allowed in a single service section. |
| Certificates are accepted if no I<checkHost> option was specified, or the host |
| name of the peer certificate matches any of the hosts specified with |
| I<checkHost>. |
| |
| =item B<checkIP> = IP |
| |
| IP address of the peer certificate subject |
| |
| Multiple I<checkIP> options are allowed in a single service section. |
| Certificates are accepted if no I<checkIP> option was specified, or the IP |
| address of the peer certificate matches any of the IP addresses specified with |
| I<checkIP>. |
| |
| =item B<ciphers> = CIPHER_LIST |
| |
| Select permitted SSL ciphers |
| |
| A colon-delimited list of the ciphers to allow in the SSL connection, |
| for example DES-CBC3-SHA:IDEA-CBC-MD5. |
| |
| =item B<client> = yes | no |
| |
| client mode (remote service uses SSL) |
| |
| default: no (server mode) |
| |
| =item B<connect> = [HOST:]PORT |
| |
| connect to a remote address |
| |
| If no host is specified, the host defaults to localhost. |
| |
| Multiple I<connect> options are allowed in a single service section. |
| |
| If host resolves to multiple addresses and/or if multiple I<connect> |
| options are specified, then the remote address is chosen using a |
| round-robin algorithm. |
| |
| =item B<CRLpath> = DIRECTORY |
| |
| Certificate Revocation Lists directory |
| |
| This is the directory in which B<stunnel> will look for CRLs when |
| using the I<verify> option. Note that the CRLs in this directory should |
| be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL. |
| |
| The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to |
| c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>. |
| |
| I<CRLpath> path is relative to the I<chroot> directory if specified. |
| |
| =item B<CRLfile> = CERT_FILE |
| |
| Certificate Revocation Lists file |
| |
| This file contains multiple CRLs, used with the I<verify> option. |
| |
| =item B<curve> = NID |
| |
| specify ECDH curve name |
| |
| To get a list of supported curves use: |
| |
| openssl ecparam -list_curves |
| |
| default: prime256v1 |
| |
| =item B<logId> = TYPE |
| |
| connection identifier type |
| |
| This identifier allows you to distinguish log entries generated for each of the |
| connections. |
| |
| Currently supported types: |
| |
| =over 4 |
| |
| =item I<sequential> |
| |
| The numeric sequential identifier is only unique within a single instance of |
| B<stunnel>, but very compact. It is most useful for manual log analysis. |
| |
| =item I<unique> |
| |
| This alphanumeric identifier is globally unique, but longer than the sequential |
| number. It is most useful for automated log analysis. |
| |
| =item I<thread> |
| |
| The operating system thread identifier is neither unique (even within a single |
| instance of B<stunnel>) nor short. It is most useful for debugging software |
| or configuration issues. |
| |
| =back |
| |
| default: sequential |
| |
| =item B<debug> = LEVEL |
| |
| debugging level |
| |
| Level is a one of the syslog level names or numbers |
| emerg (0), alert (1), crit (2), err (3), warning (4), notice (5), |
| info (6), or debug (7). All logs for the specified level and |
| all levels numerically less than it will be shown. Use I<debug = debug> or |
| I<debug = 7> for greatest debugging output. The default is notice (5). |
| |
| =item B<delay> = yes | no |
| |
| delay DNS lookup for the I<connect> option |
| |
| This option is useful for dynamic DNS, or when DNS is not available during |
| B<stunnel> startup (road warrior VPN, dial-up configurations). |
| |
| Delayed resolver mode is automatically engaged when stunnel fails to resolve on |
| startup any of the I<connect> targets for a service. |
| |
| Delayed resolver inflicts I<failover = prio>. |
| |
| default: no |
| |
| =item B<engineId> = ENGINE_ID |
| |
| select engine ID for the service |
| |
| =item B<engineNum> = ENGINE_NUMBER |
| |
| select engine number for the service |
| |
| The engines are numbered starting from 1. |
| |
| =item B<exec> = EXECUTABLE_PATH |
| |
| execute a local inetd-type program |
| |
| I<exec> path is relative to the I<chroot> directory if specified. |
| |
| The following environmental variables are set on Unix platforms: |
| REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN. |
| |
| =item B<execArgs> = $0 $1 $2 ... |
| |
| arguments for I<exec> including the program name ($0) |
| |
| Quoting is currently not supported. |
| Arguments are separated with an arbitrary amount of whitespace. |
| |
| =item B<failover> = rr | prio |
| |
| Failover strategy for multiple "connect" targets. |
| |
| rr (round robin) - fair load distribution |
| prio (priority) - use the order specified in config file |
| |
| default: rr |
| |
| =item B<ident> = USERNAME |
| |
| use IDENT (RFC 1413) username checking |
| |
| =item B<include> = DIRECTORY |
| |
| include all configuration file parts located in DIRECTORY |
| |
| The files are included in the ascending alphabetical order of their names. |
| |
| =item B<key> = KEY_FILE |
| |
| private key for the certificate specified with I<cert> option |
| |
| A private key is needed to authenticate the certificate owner. |
| Since this file should be kept secret it should only be readable |
| by its owner. On Unix systems you can use the following command: |
| |
| chmod 600 keyfile |
| |
| default: the value of the I<cert> option |
| |
| =item B<libwrap> = yes | no |
| |
| Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny. |
| |
| default: no (since version 5.00) |
| |
| =item B<local> = HOST |
| |
| By default, the IP address of the outgoing interface is used as the source for remote connections. |
| Use this option to bind a static local IP address instead. |
| |
| =item B<sni> = SERVICE:SERVER_PATTERN (server mode) |
| |
| Use the service as a slave service (a name-based virtual server) for Server |
| Name Indication TLS extension (RFC 3546). |
| |
| I<service_name> specifies the master service that accepts client connections |
| with the I<accept> option. I<server_name_pattern> specifies the host name to be |
| redirected. The pattern may start with the '*' character, e.g. '*.example.com'. |
| Multiple slave services are normally specified for a single master service. |
| The I<sni> option can also be specified more than once within a single slave |
| service. |
| |
| This service, as well as the master service, may not be configured in client |
| mode. |
| |
| The I<connect> option of the slave service is ignored when the I<protocol> option is |
| specified, as I<protocol> connects to the remote host before TLS handshake. |
| |
| Libwrap checks (Unix only) are performed twice: with the master service name after |
| TCP connection is accepted, and with the slave service name during the TLS handshake. |
| |
| The I<sni> option is only available when compiled with B<OpenSSL 1.0.0> and later. |
| |
| =item B<sni> = SERVER (client mode) |
| |
| Use the parameter as the value of TLS Server Name Indication (RFC 3546) |
| extension. |
| |
| The I<sni> option is only available when compiled with B<OpenSSL 1.0.0> and later. |
| |
| =item B<OCSP> = URL |
| |
| select OCSP server for certificate verification |
| |
| =item B<OCSPaia> = yes | no |
| |
| validate certificates with their AIA OCSP responders |
| |
| This option enables I<stunnel> to validate certificates with the list of |
| OCSP responder URLs retrieved from their AIA (Authority Information Access) |
| extension. |
| |
| =item B<OCSPflag> = OCSP_FLAG |
| |
| specify OCSP server flag |
| |
| Several I<OCSPflag> can be used to specify multiple flags. |
| |
| currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY, |
| NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME |
| |
| =item B<options> = SSL_OPTIONS |
| |
| B<OpenSSL> library options |
| |
| The parameter is the B<OpenSSL> option name as described in the |
| I<SSL_CTX_set_options(3ssl)> manual, but without I<SSL_OP_> prefix. |
| I<stunnel -options> lists the options found to be allowed in the |
| current combination of I<stunnel> and the I<OpenSSL> library used |
| to build it. |
| |
| Several I<options> can be used to specify multiple options. |
| An option name can be prepended with a dash ("-") to disable the option. |
| |
| For example, for compatibility with the erroneous Eudora SSL |
| implementation, the following option can be used: |
| |
| options = DONT_INSERT_EMPTY_FRAGMENTS |
| |
| default: |
| |
| options = NO_SSLv2 |
| options = NO_SSLv3 |
| |
| =item B<protocol> = PROTO |
| |
| application protocol to negotiate SSL |
| |
| This option enables initial, protocol-specific negotiation of the SSL/TLS |
| encryption. |
| The I<protocol> option should not be used with SSL encryption on a separate port. |
| |
| Currently supported protocols: |
| |
| =over 4 |
| |
| =item I<cifs> |
| |
| Proprietary (undocummented) extension of CIFS protocol implemented in Samba. |
| Support for this extension was dropped in Samba 3.0.0. |
| |
| =item I<connect> |
| |
| Based on RFC 2817 - I<Upgrading to TLS Within HTTP/1.1>, section 5.2 - I<Requesting a Tunnel with CONNECT> |
| |
| This protocol is only supported in client mode. |
| |
| =item I<imap> |
| |
| Based on RFC 2595 - I<Using TLS with IMAP, POP3 and ACAP> |
| |
| =item I<nntp> |
| |
| Based on RFC 4642 - I<Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)> |
| |
| This protocol is only supported in client mode. |
| |
| =item I<pgsql> |
| |
| Based on |
| F<http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982> |
| |
| =item I<pop3> |
| |
| Based on RFC 2449 - I<POP3 Extension Mechanism> |
| |
| =item I<proxy> |
| |
| Haproxy client IP address |
| F<http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt> |
| |
| =item I<smtp> |
| |
| Based on RFC 2487 - I<SMTP Service Extension for Secure SMTP over TLS> |
| |
| =item I<socks> |
| |
| SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself |
| is encapsulated within SSL/TLS encryption layer to protect the final |
| destination address. |
| |
| F<http://www.openssh.com/txt/socks4.protocol> |
| |
| F<http://www.openssh.com/txt/socks4a.protocol> |
| |
| The BIND command of the SOCKS protocol is not supported. |
| The USERID parameter is ignored. |
| |
| See Examples section for sample configuration files for VPN based on SOCKS |
| encryption. |
| |
| =back |
| |
| =item B<protocolAuthentication> = basic | ntlm |
| |
| authentication type for protocol negotiations |
| |
| Currently the authentication type only applies to the 'connect' protocol. |
| |
| default: basic |
| |
| =item B<protocolHost> = HOST:PORT |
| |
| destination address for protocol negotiations |
| |
| I<protocolHost> specifies the final SSL server to be connected to by the proxy, |
| and not the proxy server directly connected by B<stunnel>. |
| The proxy server should be specified with the 'connect' option. |
| |
| Currently the protocol destination address only applies to 'connect' protocol. |
| |
| =item B<protocolPassword> = PASSWORD |
| |
| password for protocol negotiations |
| |
| =item B<protocolUsername> = USERNAME |
| |
| username for protocol negotiations |
| |
| =item B<PSKidentity> = IDENTITY |
| |
| PSK identity for the PSK client |
| |
| I<PSKidentity> can be used on B<stunnel> clients to select the PSK identity |
| used for authentication. This option is ignored in server sections. |
| |
| default: the first identity specified in the I<PSKsecrets> file. |
| |
| =item B<PSKsecrets> = FILE |
| |
| file with PSK identities and corresponding keys |
| |
| Each line of the file in the following format: |
| |
| IDENTITY:KEY |
| |
| The key is required to be at least 20 characters long. |
| The file should not be world-readable nor world-writable. |
| |
| =item B<pty> = yes | no (Unix only) |
| |
| allocate a pseudoterminal for 'exec' option |
| |
| =item B<redirect> = [HOST:]PORT |
| |
| redirect SSL client connections on certificate-based authentication failures |
| |
| This option only works in server mode. |
| Some protocol negotiations are also incompatible with the I<redirect> option. |
| |
| =item B<renegotiation> = yes | no |
| |
| support SSL renegotiation |
| |
| Applications of the SSL renegotiation include some authentication scenarios, |
| or re-keying long lasting connections. |
| |
| On the other hand this feature can facilitate a trivial CPU-exhaustion |
| DoS attack: |
| |
| F<http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html> |
| |
| Please note that disabling SSL renegotiation does not fully mitigate |
| this issue. |
| |
| default: yes (if supported by B<OpenSSL>) |
| |
| =item B<reset> = yes | no |
| |
| attempt to use the TCP RST flag to indicate an error |
| |
| This option is not supported on some platforms. |
| |
| default: yes |
| |
| =item B<retry> = yes | no |
| |
| reconnect a connect+exec section after it's disconnected |
| |
| default: no |
| |
| =item B<sessionCacheSize> = NUM_ENTRIES |
| |
| session cache size |
| |
| I<sessionCacheSize> specifies the maximum number of the internal session cache |
| entries. |
| |
| The value of 0 can be used for unlimited size. It is not recommended |
| for production use due to the risk of a memory exhaustion DoS attack. |
| |
| =item B<sessionCacheTimeout> = TIMEOUT |
| |
| session cache timeout |
| |
| This is the number of seconds to keep cached SSL sessions. |
| |
| =item B<sessiond> = HOST:PORT |
| |
| address of sessiond SSL cache server |
| |
| =item B<sslVersion> = SSL_VERSION |
| |
| select the SSL protocol version |
| |
| Supported values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 |
| |
| Availability of specific protocols depends on the linked OpenSSL library. |
| Older versions of OpenSSL do not support TLSv1.1 and TLSv1.2. |
| Newer versions of OpenSSL do not support SSLv2. |
| |
| Obsolete SSLv2 and SSLv3 are currently disabled by default. |
| See the B<options> option documentation for details. |
| |
| =item B<stack> = BYTES (except for FORK model) |
| |
| thread stack size |
| |
| =item B<TIMEOUTbusy> = SECONDS |
| |
| time to wait for expected data |
| |
| =item B<TIMEOUTclose> = SECONDS |
| |
| time to wait for close_notify (set to 0 for buggy MSIE) |
| |
| =item B<TIMEOUTconnect> = SECONDS |
| |
| time to wait to connect to a remote host |
| |
| =item B<TIMEOUTidle> = SECONDS |
| |
| time to keep an idle connection |
| |
| =item B<transparent> = none | source | destination | both (Unix only) |
| |
| enable transparent proxy support on selected platforms |
| |
| Supported values: |
| |
| =over 4 |
| |
| =item I<none> |
| |
| Disable transparent proxy support. This is the default. |
| |
| =item I<source> |
| |
| Re-write the address to appear as if a wrapped daemon is connecting |
| from the SSL client machine instead of the machine running B<stunnel>. |
| |
| This option is currently available in: |
| |
| =over 4 |
| |
| =item Remote mode (I<connect> option) on I<Linux E<gt>=2.6.28> |
| |
| This configuration requires B<stunnel> to be executed as root and without |
| the I<setuid> option. |
| |
| This configuration requires the following setup for iptables and routing |
| (possibly in /etc/rc.local or equivalent file): |
| |
| iptables -t mangle -N DIVERT |
| iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT |
| iptables -t mangle -A DIVERT -j MARK --set-mark 1 |
| iptables -t mangle -A DIVERT -j ACCEPT |
| ip rule add fwmark 1 lookup 100 |
| ip route add local 0.0.0.0/0 dev lo table 100 |
| echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter |
| |
| B<stunnel> must also to be executed as root and without the I<setuid> option. |
| |
| =item Remote mode (I<connect> option) on I<Linux 2.2.x> |
| |
| This configuration requires the kernel to be compiled with the I<transparent proxy> |
| option. |
| Connected service must be installed on a separate host. |
| Routing towards the clients has to go through the B<stunnel> box. |
| |
| B<stunnel> must also to be executed as root and without the I<setuid> option. |
| |
| =item Remote mode (I<connect> option) on I<FreeBSD E<gt>=8.0> |
| |
| This configuration requires additional firewall and routing setup. |
| B<stunnel> must also to be executed as root and without the I<setuid> option. |
| |
| =item Local mode (I<exec> option) |
| |
| This configuration works by pre-loading the I<libstunnel.so> shared library. |
| _RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on |
| other platforms. |
| |
| =back |
| |
| =item I<destination> |
| |
| The original destination is used instead of the I<connect> option. |
| |
| A service section for transparent destination may look like this: |
| |
| [transparent] |
| client=yes |
| accept=<stunnel_port> |
| transparent=destination |
| |
| This configuration requires iptables setup to work, |
| possibly in /etc/rc.local or equivalent file. |
| |
| For a connect target installed on the same host: |
| |
| /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \ |
| -m ! --uid-owner <stunnel_user_id> \ |
| -j DNAT --to-destination <local_ip>:<stunnel_port> |
| |
| For a connect target installed on a remote host: |
| |
| /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT |
| /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \ |
| -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port> |
| |
| The transparent destination option is currently only supported on Linux. |
| |
| =item I<both> |
| |
| Use both I<source> and I<destination> transparent proxy. |
| |
| =back |
| |
| Two legacy options are also supported for backward compatibility: |
| |
| =over 4 |
| |
| =item I<yes> |
| |
| This option has been renamed to I<source>. |
| |
| =item I<no> |
| |
| This option has been renamed to I<none>. |
| |
| =back |
| |
| |
| =item B<verify> = LEVEL |
| |
| verify the peer certificate |
| |
| =over 4 |
| |
| =item level 0 |
| |
| Request and ignore the peer certificate. |
| |
| =item level 1 |
| |
| Verify the peer certificate if present. |
| |
| =item level 2 |
| |
| Verify the peer certificate. |
| |
| =item level 3 |
| |
| Verify the peer with locally installed certificate. |
| |
| =item level 4 |
| |
| Ignore the CA chain and only verify the peer certificate. |
| |
| =item default |
| |
| No verify. |
| |
| =back |
| |
| It is important to understand that this option was solely designed for access |
| control and not for authorization. Specifically for level 2 every non-revoked |
| certificate is accepted regardless of its Common Name. For this reason a |
| dedicated CA should be used with level 2, and not a generic CA commonly used |
| for webservers. Level 3 is preferred for point-to-point connections. |
| |
| =back |
| |
| |
| =head1 RETURN VALUE |
| |
| B<stunnel> returns zero on success, non-zero on error. |
| |
| |
| =head1 SIGNALS |
| |
| The following signals can be used to control B<stunnel> in Unix environment: |
| |
| =over 4 |
| |
| =item SIGHUP |
| |
| Force a reload of the configuration file. |
| |
| Some global options will not be reloaded: |
| |
| =over 4 |
| |
| =item * |
| |
| chroot |
| |
| =item * |
| |
| foreground |
| |
| =item * |
| |
| pid |
| |
| =item * |
| |
| setgid |
| |
| =item * |
| |
| setuid |
| |
| =back |
| |
| The use of the 'setuid' option will also prevent B<stunnel> from binding to privileged |
| (<1024) ports during configuration reloading. |
| |
| When the 'chroot' option is used, B<stunnel> will look for all its files (including |
| the configuration file, certificates, the log file and the pid file) within the chroot |
| jail. |
| |
| =item SIGUSR1 |
| |
| Close and reopen the B<stunnel> log file. |
| This function can be used for log rotation. |
| |
| =item SIGTERM, SIGQUIT, SIGINT |
| |
| Shut B<stunnel> down. |
| |
| =back |
| |
| The result of sending any other signals to the server is undefined. |
| |
| |
| =head1 EXAMPLES |
| |
| In order to provide SSL encapsulation to your local I<imapd> service, use: |
| |
| [imapd] |
| accept = 993 |
| exec = /usr/sbin/imapd |
| execArgs = imapd |
| |
| or in remote mode: |
| |
| [imapd] |
| accept = 993 |
| connect = 143 |
| |
| In order to let your local e-mail client connect to an SSL-enabled I<imapd> |
| service on another server, configure the e-mail client to connect to localhost |
| on port 119 and use: |
| |
| [imap] |
| client = yes |
| accept = 143 |
| connect = servername:993 |
| |
| If you want to provide tunneling to your I<pppd> daemon on port 2020, |
| use something like: |
| |
| [vpn] |
| accept = 2020 |
| exec = /usr/sbin/pppd |
| execArgs = pppd local |
| pty = yes |
| |
| If you want to use B<stunnel> in I<inetd> mode to launch your imapd |
| process, you'd use this I<stunnel.conf>. |
| Note there must be no I<[service_name]> section. |
| |
| exec = /usr/sbin/imapd |
| execArgs = imapd |
| |
| To setup SOCKS VPN configure the following client service: |
| |
| [socks_client] |
| client = yes |
| accept = 127.0.0.1:1080 |
| connect = vpn_server:9080 |
| verify = 4 |
| CAfile = stunnel.pem |
| |
| The corresponding configuration on the vpn_server host: |
| |
| [socks_server] |
| protocol = socks |
| accept = 9080 |
| cert = stunnel.pem |
| key = stunnel.key |
| |
| Now test your configuration on the client machine with: |
| |
| curl --socks4a localhost http://www.example.com/ |
| |
| =head1 NOTES |
| |
| =head2 RESTRICTIONS |
| |
| B<stunnel> cannot be used for the FTP daemon because of the nature |
| of the FTP protocol which utilizes multiple ports for data transfers. |
| There are available SSL-enabled versions of FTP and telnet daemons, however. |
| |
| |
| =head2 INETD MODE |
| |
| The most common use of B<stunnel> is to listen on a network |
| port and establish communication with either a new port |
| via the connect option, or a new program via the I<exec> option. |
| However there is a special case when you wish to have |
| some other program accept incoming connections and |
| launch B<stunnel>, for example with I<inetd>, I<xinetd>, |
| or I<tcpserver>. |
| |
| For example, if you have the following line in I<inetd.conf>: |
| |
| imaps stream tcp nowait root @bindir@/stunnel stunnel @sysconfdir@/stunnel/imaps.conf |
| |
| In these cases, the I<inetd>-style program is responsible |
| for binding a network socket (I<imaps> above) and handing |
| it to B<stunnel> when a connection is received. |
| Thus you do not want B<stunnel> to have any I<accept> option. |
| All the I<Service Level Options> should be placed in the |
| global options section, and no I<[service_name]> section |
| will be present. See the I<EXAMPLES> section for example |
| configurations. |
| |
| =head2 CERTIFICATES |
| |
| Each SSL-enabled daemon needs to present a valid X.509 certificate |
| to the peer. It also needs a private key to decrypt the incoming |
| data. The easiest way to obtain a certificate and a key is to |
| generate them with the free B<OpenSSL> package. You can find more |
| information on certificates generation on pages listed below. |
| |
| The order of contents of the I<.pem> file is important. It should contain the |
| unencrypted private key first, then a signed certificate (not certificate |
| request). There should also be empty lines after the certificate and the private key. |
| Any plaintext certificate information appended on the top of generated certificate |
| should be discarded. So the file should look like this: |
| |
| -----BEGIN RSA PRIVATE KEY----- |
| [encoded key] |
| -----END RSA PRIVATE KEY----- |
| [empty line] |
| -----BEGIN CERTIFICATE----- |
| [encoded certificate] |
| -----END CERTIFICATE----- |
| [empty line] |
| |
| =head2 RANDOMNESS |
| |
| B<stunnel> needs to seed the PRNG (pseudo-random number generator) in |
| order for SSL to use good randomness. The following sources are loaded |
| in order until sufficient random data has been gathered: |
| |
| =over 4 |
| |
| =item * |
| |
| The file specified with the I<RNDfile> flag. |
| |
| =item * |
| |
| The file specified by the RANDFILE environment variable, if set. |
| |
| =item * |
| |
| The file .rnd in your home directory, if RANDFILE not set. |
| |
| =item * |
| |
| The file specified with '--with-random' at compile time. |
| |
| =item * |
| |
| The contents of the screen if running on Windows. |
| |
| =item * |
| |
| The egd socket specified with the I<EGD> flag. |
| |
| =item * |
| |
| The egd socket specified with '--with-egd-sock' at compile time. |
| |
| =item * |
| |
| The /dev/urandom device. |
| |
| =back |
| |
| With recent (B<OpenSSL 0.9.5a> or later) version of SSL it will stop loading |
| random data automatically when sufficient entropy has been gathered. With |
| previous versions it will continue to gather from all the above sources since |
| no SSL function exists to tell when enough data is available. |
| |
| Note that on Windows machines that do not have console user interaction |
| (mouse movements, creating windows, etc.) the screen contents are not |
| variable enough to be sufficient, and you should provide a random file |
| for use with the I<RNDfile> flag. |
| |
| Note that the file specified with the I<RNDfile> flag should contain |
| random data -- that means it should contain different information |
| each time B<stunnel> is run. This is handled automatically |
| unless the I<RNDoverwrite> flag is used. If you wish to update this file |
| manually, the I<openssl rand> command in recent versions of B<OpenSSL>, |
| would be useful. |
| |
| Important note: If /dev/urandom is available, B<OpenSSL> often seeds the PRNG |
| with it while checking the random state. On systems with /dev/urandom |
| B<OpenSSL> is likely to use it even though it is listed at the very bottom of |
| the list above. This is the behaviour of B<OpenSSL> and not B<stunnel>. |
| |
| =head2 DH PARAMETERS |
| |
| B<stunnel> 4.40 and later contains hardcoded 2048-bit DH parameters. Starting |
| with B<stunnel> 5.18, these hardcoded DH parameters are replaced every 24 hours |
| with autogenerated temporary DH parameters. DH parameter generation may take |
| several minutes. |
| |
| Alternatively, it is possible to specify static DH parameters in the |
| certificate file, which disables generating temporary DH parameters: |
| |
| openssl dhparam 2048 >> stunnel.pem |
| |
| |
| =head1 FILES |
| |
| =over 4 |
| |
| =item F<@sysconfdir@/stunnel/stunnel.conf> |
| |
| B<stunnel> configuration file |
| |
| =back |
| |
| |
| =head1 BUGS |
| |
| The I<execArgs> option and the Win32 command line do not support quoting. |
| |
| |
| =head1 SEE ALSO |
| |
| =over 4 |
| |
| =item L<tcpd(8)> |
| |
| access control facility for internet services |
| |
| =item L<inetd(8)> |
| |
| internet 'super-server' |
| |
| =item F<http://www.stunnel.org/> |
| |
| B<stunnel> homepage |
| |
| =item F<http://www.openssl.org/> |
| |
| B<OpenSSL> project website |
| |
| =back |
| |
| |
| =head1 AUTHOR |
| |
| =over 4 |
| |
| =item MichaĆ Trojnara |
| |
| <F<Michal.Trojnara@mirt.net>> |
| |
| =back |
| |
| =for comment |
| vim:spelllang=en:spell |