Configure stunnel to receive traffic and encrypt it with an SSL

In this article we will discuss how to configure stunnel to receive traffic and encrypt it with SSL/TLS, so that clients talk to stunnel over an encrypted port while the backend service keeps listening on its plaintext port.

There are several scenarios where you want stunnel to do this for you. I will mention just a few of them.

  1. Encrypt and secure incoming email traffic on a server whose mail software has no encryption capability or only poor encryption options: the dovecot mail server.
  2. Encrypt and secure incoming traffic to a process or service that has poor encryption options: load balancers or other appliances, Java services, Node.js applications, SHOUTcast streaming applications, and the list goes on.
  3. Configure stunnel for PCI compliance reasons.


The steps to install and configure are as follows:

  1. Install stunnel with "yum install stunnel" or "apt-get install stunnel".
  2. After installation is complete, edit the configuration file, usually located at /etc/stunnel/stunnel.conf.
  3. Upload your certificate file to /etc/stunnel/domain_to_secure.com. On some installations stunnel accepts the private key, certificate, and intermediate certificate concatenated in one file; if that does not work, keep the certificate in one file and the key in another and reference them like this:
    cert = /etc/stunnel/domain_to_secure.com.crt
    key = /etc/stunnel/domain_to_secure.com.key

    Then add the TLS settings. Depending on your requirements and the SSL library you have available, the ciphers and protocol versions can be configured like this (the cert line points at the single combined file from above):
    ciphers = EECDH+AESGCM:EDH+AESGCM
    sslVersion = TLSv1.2
    options = NO_SSLv2
    options = NO_SSLv3
    cert = /etc/stunnel/domain_to_secure.com

    For a secure POP3 service, configure or uncomment this section:
    [pop3s]
    accept = 995
    connect = 110

    For a secure IMAP service, configure or uncomment this section:
    [imaps]
    accept = 993
    connect = 143

    For a secure SMTP service, configure or uncomment this section:
    [ssmtp]
    accept = 465
    connect = 25

    For HTTPS it is usually configured like this:
    [https]
    accept = 443
    connect = 8080
  4. The connect option gives the backend (plaintext) port that decrypted traffic is forwarded to: 110 for POP3, 143 for IMAP, and something like 8080 for a Java application. With no host given, stunnel connects to localhost, so the plaintext never leaves the machine.
  5. Other settings that should also be present (these confine the process and drop root privileges after startup):
    chroot = /var/run/stunnel
    setuid = stunnel
    setgid = stunnel
    pid = /stunnel.pid
    fips = no
  6. After the configuration is in place, reload systemd so it picks up any unit changes:
    systemctl daemon-reload
  7. Then start or restart the stunnel service:
    systemctl restart stunnel
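As an added example, not part of the original article and not code shipped with stunnel, the script below assembles the settings from the steps above into one stunnel.conf, parses it the way stunnel reads it (a key such as options may repeat, so every key maps to a list of values), and audits it for the points the article relies on: chroot and privilege drop present, SSLv2/SSLv3 disabled, TLS 1.2 or newer, every service carrying a certificate, and each connect target on the local host so decrypted traffic does not leave the machine. The config text, the [legacy-app] service and the 10.0.0.7 address are constructed for the demonstration; the certificate paths are the article's placeholder names.

```python
"""Parse an stunnel.conf and audit it for the hardening settings described above."""
from collections import defaultdict

# Constructed sample config mirroring the article's settings, plus one
# deliberately questionable service ([legacy-app]) to show a finding.
SAMPLE_CONF = """\
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
fips = no
cert = /etc/stunnel/domain_to_secure.com.crt
key = /etc/stunnel/domain_to_secure.com.key
ciphers = EECDH+AESGCM:EDH+AESGCM
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3

[pop3s]
accept = 995
connect = 110

[imaps]
accept = 993
connect = 143

[ssmtp]
accept = 465
connect = 25

[https]
accept = 443
connect = 8080

; constructed: backend on another host, so plaintext would cross the network
[legacy-app]
accept = 8443
connect = 10.0.0.7:8080
"""


def parse_stunnel_conf(text):
    """Return {section: {key: [values...]}}; global options live under ''.

    Lines starting with ';' or '#' are comments. Repeated keys are kept in order.
    """
    sections = {"": defaultdict(list)}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, defaultdict(list))
            continue
        if "=" not in line:
            continue  # not a key = value line; stunnel would reject it
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key].append(value)
    return sections


def audit(sections):
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    g = sections[""]

    def effective(svc, key):
        # a service section overrides globals; otherwise the global value applies
        return sections[svc].get(key) or g.get(key) or []

    for name in ("chroot", "setuid", "setgid"):
        if not g.get(name):
            findings.append(f"global: '{name}' not set (stunnel keeps root and the full filesystem)")
    opts = set(g.get("options", []))
    for proto in ("NO_SSLv2", "NO_SSLv3"):
        if proto not in opts:
            findings.append(f"global: 'options = {proto}' not set")
    version = (g.get("sslVersion") or ["all"])[-1]
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"global: sslVersion = {version} permits pre-TLS1.2 protocols")

    for svc, keys in sections.items():
        if svc == "":
            continue
        if not effective(svc, "cert"):
            findings.append(f"{svc}: no 'cert' configured")
        accept, connect = keys.get("accept"), keys.get("connect")
        if not accept or not connect:
            findings.append(f"{svc}: needs both 'accept' and 'connect'")
            continue
        target = connect[-1]
        # stunnel's connect is [host:]port; with no host it connects to localhost
        host = target.rsplit(":", 1)[0].strip("[]") if ":" in target else "localhost"
        if host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"{svc}: connect = {target} forwards decrypted traffic off-host")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_stunnel_conf(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run it against /etc/stunnel/stunnel.conf by reading the file into parse_stunnel_conf instead of SAMPLE_CONF; a non-loopback connect target is not always wrong (the backend may live on a dedicated network), but it is the one setting in this article that silently turns "encrypt incoming traffic" into "encrypt only the client-facing hop", so it is worth a deliberate decision.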
  • stunnel, encrypt traffic, ssl
