stunnel Universal SSL tunnel See another FAQ at http://www.onsight.com/faq/stunnel/ Q: Is there a mailing list for stunnel? A: Sure. You can subscribe the list in two simple steps: 1. Send an empty e-mail to stunnel-users-subscribe@mike.daewoo.com.pl 2. Follow the instructions you'll receive. 8-) Q: What do I need to build stunnel on a UNIX machine? A: You need: - ANSI C compiler; - Openssl or SSLeay library. You shoud have (not necessary): - POSIX threads (make sure your SSL library is built with -DTHREADS); - libwrap if you want to have tcp wrappers functionality. Q: Should I use daemon mode or inetd mode? A: Use daemon mode, if not sure. It's better in most cases. Q: I'd like to use ssl in my IMAP client. Could you give me an example? A: Use: "stunnel -d 993 -r imap" Or: "stunnel -d 993 -l /usr/sbin/imapd imapd" Q: I need to add -s option to my in.pop3d. How to do that? Use: "stunnel -d 995 -l /usr/sbin/in.pop3d -- in.pop3d -s" Q: "stunnel -d 465 -l /usr/lib/sendmail sendmail" doesn't work... A: Sure it doesn't. Sendmail is not a service to be started with inetd. Use: "stunnel -d 465 -r smtp" instead. Q: I'd like to start stunnel from inetd. Could you give me an example? A: If possible avoid starting stunnel from inetd. It's slow (SSL needs to be initialized every connection), does not support session cache and will use more memory on heavy load. The example /etc/inetd.conf line for imapd: "imaps stream tcp nowait root \ /usr/local/sbin/stunnel stunnel -l /usr/sbin/imapd imapd". Notice, that for better compatibility above syntax is different than the old one (2.x). Don't forget to add "imaps 993/tcp" to /etc/services and restart inetd. Q: How is the service name (for logging and for libwrap) created? A: Here are the rules: 1. If the are some arguments (after options) the first one (argv[0] for the local service) is used. 2. Else in remote mode - remote hostname is used, but ':' is changed to '.'. 3. Else in local mode - the execname (w/o path) is used. See debug output of stunnel, if you're not sure what is the correct service name in your case. Q: How to correctly use tcpd (tcp wrappers) with stunnel? A: You don't need to use tcpd with stunnel. Stunnel can do it by itself. Just make sure you have libwrap library installed when building stunnel. Q: How to setup /etc/hosts.allow with stunnel? An example? A: To allow connecting "stunnel -d 9999 -r proxy:3128" only from foo.bar.com use: "proxy.3128: foo.bar.com". Also look at the answer about creating the service name. Q: Will stunnel work with [...] protocol? A: There are some simple rules to check this: 1. The protocol needs to be based on TCP (not UDP). 2. The protocol can't use multiple connections (like ftp). 3. The protocol can't depend on OOB data (like telnet). 4. Remote site can't use an application-specific protocol (like ssltelnet, where SSL is a negotiated option). Q: Can you give ma a list of officially assigned SSL ports numbers? A: Here it is (from Internet Assigned Numbers Authority): nsiiops 261/tcp # IIOP Name Service over TLS/SSL https 443/tcp # http protocol over TLS/SSL smtps 465/tcp # smtp protocol over TLS/SSL (was ssmtp) nntps 563/tcp # nntp protocol over TLS/SSL (was snntp) imap4-ssl 585/tcp # IMAP4+SSL (use 993 instead) sshell 614/tcp # SSLshell ldaps 636/tcp # ldap protocol over TLS/SSL (was sldap) ftps-data 989/tcp # ftp protocol, data, over TLS/SSL ftps 990/tcp # ftp protocol, control, over TLS/SSL telnets 992/tcp # telnet protocol over TLS/SSL imaps 993/tcp # imap4 protocol over TLS/SSL ircs 994/tcp # irc protocol over TLS/SSL pop3s 995/tcp # pop3 protocol over TLS/SSL (was spop3) msft-gc-ssl 3269/tcp # Microsoft Global Catalog with LDAP/SSL Please notice, that not every protocol on that list will work with stunnel. Q: SMTP with SSL doesn't work with Netscape 4.5 (or better). What should I do? A: Netscape uses specific protocol for SMTP - it's not just tunneling. You need to use '-n smtp' option. Q: With my Windows 2000 Build 2195 I have the following errors: SSL_accept:error:140760F8:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol SSL_accept:error:1409B0AB:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:missing tmp rsa key A: Install 'Critical Updates' for Win2K. 8-) Q: I have a strange error message: SSL_accept: error:00000000::lib(0) :func(0) :reason(0) What does it mean? A: The error means that your client has closed connection before SSL negotiation. You're probably trying to connect SSL service with non-SSL client. Q: I have strange timeouts with my Outlook Express 4. What to do? A: Do *NOT* use SSL of Outlook Express 4. Upgrade, if you have to use Microsoft products. Workaround: Install stunnel in client mode on your Windows, instead of enabling SSL in Outlook. Q: None of the above helped me... A: Look into your syslog or use "-f" option. Q: I don't understand the error. Please help! A: Prepare following data: 1. Description of your problem. 2. Output of "stunnel -f -D 7 ". 3. Output of "uname -a". 4. Your libc version if you use Linux. 5. Output of "gcc -v". 6. Output of "openssl version" or "ssleay version" depending of you library. Subscribe stunnel-users. Send e-mail with the above informations to the list. Q: How do I use stunnel to create a secure PPP session over the internet? A: Follow these steps: 1. Set up your PPP stuff as you would otherwise do for a serial (dialup) connection, passwords and all. 2. Decide on how you want stunnel to run on the server system, i.e. inetd vs. daemon mode. 3. On the server, use something like (observe the -L for pty mode) "stunnel -d 2020 -L /usr/sbin/pppd -- pppd local" 4. On the client system, in order to bring up the secure PPP link run "stunnel -c -r server:2020 -L /usr/sbin/pppd -- pppd local" * THE END *