Stunnel 5.34 + Manual | 3.6 Mb
Stunnel is a program created to allow secure client-server transfers. Its purpose is to provide encryption via SSL (Secure Sockets Layer) to inetd daemons such as POP2, POP3, and IMAP servers. It can also be used with standalone daemons (NNTP, SMTP and HTTP) and for tunnelling PPP over network sockets.
Since the application is not intended for the average user, solid knowledge of encrypted transfers and client-server relationships is required.
Getting the tool on the system
Installing the tool on the system is not a tough job, but the procedure requires a couple of steps that allow the user to select the components to be added and to provide the information that goes into the certificate request.
During the installation there is the possibility to include self-signed certificate tools and a terminal version of the application for sending the necessary commands.
Details such as the country, state, city (locality) and host name are also requested for the certificate, but some of the fields may be left blank.
Setting up the utility
The most important part of stunnel is its configuration. Everything can be set up from the main application window, which also lists a brief log of the operations carried out.
Customizing the connection should not be difficult for a more advanced user, especially since most of the options are accompanied by tooltips and the configuration is based on a demo file.
Among the options available there is the possibility to enable FIPS 140-2 mode, a security standard for validating cryptographic modules. Furthermore, at least one service must be defined in the configuration file. Once the program has started, the terminal window informs the user of the current setup.
Straightforward SSL encryption wrapper
stunnel may look like a simple application, but the most difficult part is knowing what it is suitable for, and that knowledge is the domain of system administrators.
Portability (Threading Models):
* PTHREAD (Posix)
* FORK (traditional Unix)
* UCONTEXT (userlevel)
Performance and Scalability:
* Load sharing among multiple backend servers
* External session cache (for clusters)
* Compression (for limited bandwidth)
Support for OpenSSL Security Features:
* Certificate-based access control
* CRL and OCSP certificate revocation
* SNI (Server Name Indication) support for name-based virtual servers
* PFS (Perfect Forward Secrecy) with DH and ECDH key agreement
* FIPS mode (for compliance)
* Configuration of hardware engines
Features Specific to Unix Platform:
* Local mode (running services designed for inetd) with optional pseudo-terminal allocation
* chroot (additional security)
* setuid/setgid (additional security)
* Logging to syslog
* Libwrap (TCP Wrappers) access control
* Transparent proxy on selected platforms
* EGD (Entropy Gathering Daemon) client
* Unix socket support
Features Specific to Windows Platform:
* Saving cached peer certificate chains to files
* Windows service mode
* IPv6 support
* Protocol negotiation for cifs, connect, imap, nntp, pgsql, pop3, proxy, and smtp
* Delayed resolver (for dialup connections and remote hosts with dynamic IP addresses)
* Graceful configuration file reloading
* Graceful log file reopening
* Ident access control
New in version 5.34 (July 5, 2016):
* Fixed malfunctioning "verify = 4".
* Bind sockets with SO_EXCLUSIVEADDRUSE on WIN32.
* Added three new service-level options: requireCert, verifyChain, and verifyPeer for fine-grained certificate verification control.
* Improved compatibility with the current OpenSSL 1.1.0-dev tree.
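As an added illustration (not part of this listing or of the stunnel project's own documentation), a minimal stunnel.conf that defines one server-side and one client-side service using the verification options named above; the host names, ports and file paths are assumed placeholders:

```ini
; Constructed example stunnel.conf; hosts, ports and paths are placeholders.
; A configuration needs at least one [service] section to start.

; global options
fips = no

[imaps-server]
; accept TLS on 993 and pass plaintext to a local IMAP daemon
accept  = 993
connect = 127.0.0.1:143
cert    = /etc/stunnel/server.pem
key     = /etc/stunnel/server.key
; demand a client certificate and verify its whole chain against the CA bundle
requireCert = yes
verifyChain = yes
CAfile  = /etc/stunnel/ca.pem

[smtp-client]
; wrap local plaintext submission into TLS towards a remote relay
client  = yes
accept  = 127.0.0.1:2525
connect = mail.example.net:465
; verify the relay's chain and check that its certificate matches the host name
verifyChain = yes
CAfile  = /etc/ssl/certs/ca-certificates.crt
checkHost = mail.example.net
```

Without verifyChain (or the older verify level) a client service accepts any certificate, so the checkHost line alone does not protect the connection.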
OS: Windows (all versions)