source: postlfs/security/stunnel.xml@ 5cc198cd

Last change on this file since 5cc198cd was 5cc198cd, checked in by Bruce Dubbs <bdubbs@…>, 20 months ago

Update to vim-9.0.0228 (sync with LFS). And some tags.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY stunnel-download-http " ">
  <!-- Following ftp also has older releases -->
  <!ENTITY stunnel-download-ftp "ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-&stunnel-version;.tar.gz">
  <!-- Following ftp only has later release -->
  <!-- "ftp://ftp.stunnel.org/stunnel/stunnel-&stunnel-version;.tar.gz"> -->
  <!ENTITY stunnel-md5sum "b05d5e07a59eb6c3c0b7d26d1281e5c6">
  <!ENTITY stunnel-size "852 KB">
  <!ENTITY stunnel-buildsize "8.1 MB">
  <!ENTITY stunnel-time "0.1 SBU">
]>

<sect1 id="stunnel" xreflabel="stunnel-&stunnel-version;">
  <?dbhtml filename="stunnel.html"?>

  <sect1info>
    <date>$Date$</date>
  </sect1info>

  <title>stunnel-&stunnel-version;</title>

  <indexterm zone="stunnel">
    <primary sortas="a-stunnel">stunnel</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to stunnel</title>

    <para>
      The <application>stunnel</application> package contains a program
      that allows you to encrypt arbitrary TCP connections inside SSL (Secure
      Sockets Layer) so you can easily communicate with clients over secure
      channels. <!--<application>stunnel</application> can be used to add SSL
      functionality to commonly used <application>Inetd</application> daemons
      such as POP-2, POP-3, and IMAP servers, along with standalone daemons
      such as NNTP, SMTP, and HTTP.--> <application>stunnel</application> can
      also be used to tunnel PPP over network sockets without changes to the
      server package source code.
    </para>

    &lfs112_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&stunnel-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&stunnel-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &stunnel-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &stunnel-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &stunnel-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &stunnel-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">stunnel Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="libnsl"/>,
      <ulink url="http://netcat.sourceforge.net/">netcat</ulink>
      (required for tests),
      <ulink url="http://ftp.porcupine.org/pub/security/index.html">tcpwrappers</ulink>,
      and
      <ulink url="https://dist.torproject.org/">TOR</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
    <ulink url="&blfs-wiki;/stunnel"/></para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of stunnel</title>

    <para>
      The <command>stunnel</command> daemon will be run in a
      <command>chroot</command> jail by an unprivileged user. Create the
      new user and group using the following commands as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>groupadd -g 51 stunnel &amp;&amp;
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel</userinput></screen>

    <note>
      <para>
        A signed SSL Certificate and a Private Key are necessary to run the
        <command>stunnel</command> daemon. After the package is installed,
        there are instructions to generate them. However, if you own or have
        already created a signed SSL Certificate you wish to use, copy it to
        <filename>/etc/stunnel/stunnel.pem</filename> before starting the
        build (ensure only <systemitem class="username">root</systemitem> has
        read and write access). The <filename class="extension">.pem</filename>
        file must be formatted as shown below:
      </para>

<screen><literal>-----BEGIN PRIVATE KEY-----
<replaceable>&lt;many encrypted lines of private key&gt;</replaceable>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<replaceable>&lt;many encrypted lines of certificate&gt;</replaceable>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<replaceable>&lt;encrypted lines of DH parameters&gt;</replaceable>
-----END DH PARAMETERS-----</literal></screen>

    </note>
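The note above requires the PEM file to hold the private key first, then the certificate, and to be readable by root only. As an added example (not part of BLFS or of stunnel), the following shell script checks an stunnel.pem for exactly that before the daemon is started: block order, balanced BEGIN/END markers, a key that is not passphrase-protected (stunnel cannot answer a prompt when started at boot), and no group/other permission bits. The function names are constructed, and the placeholder PEM that write_sample_pem creates contains no real key material.

```shell
#!/bin/sh
# Added example, not part of BLFS or stunnel: sanity-check an stunnel.pem
# before the daemon is started. It confirms that a PRIVATE KEY block comes
# before the CERTIFICATE block (DH PARAMETERS are optional), that every
# BEGIN marker has an END, that the key is not passphrase-protected and that
# the file is not readable by group or others.

# Print "ok" and return 0 when the file passes; otherwise print the first
# problem found and return 1.
check_stunnel_pem() {
    pem=$1
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }

    # An encrypted key would leave stunnel blocked on a passphrase prompt.
    if grep -q -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$pem" ||
       grep -q -- '^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key is passphrase-protected"; return 1
    fi

    # List the BEGIN markers as "TYPE:lineno" so their order can be compared.
    markers=$(grep -n -- '^-----BEGIN ' "$pem" |
              sed 's/^\([0-9]*\):-----BEGIN \(.*\)-----$/\2:\1/')
    key_line=$(printf '%s\n' "$markers" |
               awk -F: '$1 ~ /^(RSA |EC )?PRIVATE KEY$/ { print $2; exit }')
    cert_line=$(printf '%s\n' "$markers" |
                awk -F: '$1 == "CERTIFICATE" { print $2; exit }')
    [ -n "$key_line" ]  || { echo "no private key block"; return 1; }
    [ -n "$cert_line" ] || { echo "no certificate block"; return 1; }
    [ "$key_line" -lt "$cert_line" ] ||
        { echo "private key must precede certificate"; return 1; }

    # OpenSSL's PEM reader rejects a block whose END marker is missing.
    begins=$(grep -c -- '^-----BEGIN ' "$pem" || true)
    ends=$(grep -c -- '^-----END ' "$pem" || true)
    [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END markers"; return 1; }

    # The file holds the private key, so only the owner may read it.
    mode=$(stat -c '%a' "$pem")
    case "$mode" in
        600|400) ;;
        *) echo "insecure mode $mode (expected 600)"; return 1 ;;
    esac
    echo ok
}

# Write a constructed placeholder PEM in the layout BLFS expects. The body
# lines are dummies, not base64 key material.
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
placeholder-private-key-line
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
placeholder-certificate-line
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
placeholder-dh-parameters-line
-----END DH PARAMETERS-----
EOF
    chmod 600 "$1"
}

# Demonstration on a temporary copy (never on the live /etc/stunnel/stunnel.pem).
tmp=$(mktemp -d)
write_sample_pem "$tmp/stunnel.pem"
check_stunnel_pem "$tmp/stunnel.pem"            # prints: ok
chmod 644 "$tmp/stunnel.pem"
check_stunnel_pem "$tmp/stunnel.pem" || true    # prints: insecure mode 644 (expected 600)
rm -rf "$tmp"
```

Run it as `sh check-pem.sh`; to check the real file, call `check_stunnel_pem /etc/stunnel/stunnel.pem` as root. The script only reads the file, so it is safe to run before `make cert` or after copying in an existing certificate.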

    <para>
      Install <application>stunnel</application> by running the following
      commands:
    </para>

<!-- Not needed, we're 10+ versions ahead of this now
    <note>
      <para>
        For some systems with <application>binutils</application>
        versions prior to 2.25, <command>configure</command> may fail. If
        necessary, fix it either with:
      </para>

<screen><userinput>sed -i '/LDFLAGS.*static_flag/ s/^/#/' configure</userinput></screen>

      <para>
        or, if <xref linkend="llvm"/> with Clang is installed, you can
        replace <command>./configure ...</command> with <command>CC=clang
        ./configure ...</command> in the first command below.
      </para>
    </note>
-->

<screen revision="sysv"><userinput>./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --disable-systemd &amp;&amp;
make</userinput></screen>

<screen revision="systemd"><userinput>./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var &amp;&amp;
make</userinput></screen>

    <para>
      If you have installed the optional netcat application, the
      regression tests can be run with <command>make check</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen>

    <para revision="systemd">
      Install the included systemd unit by running the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root" revision="systemd"><userinput>install -v -m644 tools/stunnel.service /usr/lib/systemd/system</userinput></screen>

    <para>
      If you do not already have a signed SSL Certificate and Private Key,
      create the <filename>stunnel.pem</filename> file in the
      <filename class="directory">/etc/stunnel</filename> directory using the
      command below. You will be prompted to enter the necessary
      information. Ensure you reply to the
    </para>

<screen><prompt>Common Name (FQDN of your server) [localhost]:</prompt></screen>

    <para>
      prompt with the name or IP address you will be using
      to access the service(s).
    </para>

    <para>
      To generate a certificate, as the
      <systemitem class="username">root</systemitem> user, issue:
    </para>

<screen role="root"><userinput>make cert</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para revision="sysv">
      <parameter>--disable-systemd</parameter>: This switch disables systemd
      socket activation support, which is not available in BLFS.
    </para>

    <para>
      <command>make docdir=... install</command>: This command installs the
      package and changes the documentation installation directory to standard
      naming conventions.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring stunnel</title>

    <sect3 id="stunnel-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/stunnel/stunnel.conf</filename>
      </para>

      <indexterm zone="stunnel stunnel-config">
        <primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        As the <systemitem class="username">root</systemitem> user,
        create the directory used for the
        <filename class="extension">.pid</filename> file created
        when the <application>stunnel</application> daemon starts:
      </para>

<screen role="root"><userinput>install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &amp;&amp;
chown stunnel:stunnel /var/lib/stunnel</userinput></screen>

      <para>
        Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename>
        configuration file using the following commands as the
        <systemitem class="username">root</systemitem> user:
      </para>

<screen role="root"><userinput>cat &gt; /etc/stunnel/stunnel.conf &lt;&lt; "EOF"
<literal>; File: /etc/stunnel/stunnel.conf

; Note: The pid and output locations are relative to the chroot location.

pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem

;debug = 7
;output = stunnel.log

;[https]
;accept = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0</literal>

EOF</userinput></screen>

      <para>
        Finally, add the service(s) you wish to encrypt to the
        configuration file. The format is as follows:
      </para>

<screen><literal>[<replaceable>&lt;service&gt;</replaceable>]
accept = <replaceable>&lt;hostname:portnumber&gt;</replaceable>
connect = <replaceable>&lt;hostname:portnumber&gt;</replaceable></literal></screen>
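As an added example (not part of BLFS or of stunnel), the following shell script lints a configuration file laid out as in this section: it parses the global options and each [service] section in the format just shown, and reports when the confinement options (chroot, setuid, setgid) or the cert are missing, when client is set to anything but no, or when a service lacks an accept or connect endpoint or points both at the same one. lint_stunnel_conf and write_sample_conf are constructed names; the sample file that write_sample_conf creates is the BLFS global section extended with one [https] service in the documented format.

```shell
#!/bin/sh
# Added example, not part of BLFS or stunnel: a small lint for stunnel.conf
# as built in this section. It checks that the global section keeps the
# daemon confined (chroot, setuid, setgid), names a cert, stays in server
# mode (client = no), and that every [service] section has an accept and a
# connect endpoint that differ from each other.

# Print "ok" when the file passes, otherwise one line per problem found.
lint_stunnel_conf() {
    awk '
    BEGIN { split("", global); split("", opt) }
    function fail(msg) { print msg; bad = 1 }
    function check_service() {
        nservices++
        if (!("accept" in opt))  fail("[" section "]: missing accept")
        if (!("connect" in opt)) fail("[" section "]: missing connect")
        if (("accept" in opt) && ("connect" in opt) && opt["accept"] == opt["connect"])
            fail("[" section "]: accept and connect are the same endpoint")
    }
    # Skip comments (";") and blank lines.
    /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
    # A [name] line starts a service section; finish the previous one first.
    /^[[:space:]]*\[/ {
        if (section != "") check_service()
        section = $0; sub(/^[[:space:]]*\[/, "", section); sub(/\].*$/, "", section)
        split("", opt)
        next
    }
    # Everything else must be "key = value".
    {
        eq = index($0, "=")
        if (eq == 0) { fail("line " NR ": expected key = value"); next }
        key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
        val = substr($0, eq + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (section == "") global[key] = val; else opt[key] = val
    }
    END {
        if (section != "") check_service()
        n = split("chroot setuid setgid cert", required, " ")
        for (i = 1; i <= n; i++)
            if (!(required[i] in global)) fail("global: missing " required[i])
        if (("client" in global) && global["client"] != "no")
            fail("global: client must be no for a server-side tunnel")
        if (nservices == 0) fail("no [service] sections defined")
        if (!bad) print "ok"
    }' "$1"
}

# Constructed sample: the BLFS global section plus one [https] service in
# the documented accept/connect format.
write_sample_conf() {
    cat > "$1" <<'EOF'
; constructed example configuration
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert = /etc/stunnel/stunnel.pem

[https]
accept = 443
connect = 80
TIMEOUTclose = 0
EOF
}

# Demonstration on a temporary file (never edits /etc/stunnel/stunnel.conf).
tmp=$(mktemp -d)
write_sample_conf "$tmp/stunnel.conf"
lint_stunnel_conf "$tmp/stunnel.conf"   # prints: ok
rm -rf "$tmp"
```

To check the live file, run `lint_stunnel_conf /etc/stunnel/stunnel.conf` as root; a missing setuid or setgid means the daemon would keep root privileges inside the chroot, which is the situation the user and group created during installation exist to avoid.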

<!--
      <para>
        If you use <application>stunnel</application> to encrypt a daemon
        started from <command>[x]inetd</command>, you may need to disable that
        daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a
        corresponding <replaceable>&lt;service&gt;</replaceable>_stunnel
        service. You may have to add an appropriate entry in
        <filename>/etc/services</filename> as well.
      </para>
-->

      <para>
        For a full explanation of the commands and syntax used in the
        configuration file, issue <command>man stunnel</command>.
      </para>

    </sect3>

    <sect3 id="stunnel-init">
      <title><phrase revision="sysv">Boot Script</phrase>
      <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To automatically start the <command>stunnel</command> daemon when the
        system is booted, install the
        <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
        <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To start the <command>stunnel</command>
        daemon at boot, enable the previously installed
        <application>systemd</application> unit by running the following
        command as the <systemitem class="username">root</systemitem> user:
      </para>

      <indexterm zone="stunnel stunnel-init">
        <primary sortas="f-stunnel">stunnel</primary>
      </indexterm>

<screen role="root" revision="sysv"><userinput>make install-stunnel</userinput></screen>

<screen role="root" revision="systemd"><userinput>systemctl enable stunnel</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Library</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          stunnel and stunnel3
        </seg>
        <seg>
          libstunnel.so
        </seg>
        <seg>
          /{etc,lib,var/lib}/stunnel and
          /usr/share/doc/stunnel-&stunnel-version;
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="stunnel-prog">
        <term><command>stunnel</command></term>
        <listitem>
          <para>
            is a program designed to work as an SSL
            encryption wrapper between remote clients and local
            or remote servers
          </para>
          <indexterm zone="stunnel stunnel-prog">
            <primary sortas="b-stunnel">stunnel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="stunnel3">
        <term><command>stunnel3</command></term>
        <listitem>
          <para>
            is a <application>Perl</application> wrapper script to use
            <command>stunnel</command> 3.x syntax with
            <command>stunnel</command> 4.05 or later
          </para>
          <indexterm zone="stunnel stunnel3">
            <primary sortas="b-stunnel3">stunnel3</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libstunnel">
        <term><filename class="libraryfile">libstunnel.so</filename></term>
        <listitem>
          <para>
            contains the API functions required by
            <application>stunnel</application>
          </para>
          <indexterm zone="stunnel libstunnel">
            <primary sortas="c-libstunnel">libstunnel.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>