source: postlfs/security/stunnel.xml@ 8e93424

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY stunnel-download-http "https://www.stunnel.org/downloads/archive/5.x/stunnel-&stunnel-version;.tar.gz">
  <!ENTITY stunnel-download-ftp  " ">
  <!ENTITY stunnel-md5sum        "23ddd3c3bd92873deb0caadba12f9574">
  <!ENTITY stunnel-size          "876 KB">
  <!ENTITY stunnel-buildsize     "7.5 MB">
  <!ENTITY stunnel-time          "less than 0.1 SBU">
]>

<sect1 id="stunnel" xreflabel="stunnel-&stunnel-version;">
  <?dbhtml filename="stunnel.html"?>


  <title>stunnel-&stunnel-version;</title>

  <indexterm zone="stunnel">
    <primary sortas="a-stunnel">stunnel</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to stunnel</title>

    <para>
      The <application>stunnel</application> package contains a program
      that allows you to encrypt arbitrary TCP connections inside SSL (Secure
      Sockets Layer) so you can easily communicate with clients over secure
      channels. <!--<application>stunnel</application> can be used to add SSL
      functionality to commonly used <application>Inetd</application> daemons
      such as POP-2, POP-3, and IMAP servers, along with standalone daemons
      such as NNTP, SMTP, and HTTP.--> <application>stunnel</application> can
      also be used to tunnel PPP over network sockets without changes to the
      server package source code.
    </para>

    &lfs120_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&stunnel-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&stunnel-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &stunnel-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &stunnel-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &stunnel-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &stunnel-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">stunnel Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="libnsl"/>,
      <ulink url="https://netcat.sourceforge.net/">netcat</ulink>
      (required for tests),
      <ulink url="http://ftp.porcupine.org/pub/security/index.html">tcpwrappers</ulink>,
      and
      <ulink url="https://dist.torproject.org/">TOR</ulink>
    </para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of stunnel</title>

    <para>
      The <command>stunnel</command> daemon will be run in a
      <command>chroot</command> jail by an unprivileged user. Create the
      new user and group using the following commands as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>groupadd -g 51 stunnel &amp;&amp;
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel</userinput></screen>

    <note>
      <para>
        A signed SSL Certificate and a Private Key is necessary to run the
        <command>stunnel</command> daemon. After the package is installed,
        there are instructions to generate them. However, if you own or have
        already created a signed SSL Certificate you wish to use, copy it to
        <filename>/etc/stunnel/stunnel.pem</filename> before starting the
        build (ensure only <systemitem class="username">root</systemitem> has
        read and write access). The <filename class="extension">.pem</filename>
        file must be formatted as shown below:
      </para>

<screen><literal>-----BEGIN PRIVATE KEY-----
<replaceable>&lt;many encrypted lines of private key&gt;</replaceable>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<replaceable>&lt;many encrypted lines of certificate&gt;</replaceable>
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
<replaceable>&lt;encrypted lines of dh parms&gt;</replaceable>
-----END DH PARAMETERS-----</literal></screen>

    </note>

    <para>
      Install <application>stunnel</application> by running the following
      commands:
    </para>

<screen revision="sysv"><userinput>./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --disable-systemd    &amp;&amp;
make</userinput></screen>

<screen revision="systemd"><userinput>./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var &amp;&amp;
make</userinput></screen>

    <para>
      If you have installed the optional netcat application, the
      regression tests can be run with <command>make check</command>.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen>

    <para revision="systemd">
      Install the included systemd unit by running the following command as the
      <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root" revision="systemd"><userinput>install -v -m644 tools/stunnel.service /usr/lib/systemd/system</userinput></screen>

    <para>
      If you do not already have a signed SSL Certificate and Private Key,
      create the <filename>stunnel.pem</filename> file in the
      <filename class="directory">/etc/stunnel</filename> directory using the
      command below. You will be prompted to enter the necessary
      information. Ensure you reply to the
    </para>

<screen><prompt>Common Name (FQDN of your server) [localhost]:</prompt></screen>

    <para>
      prompt with the name or IP address you will be using
      to access the service(s).
    </para>

    <para>
      To generate a certificate, as the
      <systemitem class="username">root</systemitem> user, issue:
    </para>

<screen role="root"><userinput>make cert</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para revision="sysv">
      <parameter>--disable-systemd</parameter>: This switch disables systemd
      socket activation support which is not available in BLFS.
    </para>

    <para>
      <command>make docdir=... install</command>: This command installs the
      package and changes the documentation installation directory to standard
      naming conventions.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring stunnel</title>

    <sect3 id="stunnel-config">
      <title>Config Files</title>

      <para>
        <filename>/etc/stunnel/stunnel.conf</filename>
      </para>

      <indexterm zone="stunnel stunnel-config">
        <primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary>
      </indexterm>

    </sect3>

    <sect3>
      <title>Configuration Information</title>

      <para>
        As the <systemitem class="username">root</systemitem> user,
        create the directory used for the
        <filename class="extension">.pid</filename> file created
        when the <application>stunnel</application> daemon starts:
      </para>

<screen role="root"><userinput>install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run &amp;&amp;
chown stunnel:stunnel /var/lib/stunnel</userinput></screen>

      <para>
        Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename>
        configuration file using the following commands as the
        <systemitem class="username">root</systemitem> user:
      </para>

<screen role="root"><userinput>cat &gt; /etc/stunnel/stunnel.conf &lt;&lt; "EOF"
<literal>; File: /etc/stunnel/stunnel.conf

; Note: The pid and output locations are relative to the chroot location.

pid    = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert   = /etc/stunnel/stunnel.pem

;debug = 7
;output = stunnel.log

;[https]
;accept  = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0</literal>

EOF</userinput></screen>

      <para>
        Finally, add the service(s) you wish to encrypt to the
        configuration file. The format is as follows:
      </para>

<screen><literal>[<replaceable>&lt;service&gt;</replaceable>]
accept  = <replaceable>&lt;hostname:portnumber&gt;</replaceable>
connect = <replaceable>&lt;hostname:portnumber&gt;</replaceable></literal></screen>

<!--
      <para>
        If you use <application>stunnel</application> to encrypt a daemon
        started from <command>[x]inetd</command>, you may need to disable that
        daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a
        corresponding <replaceable>&lt;service&gt;</replaceable>_stunnel
        service. You may have to add an appropriate entry in
        <filename>/etc/services</filename> as well.
      </para>
-->

      <para>
        For a full explanation of the commands and syntax used in the
        configuration file, issue <command>man stunnel</command>.
      </para>

    </sect3>

    <sect3  id="stunnel-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To automatically start the <command>stunnel</command> daemon when the
        system is booted, install the
        <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
        <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To start the <command>stunnel</command>
        daemon at boot, enable the previously installed
        <application>systemd</application> unit by running the following
        command as the <systemitem class="username">root</systemitem> user:
      </para>

      <indexterm zone="stunnel stunnel-init">
        <primary sortas="f-stunnel">stunnel</primary>
      </indexterm>

<screen role="root" revision="sysv"><userinput>make install-stunnel</userinput></screen>

<screen role="root" revision="systemd"><userinput>systemctl enable stunnel</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Library</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          stunnel and stunnel3
        </seg>
        <seg>
          libstunnel.so
        </seg>
        <seg>
          /{etc,lib,var/lib}/stunnel and
          /usr/share/doc/stunnel-&stunnel-version;
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="stunnel-prog">
        <term><command>stunnel</command></term>
        <listitem>
          <para>
            is a program designed to work as an SSL
            encryption wrapper between remote clients and local
            or remote servers
          </para>
          <indexterm zone="stunnel stunnel-prog">
            <primary sortas="b-stunnel">stunnel</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="stunnel3">
        <term><command>stunnel3</command></term>
        <listitem>
          <para>
            is a <application>Perl</application> wrapper script to use
            <command>stunnel</command> 3.x syntax with
            <command>stunnel</command> 4.05 or later
          </para>
          <indexterm zone="stunnel stunnel3">
            <primary sortas="b-stunnel3">stunnel3</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libstunnel">
        <term><filename class="libraryfile">libstunnel.so</filename></term>
        <listitem>
          <para>
            contains the API functions required by
            <application>stunnel</application>
          </para>
          <indexterm zone="stunnel libstunnel">
            <primary sortas="c-libstunnel">libstunnel.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>