Changeset d3469f0
- Timestamp:
- 05/14/2005 04:30:29 PM (19 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 1503942
- Parents:
- 322f172
- File:
-
- 1 edited
postlfs/security/stunnel.xml
r322f172 rd3469f0 15 15 16 16 <sect1 id="stunnel" xreflabel="Stunnel-&stunnel-version;"> 17 <sect1info> 18 <othername>$LastChangedBy$</othername> 19 <date>$Date$</date> 20 </sect1info> 21 <?dbhtml filename="stunnel.html"?> 22 <title>Stunnel-&stunnel-version;</title> 23 <indexterm zone="stunnel"> 24 <primary sortas="a-Stunnel">Stunnel</primary></indexterm> 25 26 <sect2> 27 <title>Introduction to <application>Stunnel</application></title> 28 29 <para>The <application>Stunnel</application> package contains a program that 30 allows you to encrypt arbitrary <acronym>TCP</acronym> connections inside 31 <acronym>SSL</acronym> (Secure Sockets Layer) so you can easily communicate 32 with clients over secure channels. <application>Stunnel</application> can be 33 used to add <acronym>SSL</acronym> functionality to commonly used Inetd 34 daemons like <acronym>POP</acronym>-2, <acronym>POP</acronym>-3, and 35 <acronym>IMAP</acronym> servers, to standalone daemons like 36 <acronym>NNTP</acronym>, <acronym>SMTP</acronym> and <acronym>HTTP</acronym>, 37 and in tunneling <acronym>PPP</acronym> over network sockets without changes 38 to the server package source code.</para> 39 40 <sect3><title>Package information</title> 41 <itemizedlist spacing="compact"> 42 <listitem><para>Download (HTTP): 43 <ulink url="&stunnel-download-http;"/></para></listitem> 44 <listitem><para>Download (FTP): 45 <ulink url="&stunnel-download-ftp;"/></para></listitem> 46 <listitem><para>Download MD5 sum: 47 &stunnel-md5sum;</para></listitem> 48 <listitem><para>Download size: 49 &stunnel-size;</para></listitem> 50 <listitem><para>Estimated disk space required: 51 &stunnel-buildsize;</para></listitem> 52 <listitem><para>Estimated build time: 53 &stunnel-time;</para></listitem></itemizedlist> 54 </sect3> 55 56 <sect3><title>Additional downloads</title> 57 <itemizedlist spacing="compact"> 58 <listitem><para>Required patch: <ulink 59 
url="ftp://stunnel.mirt.net/stunnel/stunnel-&stunnel-version;-1_minute_sleep_fix.patch"/></para> 60 </listitem> 61 </itemizedlist> 62 </sect3> 63 64 <sect3><title><application>Stunnel</application> dependencies</title> 65 <sect4><title>Required</title> 66 <para><xref linkend="openssl"/></para> 67 </sect4> 68 69 <sect4><title>Optional</title> 70 <para><xref linkend="tcpwrappers"/></para> 71 </sect4> 72 </sect3> 73 74 </sect2> 75 76 <sect2> 77 <title>Installation of <application>Stunnel</application></title> 78 79 <para>The <command>stunnel</command> daemon will be run in a 80 <command>chroot</command> jail by an unprivileged user. Create the new user, 81 group and <command>chroot</command> home directory structure using the 82 following commands as the root user:</para> 83 84 <screen><userinput role='root'><command>groupadd stunnel && 17 <?dbhtml filename="stunnel.html"?> 18 19 <sect1info> 20 <othername>$LastChangedBy$</othername> 21 <date>$Date$</date> 22 </sect1info> 23 24 <title>Stunnel-&stunnel-version;</title> 25 26 <indexterm zone="stunnel"> 27 <primary sortas="a-Stunnel">Stunnel</primary> 28 </indexterm> 29 30 <sect2 role="package"> 31 <title>Introduction to Stunnel</title> 32 33 <para>The <application>Stunnel</application> package contains a program 34 that allows you to encrypt arbitrary TCP connections inside SSL (Secure 35 Sockets Layer) so you can easily communicate with clients over secure 36 channels. 
<application>Stunnel</application> can be used to add SSL 37 functionality to commonly used <application>Inetd</application> daemons 38 like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, 39 SMTP and HTTP, and in tunneling PPP over network sockets without changes 40 to the server package source code.</para> 41 42 <bridgehead renderas="sect3">Package Information</bridgehead> 43 <itemizedlist spacing="compact"> 44 <listitem> 45 <para>Download (HTTP): <ulink url="&stunnel-download-http;"/></para> 46 </listitem> 47 <listitem> 48 <para>Download (FTP): <ulink url="&stunnel-download-ftp;"/></para> 49 </listitem> 50 <listitem> 51 <para>Download MD5 sum: &stunnel-md5sum;</para> 52 </listitem> 53 <listitem> 54 <para>Download size: &stunnel-size;</para> 55 </listitem> 56 <listitem> 57 <para>Estimated disk space required: &stunnel-buildsize;</para> 58 </listitem> 59 <listitem> 60 <para>Estimated build time: &stunnel-time;</para> 61 </listitem> 62 </itemizedlist> 63 64 <bridgehead renderas="sect3">Additional Downloads</bridgehead> 65 <itemizedlist spacing="compact"> 66 <listitem> 67 <para>Required patch: <ulink 68 url="ftp://stunnel.mirt.net/stunnel/stunnel-&stunnel-version;-1_minute_sleep_fix.patch"/></para> 69 </listitem> 70 </itemizedlist> 71 72 <bridgehead renderas="sect3">Stunnel Dependencies</bridgehead> 73 74 <bridgehead renderas="sect4">Required</bridgehead> 75 <para><xref linkend="openssl"/></para> 76 77 <bridgehead renderas="sect4">Optional</bridgehead> 78 <para><xref linkend="tcpwrappers"/></para> 79 80 </sect2> 81 82 <sect2 role="installation"> 83 <title>Installation of Stunnel</title> 84 85 <para>The <command>stunnel</command> daemon will be run in a 86 <command>chroot</command> jail by an unprivileged user. 
Create the 87 new user, group and <command>chroot</command> home directory structure 88 using the following commands as the <systemitem 89 class="username">root</systemitem> user:</para> 90 91 <screen role="root"><userinput>groupadd stunnel && 85 92 useradd -c "Stunnel Daemon" -d /var/lib/stunnel \ 86 93 -g stunnel -s /bin/false stunnel && 87 install -d -m 700 -o stunnel -g stunnel /var/lib/stunnel/run</command></userinput></screen> 88 89 <note><para>A signed <acronym>SSL</acronym> Certificate and a Private Key is 90 necessary to run the <command>stunnel</command> daemon. If you own, or have 91 already created a signed <acronym>SSL</acronym> Certificate you wish to use, 92 copy it to <filename>/etc/stunnel/stunnel.pem</filename> before starting the 93 build, otherwise you will be prompted to create one during the installation 94 process. The <filename>.pem</filename> file must be formatted as shown 95 below:</para> 96 97 <screen>-----BEGIN RSA PRIVATE KEY----- 94 install -d -m 700 -o stunnel -g stunnel /var/lib/stunnel/run</userinput></screen> 95 96 <note> 97 <para>A signed SSL Certificate and a Private Key is necessary to run 98 the <command>stunnel</command> daemon. If you own, or have already 99 created a signed SSL Certificate you wish to use, copy it to 100 <filename>/etc/stunnel/stunnel.pem</filename> before starting the build, 101 otherwise you will be prompted to create one during the installation 102 process. 
The <filename>.pem</filename> file must be formatted as shown 103 below:</para> 104 105 <screen><literal>-----BEGIN RSA PRIVATE KEY----- 98 106 <replaceable>[many encrypted lines of unencrypted key]</replaceable> 99 107 -----END RSA PRIVATE KEY----- 100 108 -----BEGIN CERTIFICATE----- 101 109 <replaceable>[many encrypted lines of certificate]</replaceable> 102 -----END CERTIFICATE-----</screen></note> 103 104 <para>Install <application>Stunnel</application> by running the following 105 commands:</para> 106 107 <screen><userinput><command>patch -Np1 -i ../stunnel-&stunnel-version;-1_minute_sleep_fix.patch && 110 -----END CERTIFICATE-----</literal></screen> 111 112 </note> 113 114 <para>Install <application>Stunnel</application> by running the following 115 commands:</para> 116 117 <screen><userinput>patch -Np1 -i ../stunnel-&stunnel-version;-1_minute_sleep_fix.patch && 108 118 ./configure --prefix=/usr --sysconfdir=/etc \ 109 119 --localstatedir=/var/lib && 110 make</command></userinput></screen> 111 112 <para>Now, as the root user:</para> 113 114 <screen><userinput role='root'><command>make install</command></userinput></screen> 115 116 </sect2> 117 118 <sect2> 119 <title>Command explanations</title> 120 121 <para><parameter>--sysconfdir=/etc</parameter>: This parameter forces the 122 configuration directory to <filename class='directory'>/etc</filename> instead 123 of <filename class='directory'>/usr/etc</filename>.</para> 124 125 <para><parameter>--localstatedir=/var/lib</parameter>: This parameter 126 causes the installation process to create 127 <filename class='directory'>/var/lib/stunnel</filename> instead of 128 <filename class='directory'>/usr/var/stunnel</filename>.</para> 129 130 <para><command>make install</command>: This command installs the package and, 131 if you did not copy an <filename>stunnel.pem</filename> file to the 132 <filename class='directory'>/etc/stunnel</filename> directory, prompts you for 133 the necessary information to create one. 
Ensure you reply to the</para> 134 135 <screen><computeroutput>Common Name (FQDN of your server) [localhost]:</computeroutput></screen> 136 137 <para>prompt with the name or <acronym>IP</acronym> address you will be using 138 to access the service.</para> 139 140 </sect2> 141 142 <sect2> 143 <title>Configuring <application>Stunnel</application></title> 144 145 <sect3 id="stunnel-config"><title>Config files</title> 146 <para><filename>/etc/stunnel/stunnel.conf</filename></para> 147 <indexterm zone="stunnel stunnel-config"> 148 <primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary> 149 </indexterm> 150 </sect3> 151 152 <sect3><title>Configuration Information</title> 153 154 <para>Create a basic <filename>/etc/stunnel/stunnel.conf</filename> 155 configuration file using the following commands:</para> 156 157 <screen><userinput role='root'><command>cat >/etc/stunnel/stunnel.conf << "EOF"</command> 158 # File: /etc/stunnel/stunnel.conf 120 make</userinput></screen> 121 122 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 123 124 <screen role="root"><userinput>make install</userinput></screen> 125 126 </sect2> 127 128 <sect2 role="commands"> 129 <title>Command Explanations</title> 130 131 <para><parameter>--sysconfdir=/etc</parameter>: This parameter forces 132 the configuration directory to <filename class='directory'>/etc</filename> 133 instead of <filename class='directory'>/usr/etc</filename>.</para> 134 135 <para><parameter>--localstatedir=/var/lib</parameter>: This parameter 136 causes the installation process to create 137 <filename class='directory'>/var/lib/stunnel</filename> instead of 138 <filename class='directory'>/usr/var/stunnel</filename>.</para> 139 140 <para><command>make install</command>: This command installs the package 141 and, if you did not copy an <filename>stunnel.pem</filename> file to the 142 <filename class='directory'>/etc/stunnel</filename> directory, prompts you 143 for the necessary 
information to create one. Ensure you reply to the</para> 144 145 <screen><prompt>Common Name (FQDN of your server) [localhost]:</prompt></screen> 146 147 <para>prompt with the name or IP address you will be using 148 to access the service.</para> 149 150 </sect2> 151 152 <sect2 role="configuration"> 153 <title>Configuring Stunnel</title> 154 155 <sect3 id="stunnel-config"> 156 <title>Config Files</title> 157 158 <para><filename>/etc/stunnel/stunnel.conf</filename></para> 159 160 <indexterm zone="stunnel stunnel-config"> 161 <primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary> 162 </indexterm> 163 164 </sect3> 165 166 <sect3> 167 <title>Configuration Information</title> 168 169 <para>Create a basic <filename>/etc/stunnel/stunnel.conf</filename> 170 configuration file using the following commands:</para> 171 172 <screen role="root"><userinput>cat >/etc/stunnel/stunnel.conf << "EOF" 173 <literal># File: /etc/stunnel/stunnel.conf 159 174 160 175 pid = /run/stunnel.pid … … 162 177 client = no 163 178 setuid = stunnel 164 setgid = stunnel 165 166 <command>EOF</command></userinput></screen>167 168 <para>Next, you need to add the service you wish to encrypt to the 169 configuration file. The format is as follows:</para> 170 171 <screen>< userinput role='root'>[<replaceable>[service]</replaceable>]179 setgid = stunnel</literal> 180 181 EOF</userinput></screen> 182 183 <para>Next, you need to add the service you wish to encrypt to the 184 configuration file. 
The format is as follows:</para> 185 186 <screen><literal>[<replaceable>[service]</replaceable>] 172 187 accept = <replaceable>[hostname:portnumber]</replaceable> 173 connect = <replaceable>[hostname:portnumber]</replaceable></userinput></screen> 174 175 <para>If you use <application>Stunnel</application> to encrypt a daemon 176 started from <command>[x]inetd</command>, you may need to disable that daemon 177 in the <filename>/etc/[x]inetd.conf</filename> file and enable a corresponding 178 <replaceable>[service]</replaceable>_stunnel service. You may have to add an 179 appropriate entry in <filename>/etc/services</filename> as well.</para> 180 181 <para>For a full explanation of the commands and syntax used in the 182 configuration file, run <command>man stunnel</command>. To see a 183 <acronym>BLFS</acronym> example of an actual setup of an 184 <command>stunnel</command> encrypted service, read the 185 <xref linkend="samba3-swat-config"/> in the <application>Samba</application> 186 instructions.</para> 187 188 <para id="stunnel.init">To automatically start the <command>stunnel</command> 189 daemon when the system is rebooted, install the 190 <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the 191 <xref linkend="intro-important-bootscripts"/> package.</para> 192 <indexterm zone="stunnel stunnel.init"> 193 <primary sortas="f-stunnel.init">stunnel</primary></indexterm> 194 195 <screen><userinput role='root'><command>make install-stunnel</command></userinput></screen> 196 </sect3> 197 198 </sect2> 199 200 <sect2> 201 <title>Contents</title> 202 <segmentedlist> 203 <segtitle>Installed Programs</segtitle> 204 <segtitle>Installed Library</segtitle> 205 <segtitle>Installed Directories</segtitle> 206 <seglistitem> 207 <seg>stunnel and stunnel3</seg> 208 <seg>libstunnel.so</seg> 209 <seg>/etc/stunnel, /var/lib/stunnel and /usr/share/doc/stunnel</seg> 210 </seglistitem> 211 </segmentedlist> 212 213 <variablelist> 214 <bridgehead renderas="sect3">Short 
Descriptions</bridgehead> 215 <?dbfo list-presentation="list"?> 216 217 <varlistentry id="stunnel-prog"> 218 <term><command>stunnel</command></term> 219 <listitem><para> is a program designed to work as an <acronym>SSL</acronym> 220 encryption wrapper between remote clients and local 221 (<command>[x]inetd</command>-startable) or remote servers.</para> 222 <indexterm zone="stunnel stunnel-prog"> 223 <primary sortas="b-stunnel">stunnel</primary></indexterm> 224 </listitem> 225 </varlistentry> 226 227 <varlistentry id="stunnel3"> 228 <term><command>stunnel3</command></term> 229 <listitem><para>is a <application>Perl</application> wrapper script to use 230 <command>stunnel</command> 3.x syntax with <command>stunnel</command> 231 >=4.05.</para> 232 <indexterm zone="stunnel stunnel3"> 233 <primary sortas="b-stunnel3">stunnel3</primary></indexterm> 234 </listitem> 235 </varlistentry> 236 237 <varlistentry id="libstunnel"> 238 <term><filename class='libraryfile'>libstunnel.so</filename></term> 239 <listitem><para> contains the <acronym>API</acronym> functions required by 240 <application>Stunnel</application>.</para> 241 <indexterm zone="stunnel libstunnel"> 242 <primary sortas="c-libstunnel">libstunnel.so</primary></indexterm> 243 </listitem> 244 </varlistentry> 245 </variablelist> 246 247 </sect2> 188 connect = <replaceable>[hostname:portnumber]</replaceable></literal></screen> 189 190 <para>If you use <application>Stunnel</application> to encrypt a daemon 191 started from <command>[x]inetd</command>, you may need to disable that 192 daemon in the <filename>/etc/[x]inetd.conf</filename> file and enable a 193 corresponding <replaceable>[service]</replaceable>_stunnel service. You 194 may have to add an appropriate entry in <filename>/etc/services</filename> 195 as well.</para> 196 197 <para>For a full explanation of the commands and syntax used in the 198 configuration file, run <command>man stunnel</command>. 
To see a 199 BLFS example of an actual setup of an <command>stunnel</command> encrypted 200 service, read the <xref linkend="samba3-swat-config"/> in the 201 <application>Samba</application> instructions.</para> 202 203 </sect3> 204 205 <sect3 id="stunnel-init"> 206 <title>Boot Script</title> 207 208 <para>To automatically start the <command>stunnel</command> daemon 209 when the system is rebooted, install the 210 <filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the 211 <xref linkend="intro-important-bootscripts"/> package.</para> 212 213 <indexterm zone="stunnel stunnel-init"> 214 <primary sortas="f-stunnel">stunnel</primary> 215 </indexterm> 216 217 <screen role="root"><userinput>make install-stunnel</userinput></screen> 218 219 </sect3> 220 221 </sect2> 222 223 <sect2 role="content"> 224 <title>Contents</title> 225 226 <segmentedlist> 227 <segtitle>Installed Programs</segtitle> 228 <segtitle>Installed Library</segtitle> 229 <segtitle>Installed Directories</segtitle> 230 231 <seglistitem> 232 <seg>stunnel and stunnel3</seg> 233 <seg>libstunnel.so</seg> 234 <seg>/etc/stunnel, /var/lib/stunnel, and /usr/share/doc/stunnel</seg> 235 </seglistitem> 236 </segmentedlist> 237 238 <variablelist> 239 <bridgehead renderas="sect3">Short Descriptions</bridgehead> 240 <?dbfo list-presentation="list"?> 241 242 <varlistentry id="stunnel-prog"> 243 <term><command>stunnel</command></term> 244 <listitem> 245 <para> is a program designed to work as an SSL 246 encryption wrapper between remote clients and local 247 (<command>[x]inetd</command>-startable) or remote servers.</para> 248 <indexterm zone="stunnel stunnel-prog"> 249 <primary sortas="b-stunnel">stunnel</primary> 250 </indexterm> 251 </listitem> 252 </varlistentry> 253 254 <varlistentry id="stunnel3"> 255 <term><command>stunnel3</command></term> 256 <listitem> 257 <para>is a <application>Perl</application> wrapper script to use 258 <command>stunnel</command> 3.x syntax with <command>stunnel</command> 259 
>=4.05.</para> 260 <indexterm zone="stunnel stunnel3"> 261 <primary sortas="b-stunnel3">stunnel3</primary> 262 </indexterm> 263 </listitem> 264 </varlistentry> 265 266 <varlistentry id="libstunnel"> 267 <term><filename class='libraryfile'>libstunnel.so</filename></term> 268 <listitem> 269 <para> contains the API functions required by 270 <application>Stunnel</application>.</para> 271 <indexterm zone="stunnel libstunnel"> 272 <primary sortas="c-libstunnel">libstunnel.so</primary> 273 </indexterm> 274 </listitem> 275 </varlistentry> 276 277 </variablelist> 278 279 </sect2> 248 280 249 281 </sect1> 250
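Review bot: The Additional Downloads list gives the required patch only as an FTP link (`ftp://stunnel.mirt.net/stunnel/stunnel-&stunnel-version;-1_minute_sleep_fix.patch`) with no checksum, while the tarball in Package Information carries `&stunnel-md5sum;`. Since the installation applies it directly with `patch -Np1 -i ../stunnel-&stunnel-version;-1_minute_sleep_fix.patch`, add an MD5 sum entry for the patch alongside the link so readers can verify the file before it is applied to the build.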
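Review bot: In the `<note>` about `/etc/stunnel/stunnel.pem`, "A signed SSL Certificate and a Private Key is necessary" should read "are necessary", and the placeholder `[many encrypted lines of unencrypted key]` contradicts itself: the PEM body is base64-encoded text, not encrypted, and the key is stored in the clear so the daemon can start unattended. Suggest `[many base64-encoded lines of unencrypted key]`, plus one sentence telling the reader to make sure the file is not world-readable, since it holds the private key for every service the tunnel protects.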
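Review bot: "an <command>stunnel</command> encrypted service" (Configuration Information) and "an <filename>stunnel.pem</filename> file" (Command Explanations) should use "a"; both are carried over unchanged into the right-hand column. Replacing the old `<screen>< userinput role='root'>[<replaceable>[service]</replaceable>]` with `<screen><literal>...</literal></screen>` is the right call, since the stray space in `< userinput` was not well-formed XML and the block is a template to edit, not a command to type as root.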