Stunnel Example

Posted onby

Example scenario. For example, one could use stunnel to provide a secure SSL connection to an existing non-SSL-aware SMTP mail server. Assuming the SMTP server expects TCP connections on port 25, one would configure stunnel to map the SSL port 465 to non-SSL port 25. A mail client connects via SSL to port 465. This also explains the behaviour, since stunnel implicitly tries to bin to the IPv4 port in the v6 section. I am unsure if my solution is good practice and if one can rely in the net.ipv6 default. I think there should be a ipv6only option in stunnel, like there is for nginx and socat. Stunnel is a SSL encryption wrapper that can tunnel unencrypted traffic like Redis. Our step by step guide helps you wrap your Redis traffic in SSL with stunnel. The most common use of stunnel is to listen on a network port and establish communication with either a new port via the connect option, or a new program via the exec option. However there is a special case when you wish to have some other program accept incoming connections and launch stunnel, for example with inetd, xinetd, or tcpserver.

Telnet is a client-server protocol that connects to a remote server through TCP over port 23. Telnet does not encrypt data and is considered insecure and passwords can be easily sniffed because data is sent in the clear. However there are still legacy systems that need to use it. This is where stunnel comes to the rescue.

Stunnel is designed to add SSL encryption to programs that have insecure connection protocols. This article shows you how to use it, with telnet as an example.

Server Installation

Install stunnel along with the telnet server and client using sudo:

Add a firewall rule, entering your password when prompted:

Next, generate an RSA private key and an SSL certificate:

Stunnel Configuration Examples

You will be prompted for the following information one line at a time. When asked for Common Name you must enter the correct host name or IP address, but everything else you can skip through by hitting the Enter key.

Merge the RSA key and SSL certificate into a single .pem file, and copy that to the SSL certificate directory:

Now it’s time to define the service and the ports to use for encrypting your connection. Choose a port that is not already in use. This example uses port 450 for tunneling telnet. Edit or create the /etc/stunnel/telnet.conf file:

The accept option is the port the server will listen to for incoming telnet requests. The connect option is the internal port the telnet server listens to.

Stunnel Example

Next, make a copy of the systemd unit file that allows you to override the packaged version:

Edit the /etc/systemd/system/stunnel.service file to add two lines. These lines create a chroot jail for the service when it starts.

Next, configure SELinux to listen to telnet on the new port you just specified:

Finally, add a new firewall rule:

Now you can enable and start telnet and stunnel.

A note on the systemctl command is in order. Systemd and the stunnel package provide an additional template unit file by default. The template lets you drop multiple configuration files for stunnel into /etc/stunnel, and use the filename to start the service. For instance, if you had a foobar.conf file, you could start that instance of stunnel with systemctl start [email protected], without having to write any unit files yourself.

Stunnel

If you want, you can set this stunnel template service to start on boot:

Stunnel Configuration

Client Installation

This part of the article assumes you are logged in as a normal user (with sudo privileges) on the client system. Install stunnel and the telnet client:

Copy the stunnel.pem file from the remote server to your client /etc/pki/tls/certs directory. In this example, the IP address of the remote telnet server is 192.168.1.143.

Create the /etc/stunnel/telnet.conf file:

Stunnel Configuration Examples

The accept option is the port that will be used for telnet sessions. The connect option is the IP address of your remote server and the port it’s listening on.

Stunnel Sni Example

Next, enable and start stunnel:

Stunnel Examples

Test your connection. Since you have a connection established, you will telnet to localhost instead of the hostname or IP address of the remote telnet server: