This is the Stunnel 4.x package for Debian.
* Upgrading from stunnel to stunnel4
Stunnel 3 has been deprecated from Debian. The new stunnel4 has a
different command line syntax and configuration. You will need to
update your scripts.
The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
syntax and calls stunnel4 with appropriate options. It appears to
support every stunnel3 option *except* -S (which controls the defaults
used for certificate sources).
* Basic configuration
After installation, you should :
- edit /etc/stunnel/stunnel.conf
- edit /etc/default/stunnel and set ENABLE=1, if you want your
configured tunnels to start automatically on boot.
- generate a certificate for use with stunnel if you want to use server mode
Sergio Rua <srua@debian.org> made a perl front-end for the stunnel
configuration. It is very simple and only includes a couple of configuration
options. This script is located in
/usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl
It requires libgnome2-perl and libgtk2-perl.
* How to create SSL keys for stunnel
The certificates default directory is /etc/ssl/certs, so cd into that dir
and issue the command:
openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
Fill in the info requested.
Change 'stunnel.pem' to the name of the certificate you need to
create. stunnel.pem will be used by default by stunnel, but you want
to create different certificates for different services you run with
stunnel. Make sure only root can read the file (or only the user that
needs to read it, if stunnel is run as that user):
chmod 600 stunnel.pem
Now you need to append the DH parameters to the certificate.
First you need to generate some amount of random data:
dd if=/dev/urandom of=temp_file count=2
Use /dev/random if you want a more secure source of data, but make
sure you have enough entropy on you system (the output file should be
at least 512 bytes long).
And now make openssl generate the DH parameters and append them to the
certificate file:
openssl dhparam -rand temp_file 512 >> stunnel.pem
You also want to link the certificate to its hash name so that openssl
can find it also by that means:
ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0
Read the manual page for openssl for more info on the various options.
* FIPS
Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However,
using it requires stunnel to be compiled statically against OpenSSL and all
supporting libraries. Thus, this option is disabled in the Debian package.
See the OpenSSL FIPS User Guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
and the OpenSSL notes about FIPS 140-2 at
https://www.openssl.org/docs/fips/fipsnotes.html
- Julien LEMOINE <speedblue@debian.org>, Sun, 19 Feb 2006 17:31:24 +0100
-- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>, Sat, 30 Oct 2007 14:50:54 z
3f780093b7