stunnel: Securing the Insecure with SSL and Creating SSL Tunnels


Introduction to stunnel

Just about every system administrator comes across a time when there is a need to encrypt some service. Perhaps your mail program just can’t handle it. Or maybe you need to take a non-SSL aware VNC server and make it SSL-aware. Maybe you’re just paranoid. For such moments in system administrating there is “stunnel.”


stunnel is a program that can turn any non-SSL or non-encrypted TCP port into an encrypted port. Further, it has the ability to decrypt the data as well. When configured properly stunnel can be a mini, port-only VPN that will allow you safely transmit data across unsecured channels. stunnel is available on most major Linux distributions and Windows. Ports may be available for other operating systems.

stunnel, is however, a TCP only program. Some programs do not work well with stunnel and therefore another solution may be required. UDP programs may require another solution like openVPN or IPSEC in order to secure them appropriately.

Finally, stunnel is a mature program. It is fully supported by Novell and is widely used in the community.

Introduction to SSL security

stunnel, like many other programs relies on secure socket layer encryption, or SSL. SSL has several advantages, in that only a certificate has to be generated. The security of the certificate can be as strong or as weak as you would like.

Most people have been introduced to certificates on the internet when browsing to a website. Usually, the site administrator allowed the certificate to expire or it is a self-signed certificate. Certificates are basically a way of starting a secure communication. At the start of the communication, the server sends its credentials, or certificate to the client. The client then evaluates the certificate and then accepts or rejects the connection. After a key exchange, the client and the server agree on how to talk and a secure channel is established.

There are two pieces of a certificate. The key and the certificate itself. With out the key, a certificate is useless. For this reason, you need to keep the key private.

SSL security both authenticates the source, usually the server and provides for privacy of the data. The security options are usually defined by both the client and the server and can be further defined by the certificate itself. SSL security has the ability to provide for weak and strong encryption. The only limiting factor for the encryption chosen is the version of OpenSSL on the server and the client and the crypto libraries on the server.
Transport layer security is also know as SSLv3 or TLSv1. Both technologies are essentially the same. SSLv2 is considered unsecure and should not be used.

Why stunnel

stunnel is probably the easiest way to provide encryption to programs that don’t provide it themselves. Setup for stunnel takes only minutes and it is very reliable. Finally, the Novell provided binaries provide everything you need to set it up and not have to worry about it.


Install the stunnel RPM from the installation media. “yast -i stunnel” should install the latest version for you automatically assuming that automatic updates is enabled.

Create the certificate

A default certificate is provided with stunnel. Needless to say, the certificate is useless, since the key is known; if the key is known then the certificate is useless.

Option 1: Create a certificate and have it signed

openssl req -new -key server.key -out server.csr

Keep the server.key secret. Send the server.csr to your certificate authority.

Option 2: Obtain a certificate from your certificate authority

If you already have a certificate authority or you want to create one, make sure to copy the key and the certificate here.

Option 3: Create your own and forget about signing

Unless you care about the authenticity of a certificate, this is probably the easiest option. For the sake of this article, I am going to use this option.

openssl req -new -x509 -nodes -out server.pem -keyout server.key -days 365

Configure /etc/stunnel/stunnel.conf

The configuration file is held /etc/stunnel under the name of stunnel.conf. The format is pretty basic; and in most cases the skeleton provided should be sufficient to get started.

The certificate/key section

This section defines where the keys and certificate are. After copying the certificate and key to this directory, change the “cert=” and the “key=” (if appropriate). The “client = yes” line makes it so that any remote connection will use the certificate on the other side; i.e. computer A is listening on a local port that is redirected to computer B; computer B’s certificate would be used.

cert = /etc/stunnel/cert.pem
key  = /etc/stunnel/cert.key
client = yes

Define your services

stunnel works by listening on another port and then redirecting that traffic through to the unsecured port. For example, if you want to secure SMTP, you would have it listen on another port and then forward it to port 25. There are a multiplicity of options and the design is really up to you.

Here are some options.

This example is one for a VNC port. If your VNC viewer understands SSL, then you would point it to host:5959

accept = 5959
connect = 5901

Perhaps you don’t have a VNC viewer that understands SSL. You can use stunnel to handle the connection for you. The example below would make is so that a dumb VNC viewer would have the connection tunneled to another computer.

accept =
connect =

The above example also shows something else. stunnel can listen on a specific address. Using this configuration you can prevent your computer from providing unsecure access to another secure service.

stunnel also interesting mode called “inetd” mode. This allows stunnel to start a program when a connection comes in on that port. The following example is taken from the example configuration file.

accept = 993
exec = /usr/sbin/imapd
execargs = imapd
pty = no

After you get your configuration files defined, make sure that any corresponding configurations are completed on remote servers

Starting it up

To start up stunnel, type:

rcstunnel start

To start up stunnel at boot, type:

chkconfig stunnel on

Side note

Once you get used to stunnel you can do some really cool things. In some cases you can actually get a little better performance using tunnels. I use stunnel for VNC and, running stunnel on Windows, for RDP connections. There are ways to do this with Samba as well. If you are looking at changing traffic which uses UDP, you will want to use another VPN solution like IPSEC or openVPN.

(Visited 1 times, 1 visits today)


  • anonymous says:

    Can we use this in a Netware and Windows workstation only environment?

    If so, is the setup similar?

  • scvenema says:

    As the article points out, stunnel is indeed useful. So why was it omitted from the SLES 11 distribution? Any suggestions on the cleanest way to grab this and get future patches automatically if needed?

  • bvwputnam says:

    Installed stunnel and configured it and VNC. Client can connect via VNC, but they get a blank screen – nothing is rendered.

    What are we missing?

    We can see the VNC connection established in /var/log/messages, and there are no errors. Likewise, there are no errors (actually, there’s nothing at all) in /var/log/rc.stunnel.log.


  • Leave a Reply

    Your email address will not be published. Required fields are marked *