stunnel: Securing the Insecure with SSL and Creating SSL Tunnels
Introduction to stunnel
Just about every system administrator comes across a time when there is a need to encrypt some service. Perhaps your mail program just can’t handle it. Or maybe you need to take a non-SSL aware VNC server and make it SSL-aware. Maybe you’re just paranoid. For such moments in system administration there is “stunnel.”
stunnel is a program that can turn any non-SSL or non-encrypted TCP port into an encrypted port. Further, it has the ability to decrypt the data as well. When configured properly, stunnel can be a mini, port-only VPN that will allow you to safely transmit data across unsecured channels. stunnel is available on most major Linux distributions and Windows. Ports may be available for other operating systems.
stunnel is, however, a TCP-only program. Some programs do not work well with stunnel and therefore another solution may be required. UDP programs may require another solution like OpenVPN or IPsec in order to secure them appropriately.
Finally, stunnel is a mature program. It is fully supported by Novell and is widely used in the community.
Introduction to SSL security
stunnel, like many other programs, relies on secure socket layer encryption, or SSL. SSL has several advantages, in that only a certificate has to be generated. The security of the certificate can be as strong or as weak as you would like.
Most people have been introduced to certificates on the internet when browsing to a website. Usually, the site administrator allowed the certificate to expire or it is a self-signed certificate. Certificates are basically a way of starting a secure communication. At the start of the communication, the server sends its credentials, or certificate, to the client. The client then evaluates the certificate and accepts or rejects the connection. After a key exchange, the client and the server agree on how to talk and a secure channel is established.
There are two pieces to a certificate: the key and the certificate itself. Without the key, a certificate is useless. For this reason, you need to keep the key private.
SSL security both authenticates the source, usually the server, and provides for privacy of the data. The security options are usually defined by both the client and the server and can be further defined by the certificate itself. SSL security has the ability to provide for weak and strong encryption. The only limiting factor for the encryption chosen is the version of OpenSSL on the server and the client and the crypto libraries on the server.
Transport layer security is also known as SSLv3 or TLSv1. Both technologies are essentially the same. SSLv2 is considered insecure and should not be used.
stunnel is probably the easiest way to provide encryption to programs that don’t provide it themselves. Setup for stunnel takes only minutes and it is very reliable. Finally, the Novell-provided binaries provide everything you need to set it up and not have to worry about it.
Install the stunnel RPM from the installation media. “yast -i stunnel” should install the latest version for you automatically, assuming that automatic updates are enabled.
Create the certificate
A default certificate is provided with stunnel. Needless to say, that certificate is useless: its key is known, and a certificate whose key is known provides no security.
Option 1: Create a certificate and have it signed
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
Keep the server.key secret. Send the server.csr to your certificate authority.
Option 2: Obtain a certificate from your certificate authority
If you already have a certificate authority or you want to create one, make sure to copy the key and the certificate here.
Option 3: Create your own and forget about signing
Unless you care about the authenticity of a certificate, this is probably the easiest option. For the sake of this article, I am going to use this option.
openssl req -new -x509 -nodes -out server.pem -keyout server.key -days 365
The configuration file is held in /etc/stunnel under the name of stunnel.conf. The format is pretty basic, and in most cases the skeleton provided should be sufficient to get started.
The certificate/key section
This section defines where the keys and certificate are. After copying the certificate and key to this directory, change the “cert=” and the “key=” (if appropriate). The “client = yes” line puts stunnel in client mode, so that any remote connection will use the certificate on the other side; i.e. computer A is listening on a local port that is redirected to computer B; computer B’s certificate would be used. Set “client = yes” only on the computer that initiates the tunnel; on a computer that accepts SSL connections for a local service, leave it out.
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/cert.key
client = yes
Define your services
stunnel works by listening on another port and then redirecting that traffic through to the unsecured port. For example, if you want to secure SMTP, you would have it listen on another port and then forward it to port 25. There is a multiplicity of options and the design is really up to you.
Here are some options.
This example is for a VNC port. If your VNC viewer understands SSL, you would point it to host:5959.
[VNC]
accept = 5959
connect = 5901
Perhaps you don’t have a VNC viewer that understands SSL. You can use stunnel to handle the connection for you. The example below would make it so that a dumb VNC viewer would have the connection tunneled to another computer.
[VNC_to_HostB]
accept = 127.0.0.1:5959
connect = computerB.network.com:5959
The above example also shows something else: stunnel can listen on a specific address. By accepting only on 127.0.0.1, you prevent your computer from offering other machines an unencrypted way into the secured service.
stunnel also has an interesting mode called “inetd” mode. This allows stunnel to start a program when a connection comes in on that port. The following example is taken from the example configuration file.
[imaps]
accept = 993
exec = /usr/sbin/imapd
execargs = imapd
pty = no
After you get your configuration files defined, make sure that any corresponding configurations are completed on remote servers.
Starting it up
To start up stunnel, type:
To start up stunnel at boot, type:
chkconfig stunnel on
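The certificate and service steps above, put together as one added shell example (not from the original article): it creates the Option 3 certificate with an owner-only key, checks that certificate and key belong together, and writes a server-side and a client-side configuration for the VNC tunnel. The function names, file names, certificate CN and the `CAfile`/`verify = 3` lines are assumptions added here; `verify = 3` makes the client accept only the certificate it holds a local copy of.

```sh
#!/bin/sh
# Added example: file names, the CN and the /etc/stunnel paths are assumptions.
# Usage: d=$(mktemp -d); make_cert "$d" computerB.network.com; cert_matches_key "$d"

# make_cert DIR CN: self-signed certificate (Option 3), key readable by owner only.
make_cert() (
    umask 077
    openssl req -new -x509 -nodes -days 365 -subj "/CN=$2" \
        -out "$1/server.pem" -keyout "$1/server.key" 2>/dev/null &&
        chmod 644 "$1/server.pem"
)

# cert_matches_key DIR: succeed only if server.pem and server.key are a pair.
cert_matches_key() {
    c=$(openssl x509 -in "$1/server.pem" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# write_server_conf DIR: Host B terminates SSL on 5959 for its local VNC server.
write_server_conf() {
    cat > "$1/stunnel-server.conf" <<'EOF'
; Host B: no "client" line, so this end speaks SSL on the accept port
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key

[VNC]
accept = 5959
connect = 5901
EOF
}

# write_client_conf DIR: Host A listens on loopback only and checks Host B's
# certificate against a local copy before passing any traffic.
write_client_conf() {
    cat > "$1/stunnel-client.conf" <<'EOF'
; Host A: client mode, plain text in on loopback, SSL out to Host B
client = yes
; copy of Host B's server.pem
CAfile = /etc/stunnel/server.pem
verify = 3

[VNC_to_HostB]
accept = 127.0.0.1:5959
connect = computerB.network.com:5959
EOF
}
```

Only server.pem is copied from Host B to Host A; server.key never leaves Host B.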
Once you get used to stunnel you can do some really cool things. In some cases you can actually get a little better performance using tunnels. I use stunnel for VNC and, running stunnel on Windows, for RDP connections. There are ways to do this with Samba as well. If you are looking at securing traffic which uses UDP, you will want to use another VPN solution like IPsec or OpenVPN.