Upgrading to stunnel 4

Upgrading to stunnel 4

stunnel is a great tool. It allows you to encrypt TCP connections inside SSL. And it’s available for both Unix and Windows. I use it to hide various traffic, including the cvsup I run to update this website and the zone files on my DNS servers. See stunnel – another way to avoid plain text passwords and stunnel – encryption and security for my previous articles.

Recently, stunnel 4.0 came out with many new improvements. Much to the annoyance of some users, the command line paramaters changed drastically. Personally, I thought that was a good thing. Version 4 uses a configuration file, and comes with enhanced capability. I like it.

This article will compare my old command line format with the new configuration file format. Hopefull that will help you along the way.

Note that I’ve had success in mixing v3 and v4 of stunnel. Specifically, I’ve run v4 on my clients and v3 on the server. With the success there, I’m quite sure that it would work the other way around too.

man pages – make the migration easier

If you are upgrading to version 4, you probably already have that man page. But what you may not have is the version 3 man page. I found that having the old man page greatly simplified the conversion process. Just look up the old parameter, find out what it does, then look up the same option on the version 4 man page.

How did I create these html files? Like this:

nroff -man ~/tmp/stunnel-3.22/stunnel.8 | man2html -title "stunnel(8) - version 3" > stunnel-v3-man.html
man stunnel | man2html -title "stunnel(8) - version 4" > stunnel-v4-man.html

man2html is in the FreeBSD Ports tree and the home page is at http://www.oac.uci.edu/indiv/ehood/man2html.html. This assumes that I had v4 already installed and that I had extracted the tarball for v3 into the ~/tmp directory.

The startup scripts

This section compares the old and new startup scripts (/usr/local/etc/rc.d/stunnel.sh. As you can see the old script put the parameters right in the script. I prefer the new format.

Old codeNew Code

#!/bin/sh # Where is the program STUNNEL="/usr/local/sbin/stunnel" case "$1" in start) ${STUNNEL} -c -d localhost:5999 -r 192.168.0.73:6000 ;; stop) killall `basename ${STUNNEL}` ;; *) echo "" echo "Usage: basename $0 { start | stop }" echo "" ;; esac #!/bin/sh # # A sample stunnel startup script written by martti.kuparinen@ericsson.com # # $FreeBSD: ports/security/stunnel/files/stunnel.sh,v 1.2 2002/09/20 09:29:11 roam Exp $ # # Where is the program STUNNEL="/usr/local/sbin/stunnel" case "$1" in     start)         ${STUNNEL} /usr/local/etc/stunnel/stunnel.conf         ;;     stop)         killall `basename ${STUNNEL}`         ;;     *)         echo ""         echo "Usage: basename $0 { start | stop }"         echo ""         ;; esac

The configuration format

I will provide a one-to-one mapping for each parameter used in the above example. That should help you get started. The configuration file is /usr/local/etc/stunnel/stunnel.conf. The following is for a client.

See man stunnel for more information.

Old parametersNew Parameters -p /usr/local/etc/stunnel.pem cert = /usr/local/etc/stunnel/stunnel.pem -s stunnel setuid = stunnel -g stunnel setgid = stunnel -c client = yes -d foreground = no default: background in daemon mode localhost:5999accept = 5999-r 192.168.0.73:6000connect = 192.168.0.73:6000

A sample client configuration file

Here is the configuration file I use on my web server in order to access my webserver. The IP address hsa been changed.

ClientServer

cert = /usr/local/etc/stunnel/stunnel.pem chroot = /var/tmp/stunnel # PID is created inside chroot jail pid = /stunnel.pid setuid = stunnel setgid = stunnel client = yes [6000] accept = 5999 connect = 192.168.0.73:6000

cert = /usr/local/etc/stunnel/stunnel.pem chroot = /var/tmp/stunnel # PID is created inside chroot jail pid = /stunnel.pid setuid = stunnel setgid = stunnel client = no [5999] accept = 6000 connect = 5999 The major differences are hightlighted in bold: The client parameter differs (well, dah….) The client accepts connections on localhost port 5999 The client talks to the server at 192.168.0.73 on port 6000 The server accepts connections on localhost port 6000 The server directs connections on port 6000 to port 5999 One of my favourite tools stunnel is one of my basic tools. I use it every day. And it just sits there. And runs. I’ve enver had to restart stunnel daemon because it has failed. It’s great. And very low overhead. A great tool. If you’ve ever worried about getting TCP traffic from one place to another securely and secretly, then stunnel is for you.   6 Responses to “Upgrading to stunnel 4” steeef says: October 19, 2002 at 11:53 pm ok, so i’ve got stunnel set up exactly the way you’ve set it up here. when i connect from the client to localhost:5999, it tunnels fine, but then the cvsup client reports an unexpected EOF (or something to this effect), and the stunnel log says "SSL_connect: Peer suddenly disconnected". any ideas? Log in to Reply Dan Langille says: October 21, 2002 at 5:00 pm steeef wrote: > any ideas? Yes. Post in the FreeBSD Support section of this website. Log in to Reply TatuSalin says: June 14, 2004 at 7:50 am Hello. Did you by the way get that function correctly? I make my practical training ith this same stunnel and get the same log-file … SSL_connect: Peer suddenly disconnected CAn you help me a little bit and say what the problem is?? Log in to Reply Dennis says: August 24, 2004 at 12:14 pm Hi. I’m also encountering this problem. Do you know what the problem is? Log in to Reply Steve says: February 22, 2005 at 12:03 am I realise this is an old thread but has anyone tried ; socket = r:SO_LINGER=1:60 Juggle remote setting with others as necessary. Log in to Reply Kendo says: March 10, 2004 at 10:06 pm Sweet page. I upgraded to 4.x and was having a helluva time figuring out why none of my scripts worked. For some reason the man pages were no help. You are awesome. Log in to Reply  Leave a Reply Cancel reply You must be logged in to post a comment.