Difference between revisions of "User:Regid/stunnel"

From ArchWiki
Jump to navigation Jump to search
(keep edit and save)
(Have created a new page, stunnel. No need for this page any more. deleting it.)
(Tag: Blanking)
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
:[https://www.stunnel.org stunnel] (“Secure Tunnel”) is a multi-platform application used to provide a universal TLS/SSL tunneling service. It is sort of proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. It is designed for security, portability, and scalability (including load-balancing), making it suitable for large deployments. It uses [[openssl]], and distributed under GNU GPL version 2 or later with OpenSSL exception.
Can tunnel only TCP packets. Its [https://www.stunnel.org/faq.html FAQ] has some work around for UDP.
Authentication can be used by the server to allow access only to approved clients.
== Installation ==
[[Install]] {{Pkg|stunnel}} from [[official repositories]].
Depending on your usage, you might also [[Systemd#Editing_provided_units]] to better [[Systemd#Handling_dependencies]]. In order for the stunnel to start up automatically at system boot you must [[enable]] it.
== setup ==
The main configuration file is read from /etc/stunnel/stunnel.conf.
A client is one to accept non TLS encrypted data. It TLS encrypts the data and connects to the server. The server accepts TLS encrypted data and extracts it. It then connects to where the data should be send to.
=== Byte order mark (BOM) ===
The configuration file expects a UTF-8 [https://en.wikipedia.org/wiki/Byte_order_mark byte order mark (BOM)], at the beginning of the file. A BOM is the unicode character U+FEFF. Its UTF-8 representation is the (hexadecimal) byte sequence 0xEF,0xBB,0xBF. Inserting those bytes into the beginning of a file can be done by
# echo -e '\xEF\xBB\xBF' > /etc/stunnel/stunnel.conf
To test if those bytes appear, one can use
# od –-address-radix=n -–format=x1c --read-bytes=4 /etc/stunnel/stunnel.conf
  ef  bb    bf  0a
357 273 277    \n
Note that when printing the file to the screen, such as with cat, or when [[edit]]ing the file with a text editor, the BOM bytes are usually  not displayed. They should be there, though. Which is why you might want to verify that they are still there after editing is completed with the above OD, or similar, command.
=== Authentication ===
At least one of the client and the server, and optionally both, should be authenticated. Either a pre-shared secret, or a key and certificate pair, can be used for authentication. A pre-shared secret has to be transfred to all the involved machines apriory by other means, such as [[scp]]. When such transfer is acceptable, pre-shared key is the fastest method. Its speed might help defending attacks. A simple configuration for a server with a single client that are using a pre-shared secret is:
where /etc/stunnel/psk could be created on one machine by
# openssl rand -base64 -out /etc/stunnel/psk 40
and copied to the other machine by secure means before starting stunnel. The files [[permissions]] for each psk file should be set appropriately.
== Tips and Tricks ==
=== DNS over TLS ===
[[bind]] does not offer builtin facilities for encryption of queries and answers. Bind knowledge base suggests using stunnel. See https://kb.isc.org/docs/aa-01386. The link mentions [[unbound]] at the bottom of the page. A user that have only shell accounts on both the client and the server can still tunnel only his DNS traffic even when both the resolver and the NS support DNS over TLS.
=== Encrypting NFSv4 with Stunnel TLS ===
See [https://www.linuxjournal.com/content/encrypting-nfsv4-stunnel-tls Encrypting NFSv4 with Stunnel TLS]
== See also ==
* [[Wikipedia:stunnel]]
* [https://wiki.debian.org/Pan?highlight=%28stunnel%29#SSL_encryption SSL encryption for Pan]
* [https://www.linuxjournal.com/article/7628 Paranoid Penguin - Rehabilitating Clear-Text Network Applications with Stunnel]

Latest revision as of 22:34, 19 June 2019