See also the Stunnel.org website.

Client configuration

Download CAcert certificate. Take your CAcert in PKCS12 format (with both the public and the private key in it) and convert it to a PEM format certificate with OpenSSL:

Move mycert.pem to your Stunnel configuration directory. Also you will need a certificate chain file, this file needs to be created on the server side. See the Server configuration section below for more information. Name this file ca-chain.pem and move this also to the Stunnel configuration directory.

Here is an example of a client-side stunnel.conf configuration:

# This configurationfile is to use stunnel as a client.
#
# The global settings
#

# Certificate Authority file
CAfile = ca-chain.pem

# Your client certificate in PEM format.
cert = mycert.pem

# Where the private key is kept.
key = mycert.pem

# Run in client mode? (remote service is using SSL)
client = yes

# Debug level (0=nothing, 7 is a lot)||
debug = 5

# Verification level of remote certificate
verify = 2

# Some example definitions of the services that we're running on our localhost
# More examples can be found on the Stunnel.org website.

# Service IMAP
[stunnel.imap]
accept = localhost:143
connect = stunnel.example.com:993

# Service SMTP
[stunnel.smtp]
accept = localhost:25
connect = stunnel.example.com:587
protocol = smtp

# Service SSH
[stunnel.ssh]
accept = localhost:22
connect = stunnel.example.com:8022

Server configuration

information about how to generate the certificate chain and how to use your server certificate will be added later

On the server side, you will need to have a directory in which the client certificates (not the private keys!) that are trusted need to be stored. Place a trusted certificate, in PEM format, in this directory and generate a hash for this certificate. This hash can be created using the following /bin/sh script:

The corresponding Stunnel server configuration file will look like this:

# Configuration file to use Stunnel as a server
#
# The global settings
#

# Certificate Authority file
CAfile = /path/to/cacert_root.crt
# Path to trusted certificates
CApath = /path/to/trusted/certs/

# Debugging level (0=nothing, 7= a lot)
debug = 7

# Verification level of remote certificates
verify = 3

cert = /usr/local/etc/stunnel/ssl.key/stunnel.insecure.pem
key = /usr/local/etc/stunnel/ssl.key/stunnel.insecure.pem

pid = /usr/local/var/stunnel/stunnel.pid
setuid = stunnel
setgid = stunnel

# session-cache
session = 86400

# Service IMAP
[stunnel.imaps]
accept = <ip-address of server>:993
connect = imapserver.example.com:143

# Service SMTP
[stunnel.smtp]
accept = <ip-address of server>:587
connect = smtp.example.com:25
protocol = smtp

# Service SSH
[stunnel.ssh]
accept = <ip-address of server>:8022
connect = sshhost.example.com:22

In the client e-mail application, you can now change the name of your IMAP server to localhost and the name of your SMTP server too. The e-mail client will connect with your local Stunnel daemon, the Stunnel daemon will make an SSL connection to the remote Stunnel server (stunnel.example.com) and the Stunnel server will make a non-SSL connection to the original IMAP and SMTP servers.


StunnelConfiguration (last edited 2011-03-26 00:13:03 by UlrichSchroeter)