[[StunnelConfiguration/CZ|Česky]] | '''english'''

See also the [[http://www.stunnel.org/|Stunnel.org]] website.

== Client configuration ==

Download your CAcert certificate. Take your CAcert certificate in PKCS12 format (with both the public and the private key in it) and convert it to a PEM format certificate with OpenSSL:

''openssl pkcs12 -clcerts -in cacert.p12 -out mycert.pem''

Move mycert.pem to your Stunnel configuration directory.

You will also need a certificate chain file; this file needs to be created on the server side. See the ''Server configuration'' section below for more information. Name this file ca-chain.pem and move it to the Stunnel configuration directory as well.

Here is an example of a client-side stunnel.conf configuration:

{{{
# This configuration file is to use stunnel as a client.
#
# The global settings
#
# Certificate Authority file
CAfile = ca-chain.pem

# Your client certificate in PEM format.
cert = mycert.pem
# Where the private key is kept.
key = mycert.pem

# Run in client mode? (remote service is using SSL)
client = yes

# Debug level (0=nothing, 7 is a lot)
debug = 5

# Verification level of remote certificate
verify = 2

# Some example definitions of the services that we're running on our localhost
# More examples can be found on the Stunnel.org website.

# Service IMAP
[stunnel.imap]
accept = localhost:143
connect = stunnel.example.com:993

# Service SMTP
[stunnel.smtp]
accept = localhost:25
connect = stunnel.example.com:587
protocol = smtp

# Service SSH
[stunnel.ssh]
accept = localhost:22
connect = stunnel.example.com:8022
}}}

== Server configuration ==

'''Information about how to generate the certificate chain and how to use your server certificate will be added later.'''

On the server side, you will need a directory in which the trusted client certificates ('''not the private keys!''') are stored. Place a trusted certificate, in PEM format, in this directory and generate a hash for this certificate.
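The client configuration above and the server configuration below differ mainly in their verify level and in where the trust anchors come from (CAfile / CApath); getting those wrong silently turns the tunnel into an unauthenticated one. As an added example, not part of this wiki page or of Stunnel itself, the following Python script parses a stunnel.conf of that shape and reports settings that weaken peer verification; the embedded sample configurations are constructed from the client configuration above, and the checks encode only the rules the two configurations on this page illustrate.

```python
# Constructed sample: the client-side configuration from this page, reduced to
# its security-relevant options (comments, debug level and two services dropped).
CLIENT_CONF = """\
CAfile = ca-chain.pem
cert = mycert.pem
key = mycert.pem
client = yes
verify = 2

[stunnel.imap]
accept = localhost:143
connect = stunnel.example.com:993
"""
# Constructed weak variant: no trust anchor and verify = 0, so the local
# stunnel would accept whatever certificate the remote side presents.
WEAK_CLIENT_CONF = CLIENT_CONF.replace("CAfile = ca-chain.pem\n", "") \
                              .replace("verify = 2", "verify = 0")

def parse_stunnel_conf(text):
    """Return (global options, {service: options}); '#' lines are comments."""
    global_opts, services = {}, {}
    current = global_opts          # options before the first [section] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return global_opts, services

def audit_stunnel_conf(text):
    """List settings that weaken peer verification in the global section."""
    g, services = parse_stunnel_conf(text)
    findings = []
    client = g.get("client", "no").lower() == "yes"
    verify = int(g.get("verify", "0"))   # stunnel does not verify peers unless told to
    if verify < 2:
        findings.append(f"verify = {verify}: peer certificate is not required")
    elif "CAfile" not in g and "CApath" not in g:
        findings.append("verify >= 2 without CAfile or CApath: no trust anchor")
    if verify == 3 and "CApath" not in g:
        findings.append("verify = 3 checks peers against locally installed certs: set CApath")
    if not client and "cert" not in g:
        findings.append("server mode without cert: nothing to present to clients")
    return findings
```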
This hash can be created using the following ''/bin/sh'' script:

{{{
cd /path/to/trusted/certs/
HASHVALUE=`/usr/bin/openssl x509 -noout -hash -in "trustedcert.pem"`
ln -s "trustedcert.pem" ${HASHVALUE}.0
}}}

The corresponding Stunnel server configuration file will look like this:

{{{
# Configuration file to use Stunnel as a server
#
# The global settings
#
# Certificate Authority file
CAfile = /path/to/cacert_root.crt

# Path to trusted certificates
CApath = /path/to/trusted/certs/

# Debugging level (0=nothing, 7=a lot)
debug = 7

# Verification level of remote certificates
verify = 3

cert = /usr/local/etc/stunnel/ssl.key/stunnel.insecure.pem
key = /usr/local/etc/stunnel/ssl.key/stunnel.insecure.pem
pid = /usr/local/var/stunnel/stunnel.pid
setuid = stunnel
setgid = stunnel

# session-cache
session = 86400

# Service IMAP
[stunnel.imaps]
accept = :993
connect = imapserver.example.com:143

# Service SMTP
[stunnel.smtp]
accept = :587
connect = smtp.example.com:25
protocol = smtp

# Service SSH
[stunnel.ssh]
accept = :8022
connect = sshhost.example.com:22
}}}

In the client e-mail application, you can now change the name of your IMAP server to localhost, and the name of your SMTP server too. The e-mail client will connect to your local Stunnel daemon, the local Stunnel daemon will make an SSL connection to the remote Stunnel server (stunnel.example.com), and the Stunnel server will make a non-SSL connection to the original IMAP and SMTP servers.

----
 . CategorySoftware
 . CategoryConfiguration