File: FAQ

stunnel 2:3.26-3 (Debian sarge)
stunnel         Universal SSL tunnel

See the FAQ at http://www.stunnel.org/ which
is updated more often than this file.

Q: Is there a mailing list for stunnel?
A: Sure.  You can subscribe to the list in two simple steps:
   1. Send an empty e-mail to stunnel-users-subscribe@mirt.net
   2. Follow the instructions you'll receive.  8-)

Q: What do I need to build stunnel on a UNIX machine?
A: You need:
    - ANSI C compiler;
    - Openssl or SSLeay library.
   You should also have (optional, but recommended):
    - POSIX threads (make sure your SSL library is built with -DTHREADS);
    - libwrap if you want to have tcp wrappers functionality.

Q: Should I use daemon mode or inetd mode?
A: Use daemon mode, if not sure.  It's better in most cases.

Q: I'd like to use ssl in my IMAP client.  Could you give me an example?
A: Use: "stunnel -d 993 -r imap"
   Or:  "stunnel -d 993 -l /usr/sbin/imapd imapd"

Q: I need to add the -s option to my in.pop3d.  How do I do that?
A: Use: "stunnel -d 995 -l /usr/sbin/in.pop3d -- in.pop3d -s"
   (the "--" separates stunnel's own options from the arguments passed
   to the local program).

Q: "stunnel -d 465 -l /usr/lib/sendmail sendmail" doesn't work...
A: Sure it doesn't.  Sendmail is not a service to be started with inetd.
   Use: "stunnel -d 465 -r smtp" instead.

Q: I'd like to start stunnel from inetd.  Could you give me an example?
A: If possible, avoid starting stunnel from inetd.  It is slow (SSL has
   to be initialized for every connection), does not support the session
   cache and uses more memory under heavy load.
   An example /etc/inetd.conf line for imapd:
   "imaps stream tcp nowait root \
      /usr/local/sbin/stunnel stunnel -l /usr/sbin/imapd imapd".
   Note that, for better compatibility, this syntax differs from the
   old (2.x) one.
   Don't forget to add "imaps 993/tcp" to /etc/services and restart inetd.

Q: Is there a way to delay DNS lookups until connect time?
A: Instead of "-r host:port" option use
   "-l /usr/bin/redir -- redir --inetd --caddr host --cport port".
   "redir" can be downloaded from http://sammy.net/~sammy/hacks/.

Q: How is the service name (for logging and for libwrap) created?
A: Here are the rules:
   1. If there are arguments (after the options), the first one
      (argv[0] of the local service) is used.
   2. Otherwise, in remote mode, the remote host:port is used, with
      ':' changed to '.'.
   3. Otherwise, in local mode, the execname (without its path) is used.
   Check stunnel's debug output if you are not sure which service name
   applies in your case.

Q: How to correctly use tcpd (tcp wrappers) with stunnel?
A: You don't need to use tcpd with stunnel.  Stunnel can do it by itself.
   Just make sure you have libwrap library installed when building stunnel.

Q: How to setup /etc/hosts.allow with stunnel?  An example?
A: To allow connecting "stunnel -d 9999 -r proxy:3128" only from
   foo.bar.com use: "proxy.3128: foo.bar.com".
   Also look at the answer about creating the service name.
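The two answers above (the service-name rules and the hosts.allow line) can be checked mechanically.  The following is an added example, not code from the stunnel distribution: it applies the three naming rules to an explicitly given mode, target and argument list (it does not parse a real stunnel command line) and emits the matching /etc/hosts.allow entry.  The host names and ports are constructed for illustration.

```sh
#!/bin/sh
# Added example (not stunnel's own code): derive the service name stunnel 3.x
# uses for syslog and libwrap from the way it was invoked, and print the
# matching hosts.allow line.  MODE is "remote" (-r host:port) or "local"
# (-l /path/prog); any further arguments are the local program's argv.
#
#   service_name remote proxy:3128                -> proxy.3128 (rule 2)
#   service_name local  /usr/sbin/imapd imapd     -> imapd      (rule 1)
#   service_name local  /usr/sbin/in.pop3d        -> in.pop3d   (rule 3)

service_name() {
    mode=$1
    target=$2
    shift 2
    if [ $# -gt 0 ]; then
        # Rule 1: arguments after the options -> argv[0] of the local program
        printf '%s\n' "$1"
    elif [ "$mode" = remote ]; then
        # Rule 2: remote mode -> host:port with ':' rewritten to '.'
        printf '%s\n' "$target" | tr ':' '.'
    else
        # Rule 3: local mode without arguments -> execname without its path
        printf '%s\n' "${target##*/}"
    fi
}

# hosts_allow_line MODE TARGET CLIENT_LIST [ARGV...]
# Prints the /etc/hosts.allow entry that permits CLIENT_LIST (a libwrap
# client pattern, e.g. "foo.bar.com" or "192.168.1.0/255.255.255.0")
# to reach this stunnel instance.
hosts_allow_line() {
    mode=$1
    target=$2
    clients=$3
    shift 3
    printf '%s: %s\n' "$(service_name "$mode" "$target" "$@")" "$clients"
}

# Usage: hosts_allow_line remote proxy:3128 foo.bar.com
#        -> "proxy.3128: foo.bar.com" (the line from the answer above)
```

Because the match is done by libwrap, a host-name pattern such as foo.bar.com depends on the client's reverse DNS; where you can, use an address or network pattern instead, and keep a catch-all "ALL: ALL" in /etc/hosts.deny so that a mistyped service name fails closed rather than open.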

Q: Will stunnel work with [...] protocol?
A: There are some simple rules to check this:
   1. The protocol needs to be based on TCP (not UDP).
   2. The protocol can't use multiple connections (like ftp).
   3. The protocol can't depend on OOB data (like telnet).
   4. Remote site can't use an application-specific protocol
      (like ssltelnet, where SSL is a negotiated option).

Q: Can you give me a list of officially assigned SSL ports numbers?
A: Here it is (from Internet Assigned Numbers Authority):
     nsiiops      261/tcp   # IIOP Name Service over TLS/SSL
     https        443/tcp   # http protocol over TLS/SSL
     smtps        465/tcp   # smtp protocol over TLS/SSL (was ssmtp)
     nntps        563/tcp   # nntp protocol over TLS/SSL (was snntp)
     imap4-ssl    585/tcp   # IMAP4+SSL (use 993 instead)
     sshell       614/tcp   # SSLshell
     ldaps        636/tcp   # ldap protocol over TLS/SSL (was sldap)
     ftps-data    989/tcp   # ftp protocol, data, over TLS/SSL
     ftps         990/tcp   # ftp protocol, control, over TLS/SSL
     telnets      992/tcp   # telnet protocol over TLS/SSL
     imaps        993/tcp   # imap4 protocol over TLS/SSL
     ircs         994/tcp   # irc protocol over TLS/SSL
     pop3s        995/tcp   # pop3 protocol over TLS/SSL (was spop3)
     msft-gc-ssl  3269/tcp  # Microsoft Global Catalog with LDAP/SSL
   Note that not every protocol on that list will work with stunnel
   (see the rules in the previous answer).

Q: SMTP with SSL doesn't work with Netscape 4.5 (or better).
   What should I do?
A: Netscape does not open a plain SSL-wrapped SMTP connection; it
   negotiates SSL inside the SMTP session, so stunnel has to speak SMTP
   first.  You need to use the '-n smtp' option.

Q: With my Windows 2000 Build 2195 I have the following errors:
     SSL_accept:error:140760F8:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
     SSL_accept:error:1409B0AB:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:missing tmp rsa key
A: Install 'Critical Updates' for Win2K.  8-)

Q: I have a strange error message:
     SSL_accept: error:00000000::lib(0) :func(0) :reason(0)
   or
     SSL_accept: Peer suddenly disconnected
   What does it mean?
A: The error means that your SSL peer closed the connection before the
   SSL negotiation completed.  Your peer probably does not support SSL
   (for example, a plain-text client talking to the SSL port).

Q: I have strange timeouts with my Outlook Express 4.  What to do?
A: Do *NOT* use SSL of Outlook Express 4.
   Upgrade, if you have to use Microsoft products.
   Workaround: Install stunnel in client mode on your Windows, instead
               of enabling SSL in Outlook.

Q: None of the above helped me...
A: Look at your syslog, or run stunnel with the "-f" (foreground) option
   so that messages go to the terminal.

Q: I don't understand the error.  Please help!
A: Prepare the following data:
   1. A description of your problem.
   2. The list of parameters you are using for stunnel, and whether you
      are running it standalone or from inetd/xinetd.
   3. Output of "stunnel -f -D 7 <your-parameters>".
   4. Output of "stunnel -V".
   5. Output of "uname -a".
   6. Your libc version if you use Linux.
   7. Output of "gcc -v".
   8. Output of "openssl version" or "ssleay version", depending on your library.
   Subscribe to stunnel-users.
   Send an e-mail with the above information to the list.
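The static items on that checklist (4 to 8) can be collected in one go.  This is an added example, not a script shipped with stunnel: it runs each listed command if it is installed and records "not found" otherwise, so the report is complete even on a box without gcc or with SSLeay instead of OpenSSL.  It deliberately does not run "stunnel -f -D 7 ..." (item 3), since that stays in the foreground serving connections; run it yourself and append the output.  Using getconf GNU_LIBC_VERSION for item 6 is my choice; it works for glibc only.

```sh
#!/bin/sh
# Added example (not part of the stunnel distribution): gather the static
# items of the stunnel-users bug-report checklist into one report on stdout.

# run_or_note LABEL CMD [ARGS...]
# Prints a "== LABEL ==" section followed by the command's output, or a
# "not found" note when the command is not installed; never aborts.
run_or_note() {
    label=$1
    shift
    printf '== %s ==\n' "$label"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '(exit status %d)\n' $?
    else
        printf '%s: not found\n' "$1"
    fi
    printf '\n'
}

# collect_stunnel_report -> the report text (items 4-8 of the checklist)
collect_stunnel_report() {
    run_or_note 'stunnel -V' stunnel -V
    run_or_note 'uname -a' uname -a
    if [ "$(uname -s 2>/dev/null)" = Linux ]; then
        # item 6: libc version on Linux (glibc reports it via getconf)
        run_or_note 'libc version' getconf GNU_LIBC_VERSION
    fi
    run_or_note 'gcc -v' gcc -v
    if command -v openssl >/dev/null 2>&1; then
        run_or_note 'openssl version' openssl version
    else
        run_or_note 'ssleay version' ssleay version
    fi
    printf '== stunnel -f -D 7 <your-parameters> ==\n'
    printf '(run this yourself and paste the output here)\n'
}

# Usage: collect_stunnel_report > stunnel-report.txt
```

Review the report before posting it: "stunnel -V" and the debug output can include paths and host names from your configuration.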

Q: How do I use stunnel to create a secure PPP session over the internet?
A: Follow these steps:
   1. Set up your PPP stuff as you would otherwise do for a serial (dialup)
      connection, passwords and all.
   2. Decide on how you want stunnel to run on the server system, i.e. inetd
      vs. daemon mode.
   3. On the server, use something like (observe the -L for pty mode)
      "stunnel -d 2020 -L /usr/sbin/pppd -- pppd local"
   4. On the client system, in order to bring up the secure PPP link run
      "stunnel -c -r server:2020 -L /usr/sbin/pppd -- pppd local"

Q: What is the stunnel.so library for?
A: It is preloaded (LD_PRELOAD) into a program started with -l (local mode)
   when -T (transparent proxy) is turned on.

Q: How to make a certificate for DNS aliases of my servers (virtual servers)?
A: Uncomment the "x.commonName" lines in stunnel.cnf and recreate stunnel.pem
   with "make stunnel.pem".  Add as many lines as you need.
   See http://home.netscape.com/eng/security/ssl_2.0_certificate.html
   to see how Netscape interprets commonName.
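The answer above describes the Netscape-era approach of listing several commonName values.  Modern TLS clients ignore extra commonName entries and match the host name against the subjectAltName extension instead, so the following added example (not stunnel's own stunnel.cnf or Makefile target) goes beyond the answer: it writes an openssl req(1) configuration with every alias as a DNS subjectAltName, generates a self-signed key and certificate, and concatenates them into a stunnel.pem.  The host names, file names, key size and validity period are assumptions; so is the key-then-certificate layout of the output file, which is what a "make stunnel.pem" produces.

```sh
#!/bin/sh
# Added example (not part of the stunnel distribution): build a stunnel.pem
# whose certificate covers several DNS aliases via subjectAltName.

# san_req_cnf PRIMARY_HOST [ALIAS...] -> openssl req(1) config on stdout.
# The primary host becomes the CN; it and every alias become DNS SANs.
san_req_cnf() {
    primary=$1
    cat <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ext
prompt             = no

[ dn ]
CN = $primary

[ ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
EOF
    i=1
    for host in "$@"; do
        printf 'DNS.%d = %s\n' "$i" "$host"
        i=$((i + 1))
    done
}

# make_stunnel_pem OUTFILE PRIMARY_HOST [ALIAS...]
# Generates a 2048-bit RSA key and a one-year self-signed certificate and
# writes key + certificate to OUTFILE, readable by the owner only.
make_stunnel_pem() {
    out=$1
    shift
    tmp=$(mktemp -d) || return 1
    san_req_cnf "$@" > "$tmp/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$tmp/req.cnf" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null \
        || { rm -rf "$tmp"; return 1; }
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" )
    rm -rf "$tmp"
    # show the names the certificate actually carries
    openssl x509 -in "$out" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: make_stunnel_pem stunnel.pem mail.foo.bar.com imap.foo.bar.com pop.foo.bar.com
```

A self-signed certificate like this still has to be trusted explicitly by each client; for anything beyond a test setup, feed the same req.cnf to a real CA instead of "-x509", and keep the resulting stunnel.pem mode 0600 since it contains the unencrypted private key.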

* THE END *