stunnel: Authentication
Either the TLS client, the TLS server, or both need to be authenticated:
- Server authentication prevents Man-In-The-Middle (MITM) attacks on the encryption protocol.
- Client authentication allows for restricting access for individual clients (access control).
PSK
The easiest way to configure authentication is with PSK (Pre-Shared Key). It provides both client and server authentication. PSK is also the fastest TLS authentication.
PSK authentication requires stunnel version 5.09 or higher.
Server Configuration
A trivial configuration example:
[PSK server] accept = <server_port> connect = <dst_port> ciphers = PSK PSKsecrets = psk.txt
The psk.txt file contains one line for each client:
test1:oaP4EishaeSaishei6rio6xeeph3az test2:yah5uS4aijooxilier8iaphuwah1Lo
Client Configuration
A trivial configuration example:
[PSK client 1] client = yes accept = 127.0.0.1:<src_port> connect = <server_host>:<server_port> PSKsecrets = psk1.txt
The psk1.txt file only needs a single line:
test1:oaP4EishaeSaishei6rio6xeeph3az
Each client needs a separate secret. Otherwise, all the clients sharing the same key will have to be reconfigured if the key is compromised.
Certificates
For simplicity, this tutorial only covers server authentication. The advantage of this configuration is that it does not require individual secrets for each of the clients.
Server Configuration
Unless PSK authentication is configured, each stunnel server needs a certificate with the corresponding private key. The Windows installer of stunnel automatically builds a certificate. On Unix platforms, a certificate can be built with "make cert". A certificate can also be purchased from one of the available commercial certificate authorities.
A trivial configuration example:
[certificate-based server] accept = <server_port> connect = <dst_port> cert = cert.pem key = key.pem
The "key" option may be omitted if cert.pem also contains the private key.
Client Configuration
stunnel can use an existing PKI (Public Key Infrastructure). The following configuration requires stunnel 5.15 or later:
[PKI client] client = yes accept = 127.0.0.1:<src_port> connect = <server_host>:<server_port> verifyChain = yes CAfile = ca-certs.pem checkHost = <server_host>
The ca-certs.pem file contains the certificates of trusted certificate authorities.
Alternatively, a technique known as certificate pinning can be used. The following configuration requires stunnel version 4.46 or higher:
[pinning client] client = yes accept = 127.0.0.1:<src_port> connect = <server_host>:<server_port> verifyPeer = yes CAfile = peer-certificate.pem
The peer-certificate.pem file needs to contain the server certificate.
Subscribe to Article
Print Article
Email Article to Friend
Export to PDF
Export to MS Word