stunnel: Authentication

Either the TLS client, the TLS server, or both need to be authenticated:

  • Server authentication prevents Man-In-The-Middle (MITM) attacks on the encryption protocol.
  • Client authentication allows for restricting access for individual clients (access control).


The easiest way to configure authentication is with PSK (Pre-Shared Key). It provides both client and server authentication. PSK is also the fastest TLS authentication.


PSK authentication requires stunnel version 5.09 or higher.

Server Configuration

A trivial configuration example:

[PSK server]
accept = <server_port>
connect = <dst_port>
ciphers = PSK
PSKsecrets = psk.txt

The psk.txt file contains one line for each client:


Client Configuration

A trivial configuration example:

[PSK client 1]
client = yes
accept =<src_port>
connect = <server_host>:<server_port>
PSKsecrets = psk1.txt

The psk1.txt file only needs a single line:


Each client needs a separate secret. Otherwise, all the clients sharing the same key will have to be reconfigured if the key is compromised.


For simplicity, this tutorial only covers server authentication. The advantage of this configuration is that it does not require individual secrets for each of the clients.

Server Configuration

Unless PSK authentication is configured, each stunnel server needs a certificate with the corresponding private key. The Windows installer of stunnel automatically builds a certificate. On Unix platforms, a certificate can be built with "make cert". A certificate can also be purchased from one of the available commercial certificate authorities.

A trivial configuration example:

[certificate-based server]
accept = <server_port>
connect = <dst_port>
cert = cert.pem
key = key.pem

The "key" option may be omitted if cert.pem also contains the private key.

Client Configuration

stunnel can use an existing PKI (Public Key Infrastructure). The following configuration requires stunnel 5.15 or later:

[PKI client]
client = yes
accept =<src_port>
connect = <server_host>:<server_port>
verifyChain = yes
CAfile = ca-certs.pem
checkHost = <server_host>

The ca-certs.pem file contains the certificates of trusted certificate authorities.

Alternatively, a technique known as certificate pinning can be used. The following configuration requires stunnel version 4.46 or higher:

[pinning client]
client = yes
accept =<src_port>
connect = <server_host>:<server_port>
verifyPeer = yes
CAfile = peer-certificate.pem

The peer-certificate.pem file needs to contain the server certificate.

0 (0)
Article Rating (No Votes)
Rate this article
There are no attachments for this article.
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Tcpdump Examples Linux
Viewed 3451 times since Fri, Nov 16, 2018
RHEL: What is "SysRq key" and how to use it
Viewed 1899 times since Sat, Jun 2, 2018
Logrotate Example for Custom Logs
Viewed 1244 times since Sun, Jan 12, 2020
Linux 20 Netstat Commands for Linux Network Management
Viewed 323 times since Mon, Sep 21, 2020
RHEL: udev rules basics
Viewed 1559 times since Sat, Jun 2, 2018
Method 2 – Use shell scripts How to install yum cron on a CentOS/RHEL 6.x/7.x
Viewed 781 times since Tue, Dec 4, 2018
An easier way to manage disk decryption at boot with Red Hat Enterprise Linux 7.5 using NBDE
Viewed 2834 times since Mon, Aug 6, 2018
sed Delete / Remove ^M Carriage Return (Line Feed / CRLF) on Linux or Unix
Viewed 1474 times since Thu, Feb 7, 2019
How To Ping Specific Port Number
Viewed 921 times since Mon, Jun 1, 2020
SSH Essentials: Working with SSH Servers, Clients, and Keys
Viewed 1544 times since Wed, Jun 27, 2018