stunnel Howto A Guide to create SSL access to a HTTP-only webserver with stunnel -

1. Get the stunnel software

Source is available at http://stunnel.mirt.net/, but many distributions already provide a precompiled package. In this example, I compiled it from scratch.

fm@susie:/home/devel> zcat ../software/stunnel-4.15.tar.gz | tar xf -
fm@susie:/home/devel> ls stunnel-4

2. Prepare the home if not /usr/local/xxx

susie:/home/devel # mkdir /home/stunnel-4.15
susie:/home/devel # ln -s /home/stunnel-4.15 /home/stunnel

3. Compile the software

There is a bug in stunnel when Diffie Hellman support is enabled with --enable-dh in src/ctx.c

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --enable-dh --disable-libwrap

susie:/home/devel/stunnel-4.15 # make

...
ctx.c: In function `init_dh':
ctx.c:170: error: `section' undeclared (first use in this fu
ctx.c:170: error: (Each undeclared identifier is reported on
ctx.c:170: error: for each function it appears in.)
ctx.c:198: error: `ctx' undeclared (first use in this functi
make[1]: *** [ctx.o] Error 1
make[1]: Leaving directory `/home/devel/stunnel-4.15/src'
make: *** [all-recursive] Error 1

Reasons are two missing pointer declarations in src/ctx.c:
SSL_CTX *ctx;
LOCAL_OPTIONS *section;

Since I do not plan to use DH, I removed the option and compilation worked with out any trouble.

fm@susie:/home/devel/stunnel-4.15> ./configure --prefix=/home/stunnel
 --with-ssl=/home/openssl --disable-libwrap
fm@susie:/home/devel/stunnel-4.15> make; su; make install

"make install" calls OpenSSL routines and generates a self-signed certificate together with the private key in a single file. The certificate and key can be displayed with openssl:

susie:~ # openssl x509 -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text
susie:~ # openssl rsa -in /home/stunnel/etc/stunnel/stunnel.pem -noout -text

4. Adjust the stunnel configuration file

For more information, see the stunnel manpage.

susie:~ # vi /home/stunnel/etc/stunnel/stunnel.conf

; ==== stunnel configuration for https to http forwarding ====

; Certificate/key is needed in server mode and optional in client mode
cert = /home/stunnel/etc/stunnel/stunnel.pem

; since private key and certificate are in one file, we don't need
; to specify the key file. Since we do not use authentication with
; client certs, we don't need the CA certificate for verification.
;key = /home/stunnel/etc/stunnel/stunnel-privkey.pem
;CAfile = /home/stunnel/etc/stunnel/cacert.pem

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /home/stunnel/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0

; ==== end of stunnel.conf ====

5. Verify the webserver is running on port 80 and the SSL port 443 is free

susie:~ # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)

6. Start stunnel and verify it is listening on port 443

susie:/home/stunnel # sbin/stunnel
susie:/home/stunnel # lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE NODE NAME
sshd     1153   root    5u  IPv6   2949       TCP *:ssh (LISTEN)
master   1339   root   11u  IPv4   3741       TCP localhost:smtp (LISTEN)
xinetd   1444   root    5u  IPv4   5968       UDP *:tftp
httpd   15216   root   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15217 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15218 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15219 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15220 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
httpd   15221 wwwrun   18u  IPv4  64750       TCP *:http (LISTEN)
stunnel 15229 nobody    6u  IPv4  67679       TCP *:https (LISTEN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

7. Stop stunnel

susie:~ # kill `cat /home/stunnel/var/lib/stunnel/stunnel.pid`

8. verifying function in syslog logfile

susie:/home/stunnel # tail -f /var/log/messages

May  6 00:24:18 susie stunnel: LOG5[21440:16384]: stunnel 4.15 on
 i686-pc-linux-gnu with OpenSSL 0.9.7e 25 Oct 2004
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: Threading:PTHREAD
 SSL:ENGINE Sockets:POLL,IPv4
May  6 00:24:18 susie stunnel: LOG5[21440:16384]: 500 clients allowed
...
May  6 00:24:35 susie stunnel: LOG5[21445:16386]: https connected from
 127.0.0.1:33108
May  6 00:24:36 susie stunnel: LOG5[21445:16386]: Connection closed: 13079
 bytes sent to SSL, 930 bytes sent to socket

The 'debug' option increases the log level, 0 = no logging, 7 = full logging plus console output. 'debug = 5' logs everything including informational this is the default.