stunnel
Universal SSL tunnel

Q: Is there a mailing list for stunnel?
A: Sure. You can subscribe to the list in two simple steps:
   1. Send an empty e-mail to stunnel-users-subscribe@mike.daewoo.com.pl
   2. Follow the instructions you'll receive. 8-)

Q: What do I need to build stunnel on a UNIX machine?
A: You need:
   - an ANSI C compiler;
   - the OpenSSL or SSLeay library.
   You should also have (not necessary):
   - POSIX threads (make sure your SSL library is built with -DTHREADS);
   - libwrap, if you want tcp wrappers functionality.

Q: Should I use daemon mode or inetd mode?
A: Use daemon mode if not sure. It's better in most cases.

Q: I'd like to use SSL in my IMAP client. Could you give me an example?
A: Use:
   "stunnel -d 993 -r imap"
   Or:
   "stunnel -d 993 -l /usr/sbin/imapd imapd"

Q: I need to add the -s option to my in.pop3d. How to do that?
A: Use:
   "stunnel -d 995 -l /usr/sbin/in.pop3d -- in.pop3d -s"

Q: "stunnel -d 465 -l /usr/lib/sendmail sendmail" doesn't work...
A: Sure it doesn't. Sendmail is not a service to be started with inetd.
   Use "stunnel -d 465 -r smtp" instead.

Q: I'd like to start stunnel from inetd. Could you give me an example?
A: If possible, avoid starting stunnel from inetd. It's slow (SSL needs to be
   initialized for every connection), does not support the session cache and
   will use more memory under heavy load.
   The example /etc/inetd.conf line for imapd:
   "imaps stream tcp nowait root \
       /usr/local/sbin/stunnel stunnel -l /usr/sbin/imapd imapd"
   Note that, for better compatibility, the above syntax is different from the
   old one (2.x). Don't forget to add "imaps 993/tcp" to /etc/services and
   restart inetd.

Q: How is the service name (for logging and for libwrap) created?
A: Here are the rules:
   1. If there are some arguments (after the options), the first one (argv[0]
      for the local service) is used.
   2. Otherwise, in remote mode, the remote hostname (the -r argument) is
      used, with ':' changed to '.'.
   3. Otherwise, in local mode, the executable name (without path) is used.
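To make the three rules concrete, here is a small added Python helper (not part of stunnel or of this FAQ) that derives the service name from a stunnel command line and builds the matching /etc/hosts.allow entry in the form used in the hosts.allow answer. It recognises only the -d, -r, -l and -f options that appear in this FAQ; the command lines and the client name foo.bar.com are constructed from the FAQ's own examples.

```python
"""Derive the stunnel service name (for syslog and libwrap) from a command
line, following the three rules in the FAQ.  Added example, not stunnel code;
only the -d, -r, -l and -f options used in this FAQ are recognised."""
import argparse
import os
import shlex


def service_name(cmdline):
    """Return the libwrap service name for a 'stunnel ...' command line.

    Rules (from the FAQ):
      1. arguments after the options -> argv[0] of the local service;
      2. otherwise remote mode (-r [host:]port) -> ':' replaced by '.';
      3. otherwise local mode (-l program) -> program name without path.
    """
    parser = argparse.ArgumentParser(prog="stunnel", add_help=False)
    parser.add_argument("-d")                       # daemon mode: [host:]port
    parser.add_argument("-r")                       # remote mode: [host:]port
    parser.add_argument("-l")                       # local mode: program to exec
    parser.add_argument("-f", action="store_true")  # foreground, log to stderr
    parser.add_argument("args", nargs="*")          # argv for the local program
    words = shlex.split(cmdline)
    if words and os.path.basename(words[0]) == "stunnel":
        words = words[1:]                           # drop the program name
    opts = parser.parse_args(words)                 # '--' ends option parsing
    if opts.args:
        return opts.args[0]                         # rule 1
    if opts.r is not None:
        return opts.r.replace(":", ".")             # rule 2
    if opts.l is not None:
        return os.path.basename(opts.l)             # rule 3
    raise ValueError("neither -r nor -l given: " + cmdline)


def hosts_allow_line(cmdline, *clients):
    """Build the /etc/hosts.allow entry allowing only the listed clients."""
    return "%s: %s" % (service_name(cmdline), " ".join(clients))


if __name__ == "__main__":
    # Constructed command lines, taken from the FAQ's own examples.
    for cmd in ("stunnel -d 9999 -r proxy:3128",
                "stunnel -d 993 -l /usr/sbin/imapd imapd",
                "stunnel -d 995 -l /usr/sbin/in.pop3d -- in.pop3d -s"):
        print("%-55s -> %s" % (cmd, service_name(cmd)))
    print(hosts_allow_line("stunnel -d 9999 -r proxy:3128", "foo.bar.com"))
```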
   Check the debug output of stunnel if you're not sure what the correct
   service name is in your case.

Q: How to correctly use tcpd (tcp wrappers) with stunnel?
A: You don't need to use tcpd with stunnel. stunnel can do it by itself.
   Just make sure you have the libwrap library installed when building stunnel.

Q: How to set up /etc/hosts.allow with stunnel? An example?
A: To allow connections to "stunnel -d 9999 -r proxy:3128" only from
   foo.bar.com, use:
   "proxy.3128: foo.bar.com"
   Also look at the answer about creating the service name.

Q: Will stunnel work with [...] protocol?
A: There are some simple rules to check this:
   1. The protocol needs to be based on TCP (not UDP).
   2. The protocol can't use multiple connections (like ftp).
   3. The protocol can't depend on OOB data (like telnet).
   4. The remote site can't use an application-specific protocol (like SMTP
      from Netscape 4.5 or ssltelnet, where SSL is a negotiated option).

Q: Can you give me a list of officially assigned SSL port numbers?
A: Here it is (from the Internet Assigned Numbers Authority):

   nsiiops      261/tcp   # IIOP Name Service over TLS/SSL
   https        443/tcp   # http protocol over TLS/SSL
   smtps        465/tcp   # smtp protocol over TLS/SSL (was ssmtp)
   nntps        563/tcp   # nntp protocol over TLS/SSL (was snntp)
   imap4-ssl    585/tcp   # IMAP4+SSL (use 993 instead)
   sshell       614/tcp   # SSLshell
   ldaps        636/tcp   # ldap protocol over TLS/SSL (was sldap)
   ftps-data    989/tcp   # ftp protocol, data, over TLS/SSL
   ftps         990/tcp   # ftp protocol, control, over TLS/SSL
   telnets      992/tcp   # telnet protocol over TLS/SSL
   imaps        993/tcp   # imap4 protocol over TLS/SSL
   ircs         994/tcp   # irc protocol over TLS/SSL
   pop3s        995/tcp   # pop3 protocol over TLS/SSL (was spop3)
   msft-gc-ssl 3269/tcp   # Microsoft Global Catalog with LDAP/SSL

   Please note that not every protocol on that list will work with stunnel.

Q: SMTP with SSL doesn't work with Netscape 4.5. What should I do?
A: Netscape uses a specific protocol for SMTP - it's not just tunneling.
   There's no way to use a general-purpose wrapper for this protocol.
   IMAP works fine, anyway.
   Workaround: install stunnel in client mode on your Windows machine instead
   of enabling SSL for SMTP in the Netscape client.

Q: I have strange timeouts with my Outlook Express 4. What to do?
A: Do *NOT* use the SSL of Outlook Express 4. Upgrade, if you have to use
   Microsoft products.
   Workaround: install stunnel in client mode on your Windows machine instead
   of enabling SSL in Outlook.

Q: None of the above helped me...
A: Look into your syslog or use the "-f" option.

Q: I don't understand the error. Please help!
A: Prepare the following data:
   1. Description of your problem.
   2. Output of "stunnel -f -d 7 ".
   3. Output of "uname -a".
   4. Your libc version if you use Linux.
   5. Output of "gcc -v".
   6. Output of "openssl version" or "ssleay version", depending on your
      library.
   Subscribe to stunnel-users. Send an e-mail with the above information to
   the list.

* THE END *