Stunnel
Stunnel is an open-source multi-platform computer program, used to provide universal TLS/SSL tunneling service.

Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. It runs on a variety of operating systems, including most Unix-like operating systems and Windows. Stunnel relies on a separate library such as OpenSSL or SSLeay to implement the underlying TLS or SSL protocol.

Stunnel uses public-key cryptography with X.509 digital certificates to secure the SSL connection. Clients can optionally be authenticated via a certificate too.

If linked against libwrap, it can be configured to act as a proxy-firewall service as well.

Stunnel is maintained by Michał Trojnara. It is released under the terms of the GNU General Public License (GPL) with OpenSSL exception.
Example scenario

The application can present an external secure SSL port that is mapped to an internal unsecured TCP port of an existing application. For example, to provide a secure SSL connection to an existing SMTP mail server, Stunnel might map the SSL port 465 to port 25 of the mail server. Network traffic from clients connecting to the mail server on port 465 would initially pass over SSL to the Stunnel application, which would then transparently forward unsecured traffic to port 25 of the mail server. The Stunnel process could be running on the same or a different server from the unsecured mail application; however, both machines would typically be behind a firewall on a secure internal network.
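The port mapping just described, written as an stunnel configuration file. This is an added example, not from the article or the Stunnel project; the certificate and key paths, the service account name and the loopback address of the mail server are assumptions.

```ini
; Added example stunnel.conf for the SMTP scenario (not from the original article).
; Paths under /etc/stunnel/ and the stunnel4 account are assumed; adjust for your system.

; ---- global options ----
cert = /etc/stunnel/mail.pem          ; server certificate (PEM) presented to clients
key = /etc/stunnel/mail.key           ; matching private key, readable only by root
setuid = stunnel4                     ; drop privileges after binding port 465
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
options = NO_SSLv2                    ; refuse legacy protocol versions
options = NO_SSLv3
debug = 5                             ; syslog level: notice
output = /var/log/stunnel.log

; ---- server side: external TLS port 465 -> internal cleartext SMTP port 25 ----
[smtps]
accept = 465
connect = 127.0.0.1:25                ; mail server on the same host; use host:25 if remote
; optional client certificate authentication: require a certificate and
; verify it against the listed CA (verify = 2); omit both lines to allow any client
verify = 2
CAfile = /etc/stunnel/client-ca.pem

; ---- client side (on a machine whose mail client cannot speak TLS) ----
; the client connects to localhost:2525 in cleartext and stunnel wraps it in TLS
[smtps-client]
client = yes
accept = 127.0.0.1:2525
connect = mail.example.internal:465  ; assumed hostname of the stunnel server above
verify = 2
CAfile = /etc/stunnel/server-ca.pem   ; CA that issued mail.pem, so the server is authenticated
```

The two service sections belong on different machines in practice; they are shown in one file only to keep both ends of the tunnel in view.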