This is the Stunnel 4.x package for Debian. * Upgrading from stunnel to stunnel4 Stunnel 3 has been deprecated from Debian. The new stunnel4 has a different command line syntax and configuration. You will need to update your scripts. The wrapper script /usr/bin/stunnel3 understands stunnel3 command line syntax and calls stunnel4 with appropriate options. It appears to support every stunnel3 option *except* -S (which controls the defaults used for certificate sources). * Basic configuration After installation, you should : - edit /etc/stunnel/stunnel.conf - edit /etc/default/stunnel and set ENABLE=1, if you want your configured tunnels to start automatically on boot. - generate a certificate for use with stunnel if you want to use server mode Sergio Rua made a perl front-end for the stunnel configuration. It is very simple and only includes a couple of configuration options. This script is located in /usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl It requires libgnome2-perl and libgtk2-perl. * How to create SSL keys for stunnel The certificates default directory is /etc/ssl/certs, so cd into that dir and issue the command: openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem Fill in the info requested. Change 'stunnel.pem' to the name of the certificate you need to create. stunnel.pem will be used by default by stunnel, but you want to create different certificates for different services you run with stunnel. Make sure only root can read the file (or only the user that needs to read it, if stunnel is run as that user): chmod 600 stunnel.pem Now you need to append the DH parameters to the certificate. First you need to generate some amount of random data: dd if=/dev/urandom of=temp_file count=2 Use /dev/random if you want a more secure source of data, but make sure you have enough entropy on you system (the output file should be at least 512 bytes long). And now make openssl generate the DH parameters and append them to the certificate file: openssl dhparam -rand temp_file 512 >> stunnel.pem You also want to link the certificate to its hash name so that openssl can find it also by that means: ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0 Read the manual page for openssl for more info on the various options. * FIPS Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However, using it requires stunnel to be compiled statically against OpenSSL and all supporting libraries. Thus, this option is disabled in the Debian package. See the OpenSSL FIPS User Guide at http://www.openssl.org/docs/fips/UserGuide-2.0.pdf and the OpenSSL notes about FIPS 140-2 at http://www.openssl.org/docs/fips/fipsnotes.html - Julien LEMOINE , Sun, 19 Feb 2006 17:31:24 +0100 -- Luis Rodrigo Gallardo Cruz , Sat, 30 Oct 2007 14:50:54 z