This is the Stunnel package for Debian. * Per-config-file systemd services On Debian installations running under systemd, it is possible to enable individual stunnel instances that each use their own configuration file in the /etc/stunnel directory. The `stunnel@.service` template may be used to enable these instances of stunnel; for each instance, it will look for a file in /etc/stunnel with the instance name and a .conf extension. Thus, to configure services described in e.g. the /etc/stunnel/mail.conf file, enable and start a systemd service named `stunnel@mail.service`. Per-config-file stunnel service instances are also available as user services; if enabled via `systemctl --user enable stunnel@.service`, they will look for a ~/.config/stunnel/.conf file. Please note that in both cases, the service files use the "simple" systemd service type, so the configuration must include a "foreground = yes" setting. * Basic configuration After installation, you should : - edit /etc/stunnel/stunnel.conf - edit /etc/default/stunnel and set ENABLE=1, if you want your configured tunnels to start automatically on boot. - generate a certificate for use with stunnel if you want to use server mode Sergio Rua made a perl front-end for the stunnel configuration. It is very simple and only includes a couple of configuration options. This script is located in /usr/share/doc/stunnel4/contrib/StunnelConf-0.1.pl It requires libgnome2-perl and libgtk2-perl. * How to create SSL keys for stunnel The certificates default directory is /etc/ssl/certs, so cd into that dir and issue the command: openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem Fill in the info requested. Change 'stunnel.pem' to the name of the certificate you need to create. stunnel.pem will be used by default by stunnel, but you want to create different certificates for different services you run with stunnel. Make sure only root can read the file (or only the user that needs to read it, if stunnel is run as that user): chmod 600 stunnel.pem Now you need to append the DH parameters to the certificate. First you need to generate some amount of random data: dd if=/dev/urandom of=temp_file count=2 Use /dev/random if you want a more secure source of data, but make sure you have enough entropy on you system (the output file should be at least 512 bytes long). And now make openssl generate the DH parameters and append them to the certificate file: openssl dhparam -rand temp_file 512 >> stunnel.pem You also want to link the certificate to its hash name so that openssl can find it also by that means: ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0 Read the manual page for openssl for more info on the various options. * FIPS Since version 4.21 stunnel includes support for OpenSSL's FIPS mode. However, using it requires stunnel to be compiled statically against OpenSSL and all supporting libraries. Thus, this option is disabled in the Debian package. See the OpenSSL FIPS User Guide at https://www.openssl.org/docs/fips/UserGuide-2.0.pdf and the OpenSSL notes about FIPS 140-2 at https://www.openssl.org/docs/fips/fipsnotes.html - Julien LEMOINE , Sun, 19 Feb 2006 17:31:24 +0100 -- Luis Rodrigo Gallardo Cruz , Sat, 30 Oct 2007 14:50:54 z