From Segfault


To install stunnel from source, first mirror the release tree:

rsync -av --delete stunnel-rsync
cd stunnel-rsync

Or, to sync only part of the tree:

rsync -av --delete* stunnel-5
cd stunnel-5

Select a version (set VER accordingly), fetch the maintainer's PGP key, and verify both the detached signature and the checksum before unpacking:

curl | gpg --import
gpg --verify stunnel-${VER}.tar.gz.asc
sha256sum -c stunnel-${VER}.tar.gz.sha256

Note that gpg --verify only proves the archive was signed by some key in your keyring, and the key just imported came from the same place as the tarball. Compare the fingerprint gpg reports against the one the stunnel project publishes before trusting the result.

Extract and compile:

tar -xzf stunnel-${VER}.tar.gz
cd stunnel-${VER}
./configure --prefix=/opt/stunnel && make && sudo make install
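Because gpg --verify reports a good signature for any key present in the keyring, the check above is only as strong as the key that curl piped into it. The following shell script is an added example, not part of this page or of the stunnel distribution: it pins the expected signing key's fingerprint (STUNNEL_FPR is a placeholder, to be replaced with the fingerprint the stunnel project publishes), parses gpg's machine-readable status output instead of trusting the exit code alone, and only then runs the checksum check. The helper names, the placeholder fingerprint and the version argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the Segfault page or the stunnel project): verify a
# stunnel release tarball before building it. gpg --verify succeeds for *any*
# key in the keyring, so the signing key's fingerprint is pinned explicitly.
# STUNNEL_FPR is a placeholder, not the project's real fingerprint: replace it
# with the fingerprint the stunnel project publishes.
set -eu

STUNNEL_FPR="0000000000000000000000000000000000000000"   # placeholder, see above

# Normalize a fingerprint: drop spaces and uppercase it, so "ab cd" == "ABCD".
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Extract the primary-key fingerprint from gpg --status-fd output on stdin.
# VALIDSIG fields: fingerprint date timestamp expire ver reserved pkalgo
# hashalgo sigclass primary-key-fingerprint (see gnupg's doc/DETAILS).
sig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Return 0 only if the status text carries a VALIDSIG whose primary-key
# fingerprint equals the expected one; BADSIG, ERRSIG or no VALIDSIG fail.
status_matches() {   # $1 = gpg status text, $2 = expected fingerprint
    got=$(printf '%s\n' "$1" | sig_primary_fpr)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$2")" ]
}

# Full check for a downloaded release: signature by the pinned key AND a
# matching sha256. Fails closed on either.
verify_release() {   # $1 = version string, e.g. the value of VER above
    ver=$1
    status=$(gpg --batch --status-fd 1 --verify \
             "stunnel-${ver}.tar.gz.asc" "stunnel-${ver}.tar.gz" 2>/dev/null) || {
        echo "gpg: bad or missing signature for stunnel-${ver}.tar.gz" >&2; return 1; }
    status_matches "$status" "$STUNNEL_FPR" || {
        echo "gpg: signature not made by the pinned stunnel key" >&2; return 1; }
    sha256sum -c --strict "stunnel-${ver}.tar.gz.sha256" || return 1
    echo "stunnel-${ver}.tar.gz verified"
}

# Usage: ./verify-stunnel.sh <version>, run in the directory holding the
# tarball, its .asc and its .sha256 file.
if [ "$#" -eq 1 ]; then verify_release "$1"; fi
```

The fingerprint comparison is done on the primary-key fingerprint (the last VALIDSIG field) so that a release signed by a signing subkey of the pinned key still passes, while a signature from any other key that happened to be imported does not.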

HTTP Proxy

Generate a self-signed certificate. stunnel reads the private key and the certificate from a single PEM file, and -nodes leaves the key unencrypted, so restrict the resulting file to the user stunnel runs as (chmod 600):

openssl req -new -x509 -nodes -days 365 -subj '/CN=localhost/O=Foobar Inc/OU=AYB/C=PL' -newkey rsa:4096 -sha512 -out stunnel.pem -keyout stunnel.pem


For stunnel3, all parameters can be given on the command line:

stunnel3 -f -D 4 -P $TMPDIR/ -p stunnel.pem -d 8443 -r 8080
  • -f - run in foreground
  • -D 4 - debug level 4 (warning): log only warnings and more severe messages
  • -P - PID file location (a directory is given here)
  • -p - PEM file holding the certificate and the private key
  • -d - network port to listen on (TLS side)
  • -r - network port to forward the decrypted traffic to (plaintext side)


For stunnel4, a configuration file is needed. Global options come first; client, accept, connect and protocol are service-level options and must sit in a [name] section, one per tunnel. Example stunnel.conf:

cert          = /etc/stunnel/stunnel.pem
key           = /etc/stunnel/stunnel.pem

output        = /var/log/stunnel/stunnel.log
; pid takes a file name, not a directory
pid           = /var/log/stunnel/stunnel.pid
syslog        = no
; foreground  = yes
debug         = 4

; See SSL_CTX_set_options(3ssl)
; options     = NO_SSLv2
; options     = NO_SSLv3
; sslVersion pins exactly one protocol version; newer stunnel 5 releases
; prefer sslVersionMin = TLSv1.2, which also leaves TLS 1.3 usable
sslVersion    = TLSv1.2

; options     = SINGLE_ECDH_USE
; options     = SINGLE_DH_USE

; Turn off the Nagle algorithm for local & remote sockets
; socket      = l:TCP_NODELAY=1
; socket      = r:TCP_NODELAY=1

[https]
; Stunnel listens to port 8443 (HTTPS) on any IP and connects to
; port 80 (HTTP) on localhost.
; NOTE: we act as a server here and the cert and key
; options above are being used!
client        = no
accept        =
connect       =

[smtp]
; Stunnel listens on port 2025 (SMTP) on localhost and connects to
; the mailhub via SMTP; protocol = smtp negotiates STARTTLS with it.
client        = yes
accept        = localhost:2025
connect       =
protocol      = smtp
; ciphers     = AES256-SHA

Note: The connect address needs to be the same address the HTTP server's (virtual) host is configured to listen on. Using might not work as expected.

Start stunnel with (stunnel4 is the binary name Debian-based packages install; a source build with the prefix above puts it at /opt/stunnel/bin/stunnel):

stunnel4 /etc/stunnel/stunnel.conf
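The most common mistakes when moving from stunnel3 command lines to the stunnel4 file format are service options left in the global section, a section missing accept or connect, a server-mode section with no certificate, and a protocol floor below TLS 1.2. The following shell/awk lint is an added example, not part of this page or of stunnel itself; option names and semantics follow stunnel(8), the function names are assumptions, and the path /etc/stunnel/stunnel.conf is only the conventional location. It checks a config file and lists one finding per line.

```shell
#!/bin/sh
# Added example, not part of the Segfault page or of stunnel itself: a lint
# for stunnel.conf that catches the mistakes typical of a stunnel3 -> stunnel4
# migration. Option names and semantics follow stunnel(8); any config passed
# to it in examples is constructed, and /etc/stunnel/stunnel.conf is only the
# conventional default path.
set -eu

# Print one finding per line (nothing for a clean file). Option names are
# compared case-insensitively; values of client/sslVersion likewise.
lint_stunnel_conf() {   # $1 = path to stunnel.conf
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function finish(sec) {              # checks run when a [section] ends
            if (sec == "") return
            if (!has[sec, "accept"])  print sec ": missing accept"
            if (!has[sec, "connect"]) print sec ": missing connect"
            if (client[sec] != "yes" && !has[sec, "cert"] && !gcert)
                print sec ": server mode without a cert"
        }
        BEGIN { sec = ""; gcert = 0 }
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }   # comment or blank line
        /^[ \t]*\[.*][ \t]*$/ {                # [service] header
            finish(sec); s = trim($0)
            sec = trim(substr(s, 2, length(s) - 2)); next
        }
        {
            n = index($0, "="); if (n == 0) next
            key = tolower(trim(substr($0, 1, n - 1)))
            val = trim(substr($0, n + 1))
            scope = (sec == "") ? "global" : sec
            # sslVersion / sslVersionMin may appear globally or per service
            if ((key == "sslversion" || key == "sslversionmin") &&
                tolower(val) !~ /^tlsv1\.[23]$/)
                print scope ": " key " = " val " allows a pre-TLS-1.2 protocol"
            if (sec == "") {                   # still in the global section
                if (key == "accept" || key == "connect" || key == "client")
                    print "global: " key " is a service option and needs a [section]"
                if (key == "cert") gcert = 1   # global cert covers all services
                next
            }
            has[sec, key] = 1
            if (key == "client") client[sec] = tolower(val)
        }
        END { finish(sec) }
    ' "$1"
}

# Exit status only: 0 if clean, 1 with the findings on stderr otherwise.
check_stunnel_conf() {   # $1 = path to stunnel.conf
    out=$(lint_stunnel_conf "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" >&2
    return 1
}

# Usage: ./lint-stunnel.sh /etc/stunnel/stunnel.conf
if [ "$#" -eq 1 ]; then check_stunnel_conf "$1"; fi
```

Run it against a config written in the stunnel3 style (client, accept and connect with no [section]) and it reports each of those keys as misplaced; against the sectioned example above it reports nothing, provided sslVersion stays at TLSv1.2 or higher.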