Commit c2146ced authored by Rodrigo Gallardo

Upstream 4.35

sha1sum for upstream tarball: b08b95a61f1d65cf9cc44068e0665a17ea5397c3
sha256sum for upstream tarball: a810e220498239483e14fae24eeb2a188a6167e9118958b903f8793768c4460f
parent 94f78914
stunnel Universal SSL tunnel
stunnel authors
Author Michal Trojnara <Michal.Trojnara@mirt.net>
Michal Trojnara <Michal.Trojnara@mirt.net>
stunnel known bugs
KNOWN BUGS
- Shared library to be LD_PRELOADed does not support IPv6.
- Shared library for transparent proxy does not support IPv6.
stunnel license (see COPYRIGHT.GPL for detailed GPL conditions)
Copyright (C) 1998-2008 Michal Trojnara
Copyright (C) 1998-2011 Michal Trojnara
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
......
stunnel change log
Version 4.35, 2011.02.05, urgency: LOW:
* New features
- Updated Win32 DLLs for OpenSSL 1.0.0c.
- Transparent source (non-local bind) added for FreeBSD 8.x.
- Transparent destination ("transparent = destination") added for Linux.
* Bugfixes
- Fixed reload of FIPS-enabled stunnel.
- Compiler options are now auto-detected by ./configure script
in order to support obsolete versions of gcc.
- Async-signal-unsafe s_log() removed from SIGTERM/SIGQUIT/SIGINT handler.
- CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10.
Irreparable race condition leaks remain on other Unix platforms.
This issue may have security implications on some deployments.
- Directory lib64 included in the OpenSSL library search path.
- Windows CE compilation fixes (thx to Pierre Delaage).
- Deprecated RSA_generate_key() replaced with RSA_generate_key_ex().
* Domain name changes (courtesy of Bri Hatch)
- http://stunnel.mirt.net/ --> http://www.stunnel.org/
- ftp://stunnel.mirt.net/ --> http://ftp.stunnel.org/
- stunnel.mirt.net::stunnel --> rsync.stunnel.org::stunnel
- stunnel-users@mirt.net --> stunnel-users@stunnel.org
- stunnel-announce@mirt.net --> stunnel-announce@stunnel.org
Version 4.34, 2010.09.19, urgency: LOW:
* New features
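Review bot: the CLOEXEC entry ("CLOEXEC file descriptor leaks fixed on Linux >= 2.6.28 with glibc >= 2.10" through "This issue may have security implications on some deployments") is the one security-relevant item in this release and deserves its own line in the Debian changelog rather than living only in the upstream one: descriptors that lack CLOEXEC are inherited by anything started through the exec option, and the entry itself says the race remains on other platforms. It would also help to state what the fallback is when the fix is unavailable at run time, because the entry keys it to a kernel and glibc version pair, not to a build-time result alone.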
......@@ -54,7 +77,7 @@ Version 4.29, 2009.12.02, urgency: MEDIUM:
* New feature sponsored by Searchtech Limited http://www.astraweb.com/
- sessiond, a high performance SSL session cache was built for stunnel.
A new service-level "sessiond" option was added. sessiond is
available for download on ftp://stunnel.mirt.net/stunnel/sessiond/ .
available for download on ftp://ftp.stunnel.org/stunnel/sessiond/ .
stunnel clusters will be a lot faster, now!
* Bugfixes
- "execargs" defaults to the "exec" parameter (thx to Peter Pentchev).
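Review bot: this hunk rewrites the sessiond download location to ftp://ftp.stunnel.org/stunnel/sessiond/, but the 4.35 entry above maps ftp://stunnel.mirt.net/ to http://ftp.stunnel.org/, not to an ftp:// URL, so one of the two is wrong; INSTALL.W32 and INSTALL.WCE below make the same ftp:// substitution and should be corrected together with this line.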
......
stunnel Unix install notes
1. If your machine supports POSIX threads make sure your SSL
library is compiled with -DTHREADS.
......
stunnel FIPS install notes
FIPS support status:
......
stunnel Windows install notes
Building stunnel from source (optional):
......@@ -24,7 +24,7 @@ Building stunnel from source (optional):
cd /usr/src && tar zvxf ~/openssl-(version).tar.gz
4) Build OpenSSL with cross_mingw32.sh script.
ftp://stunnel.mirt.net/stunnel/openssl/cross_mingw32.sh
ftp://ftp.stunnel.org/stunnel/openssl/cross_mingw32.sh
5) Download and unpack stunnel-(version).tar.gz.
......
stunnel Windows CE install notes
Two stunnel executables are available for Windows CE platform:
......@@ -17,7 +17,7 @@ Building stunnel from source (optional):
http://www.mirrorservice.org/sites/ftp.info-zip.org/pub/infozip/WIN32/
2) download the OpenSSL source files (the whole directory):
ftp://stunnel.mirt.net/stunnel/openssl/ce/
ftp://ftp.stunnel.org/stunnel/openssl/ce/
3) your directory should look like this:
build.bat
......
......@@ -35,5 +35,5 @@ sign: dist
../dist/$(distdir).tar.gz
gpg --yes --armor --detach-sign --force-v3-sigs \
../dist/$(distdir)-installer.exe
sha1sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha1
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
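Review bot: swapping the .sha1 file for a .sha256 file drops a checksum that existing download-verification instructions may still look for; publishing both for at least one release, or announcing the change, avoids breaking them. Also in this hunk: only the tarball gets a checksum file, while `../dist/$(distdir)-installer.exe` is covered by the GPG detached signature alone, so a `sha256sum` line for the installer would put both artefacts on the same footing.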
......@@ -774,7 +774,7 @@ sign: dist
../dist/$(distdir).tar.gz
gpg --yes --armor --detach-sign --force-v3-sigs \
../dist/$(distdir)-installer.exe
sha1sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha1
sha256sum $(distdir).tar.gz | tee ../dist/$(distdir).tar.gz.sha256
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
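Review bot: this is the generated twin of the Makefile.am hunk above, and editing Makefile.in by hand is fragile because any automake run (dh_autoreconf in a Debian build, for instance) regenerates it and the two copies can drift; if the build regenerates the autotools output, only Makefile.am needs the change.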
......
stunnel known port maintainers
Stunnel ports maintainers:
AmigaOS Diego Casorran <dcr8520@amiga.org>
Cygwin Andrew Schulman <andrex@alumni.utexas.net>
Debian Luis Rodrigo Gallardo Cruz <rodrigo@debian.org>
FreeBSD Peter Pentchev <roam@FreeBSD.org>
NetBSD Martti Kuparinen <martti.kuparinen@iki.fi>
OpenBSD Jakob Schlyter <jakob@openbsd.org>
OpenSolaris Mark Fenwick <Mark.Fenwick@sun.com>
RedHat Damien Miller <dmiller@ilogic.com.au>
* AmigaOS
- Diego Casorran <dcr8520@amiga.org>
* Cygwin
- Andrew Schulman <andrex@alumni.utexas.net>
* Debian GNU/Linux
- Luis Rodrigo Gallardo Cruz <rodrigo@nul-unu.com>
* FreeBSD
- Peter Pentchev <roam@FreeBSD.org>
* NetBSD
- Martti Kuparinen <martti.kuparinen@iki.fi>
* OpenBSD
- Jakob Schlyter <jakob@openbsd.org>
* OpenSolaris
- Mark Fenwick <Mark.Fenwick@sun.com>
* OS/2
- Paul Smedley <paul@smedley.info>
* RedHat Linux
- Damien Miller <dmiller@ilogic.com.au>
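Review bot: besides converting the aligned table into a bulleted list, this hunk changes the Debian contact from rodrigo@debian.org to rodrigo@nul-unu.com and adds an OS/2 entry (Paul Smedley); confirm the Debian address change is intended, since it is the contact upstream will use for port issues.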
stunnel overview
Short description
......
stunnel TODO
* High priority features I'm going to support (sponsorship welcomed):
- Add service-level logging.
- Log file rotation with with GUI on Windows.
- In transparent proxy mode add an option to connect destination address
of the the original connection instead of a fixed IP list.
- Support SSL_CTX_set_tlsext_servername_callback.
- Support for CryptoAPI certificates and private keys with CAPI engine.
- Support for Server Name Indication SSL extension
with SSL_CTX_set_tlsext_servername_callback.
- Service-level logging configuration (separate verbosity and destination).
* Low priority features I'm going to support (sponsorship welcomed):
- Replace protocol.c with a scripting engine.
- Add some scripting capabilities *after* SSL negotiations.
- Key renegotiation (re-handshake) for long connections.
- Internationalization of logged messages (i18n).
- Logging to NT eventlog.
- SOCKS 4 protocol support.
http://archive.socks.permeo.com/protocol/socks4.protocol
- Add support for Server Name Indication SSL extension.
- Key renegotiation (re-handshake) for long connections.
- Logging to NT EventLog on Windows.
- Log file rotation with with GUI on Windows.
- Internationalization of logged messages (i18n).
- Generic scripting engine instead or static protocol.c.
* Features I'd prefer NOT to support (waiting for a wealthy sponsor):
- Authentication based on reverse DNS lookup matching CN of X.509.
- HTTP protocol support (adding X-Forwarded-For header to each request,
URL rewriting).
- SMTP protocol support (adding X-Forwarded-For header to each email).
* Features I prefer *not* to support (waiting for a wealthy sponsor):
- Additional certificate checks (including wildcard comparison) based on
CN and X509v3 Subject Alternative Name.
- Protocol support *after* SSL is negotiated.
- Support for adding X-Forwarded-For to HTTP request headers.
- Support for adding X-Forwarded-For to SMTP email headers.
# Process this file with autoconf to produce a configure script.
AC_INIT([stunnel],[4.34])
AC_INIT([stunnel],[4.35])
AC_MSG_NOTICE([**************************************** initialization])
AC_CONFIG_AUX_DIR(auto)
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(stunnel, 4.34)
AM_INIT_AUTOMAKE(stunnel, 4.35)
AC_CONFIG_SRCDIR([src/stunnel.c])
AC_DEFINE(_GNU_SOURCE)
AC_CANONICAL_HOST
AC_SUBST(host)
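Review bot: the version now has to be bumped by hand in two places, AC_INIT([stunnel],[4.35]) and AM_INIT_AUTOMAKE(stunnel, 4.35); the two-argument AM_INIT_AUTOMAKE is the deprecated old-style call, and AM_INIT_AUTOMAKE with options only (taking package and version from AC_INIT) removes the duplication.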
......@@ -16,9 +17,6 @@ AC_DEFINE_UNQUOTED(esc(VENDOR_$host_vendor))
AC_DEFINE_UNQUOTED(esc(OS_$host_os))
AC_PROG_CC
if test "$GCC" = "yes"
then CFLAGS="$CFLAGS -Wall -Wextra -pedantic -Wno-long-long"
fi
AC_PROG_INSTALL
AC_PROG_MAKE_SET
......@@ -28,6 +26,31 @@ AC_PROG_MAKE_SET
# AC_TYPE_PID_T
# AC_HEADER_TIME
AC_MSG_NOTICE([**************************************** C compiler flags])
AC_MSG_CHECKING([whether $CC accepts -Wall])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wall"
AC_COMPILE_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wextra])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wextra"
AC_COMPILE_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -pedantic])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -pedantic"
AC_COMPILE_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_CHECKING([whether $CC accepts -Wno-long-long])
valid_CFLAGS="$CFLAGS"; CFLAGS="$CFLAGS -Wno-long-long"
AC_COMPILE_IFELSE([int main() {return 0;}],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no]); CFLAGS="$valid_CFLAGS"])
AC_MSG_NOTICE([**************************************** libtool])
LT_INIT([disable-static])
AC_SUBST([LIBTOOL_DEPS])
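Review bot: the four flag probes are correct but repeat the same five lines; a small m4 helper taking the flag as its argument would keep the logic in one place. Two caveats on what they prove: AC_COMPILE_IFELSE is handed a bare `int main() {return 0;}` rather than an AC_LANG_SOURCE/AC_LANG_PROGRAM wrapper, which newer autoconf warns about, and gcc accepts unknown -Wno-* options without complaint when the translation unit produces no other diagnostic, so the `-Wno-long-long` probe cannot fail on gcc. The probes only show a flag is accepted, not that the build is warning-clean under it, which is adequate for the stated goal of supporting obsolete gcc versions.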
......@@ -107,6 +130,13 @@ AC_CHECK_HEADERS([sys/socket.h])
AC_CHECK_MEMBERS([struct msghdr.msg_control],
[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL])], [],
[@%:@include <sys/socket.h>])
AC_CHECK_HEADERS([linux/netfilter_ipv4.h], , ,
[[
#include <limits.h>
#include <linux/types.h>
#include <sys/socket.h>
#include <netdb.h>
]] )
AC_MSG_NOTICE([**************************************** libraries])
# Checks for standard libraries
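Review bot: the prerequisite includes passed to AC_CHECK_HEADERS([linux/netfilter_ipv4.h]) are needed because that header relies on INT_MIN from <limits.h> and on the __u32 family from <linux/types.h>, so a plain compile test would fail for an unrelated reason; a one-line comment saying so, and naming the feature that depends on the header (the Linux-only transparent destination support from the ChangeLog), would save the next reader a trip through the kernel headers.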
......@@ -233,6 +263,8 @@ darwin*)
AC_MSG_RESULT([no])
;;
esac
# GNU extensions
AC_CHECK_FUNCS(pipe2 accept4)
AC_MSG_NOTICE([**************************************** SSL])
checkssldir() { :
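Review bot: AC_CHECK_FUNCS(pipe2 accept4) is a link-time test against the build host's glibc, so HAVE_PIPE2/HAVE_ACCEPT4 can be defined for a binary that later runs on an older kernel where the syscalls return ENOSYS; the CLOEXEC code should fall back to pipe()/accept() plus fcntl(FD_CLOEXEC) at run time in that case, otherwise the outcome is a hard failure rather than the "race condition leak" the ChangeLog describes for other platforms. The `# GNU extensions` comment could also mention that these declarations need _GNU_SOURCE, which is defined earlier in the file.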
......@@ -280,7 +312,7 @@ AC_DEFINE_UNQUOTED(ssldir, "$ssldir")
# Add SSL includes and libraries
CFLAGS="$CFLAGS -I$ssldir/include"
LIBS="$LIBS -L$ssldir/lib -lssl -lcrypto"
LIBS="$LIBS -L$ssldir/lib64 -L$ssldir/lib -lssl -lcrypto"
# Check for obsolete RSAref library
AC_MSG_CHECKING([for obsolete RSAref library])
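Review bot: `-L$ssldir/lib64` now precedes `-L$ssldir/lib`, so on a host that has both directories the lib64 copies of libssl/libcrypto win even though `-I$ssldir/include` may describe the other install; that is the intended effect on 64-bit hosts, but it is worth a sentence in the commit message, since a mismatched header/library pair is a classic source of silent ABI problems.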
......
......@@ -12,7 +12,7 @@ doc_DATA = stunnel.html stunnel.pl.html stunnel.fr.html
SUFFIXES = .pod .8 .html
.pod.8:
pod2man --section=8 --release=4.34 --center=stunnel \
pod2man --section=8 --release=4.35 --center=stunnel \
--date=`date +%Y.%m.%d` -u $< $@
stunnel.html: stunnel.pod
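Review bot: `--date=\`date +%Y.%m.%d\`` stamps the build date into the generated manual page, so the same source does not yield byte-identical output across builds (the .TH line in stunnel.8 below carries that date), and `--release` has to be hand-bumped here and again in Makefile.in. Passing automake's $(VERSION) for --release and a fixed date taken from the ChangeLog would keep the page in step with configure.ac and make it reproducible.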
......
......@@ -462,7 +462,7 @@ uninstall-man: uninstall-man8
.pod.8:
pod2man --section=8 --release=4.34 --center=stunnel \
pod2man --section=8 --release=4.35 --center=stunnel \
--date=`date +%Y.%m.%d` -u $< $@
stunnel.html: stunnel.pod
......
......@@ -62,7 +62,7 @@
.\" ========================================================================
.\"
.IX Title "STUNNEL 8"
.TH STUNNEL 8 "2010.09.15" "4.34" "stunnel"
.TH STUNNEL 8 "2011.02.05" "4.35" "stunnel"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
......@@ -181,7 +181,22 @@ select hardware engine
.Sp
default: software-only cryptography
.Sp
There's an example in '\s-1EXAMPLES\s0' section.
Here is an example of advanced engine configuration to read private key from an
OpenSC engine
.Sp
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.IP "\fBengineCtrl\fR = command[:parameter]" 4
.IX Item "engineCtrl = command[:parameter]"
control hardware engine
......@@ -303,9 +318,12 @@ If no host specified, defaults to all \s-1IP\s0 addresses for the local host.
Certificate Authority directory
.Sp
This is the directory in which \fBstunnel\fR will look for certificates when using
the \fIverify\fR. Note that the certificates in this directory should be named
the \fIverify\fR. Note that the certificates in this directory should be named
\&\s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1DER\s0 encoded subject of the
cert (the first 4 bytes of the \s-1MD5\s0 hash in least significant byte order).
cert.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICApath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCAfile\fR = certfile" 4
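Review bot: dropping the MD5 description is right, since stunnel uses whatever subject hash the linked OpenSSL provides and that changed in 1.0.0, but the new sentence uses c_rehash as a verb; "run c_rehash on the directory after upgrading from OpenSSL 0.9.x to 1.0.x" says what to do. The unchanged sentence "when using the \fIverify\fR" is missing the word "option"; since the paragraph is being edited anyway, this is the moment to fix it.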
......@@ -350,7 +368,10 @@ Certificate Revocation Lists directory
.Sp
This is the directory in which \fBstunnel\fR will look for CRLs when
using the \fIverify\fR. Note that the CRLs in this directory should
be named \s-1XXXXXXXX\s0.0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
be named \s-1XXXXXXXX\s0.r0 where \s-1XXXXXXXX\s0 is the hash value of the \s-1CRL\s0.
.Sp
The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.
.Sp
\&\fICRLpath\fR path is relative to \fIchroot\fR directory if specified.
.IP "\fBCRLfile\fR = certfile" 4
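Review bot: the .r0 suffix is the correction that matters here, because OpenSSL looks CRLs up as <hash>.rN and a directory populated as <hash>.0 per the old text does not work as intended; that is a behavioural documentation fix worth a line in the ChangeLog. Same missing "option" after "the \fIverify\fR" as in the CApath hunk.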
......@@ -506,57 +527,121 @@ time to wait to connect a remote host
.IP "\fBTIMEOUTidle\fR = seconds" 4
.IX Item "TIMEOUTidle = seconds"
time to keep an idle connection
.IP "\fBtransparent\fR = yes | no (Unix only)" 4
.IX Item "transparent = yes | no (Unix only)"
transparent proxy mode
.IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
.IX Item "transparent = none | source | destination | both (Unix only)"
enable transparent proxy support on selected platforms
.Sp
Supported options:
.RS 4
.IP "\fBnone\fR" 4
.IX Item "none"
Disable transparent proxy support. This is the default.
.IP "\fBsource\fR" 4
.IX Item "source"
Re-write address to appear as if wrapped daemon is connecting
from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR.
.Sp
This option is currently available in:
.RS 4
.IP "Remote mode (\fBconnect\fR option) on \fBLinux >=2.6.28\fR" 4
.IX Item "Remote mode (connect option) on Linux >=2.6.28"
This configuration requires stunnel to be executed as root and without
\&\fBsetuid\fR option.
.Sp
.Vb 3
\& remote mode (I<connect> option) on Linux >=2.6.28
\& remote mode (I<connect> option) 2.2.x
\& local mode (I<exec> option)
.Ve
.Sp
\&\fBRemote mode\fR (either 2.2.x and >=2.6.28) requires stunnel to be executed as
root. \fBsetuid\fR option will also break this functionality.
.Sp
\&\fBLinux >=2.6.28\fR requires the following setup for iptables and routing
This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 6
.Vb 7
\& iptables \-t mangle \-N DIVERT
\& iptables \-t mangle \-A PREROUTING \-p tcp \-m socket \-j DIVERT
\& iptables \-t mangle \-A DIVERT \-j MARK \-\-set\-mark 1
\& iptables \-t mangle \-A DIVERT \-j ACCEPT
\& ip rule add fwmark 1 lookup 100
\& ip route add local 0.0.0.0/0 dev lo table 100
\& echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
.Ve
.Sp
\&\fBLinux 2.2.x\fR requires kernel to be compiled with \fItransparent proxy\fR option.
\&\fBstunnel\fR must also to be executed as root and without \fBsetuid\fR option.
.IP "Remote mode (\fBconnect\fR option) on \fBLinux 2.2.x\fR" 4
.IX Item "Remote mode (connect option) on Linux 2.2.x"
This configuration requires kernel to be compiled with \fItransparent proxy\fR option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the stunnel box.
.Sp
\&\fBLocal mode\fR works by LD_PRELOADing env.so shared library.
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
\&\fBstunnel\fR must also to be executed as root and without \fBsetuid\fR option.
.IP "Remote mode (\fBconnect\fR option) on \fBFreeBSD >=8.0\fR" 4
.IX Item "Remote mode (connect option) on FreeBSD >=8.0"
This configuration requires additional firewall and routing setup.
\&\fBstunnel\fR must also to be executed as root and without \fBsetuid\fR option.
.IP "Local mode (\fBexec\fR option)" 4
.IX Item "Local mode (exec option)"
This configuration works by pre-loading \fBlibstunnel.so\fR shared library.
_RLD_LIST environment variable is used on Tru64, and \s-1LD_PRELOAD\s0 variable on
other platforms.
.RE
.RS 4
.RE
.IP "\fBdestination\fR" 4
.IX Item "destination"
Original destination is used instead of \fBconnect\fR option.
.Sp
A service section for transparent destination may look like this:
.Sp
.Vb 4
\& level 1 \- verify peer certificate if present
\& level 2 \- verify peer certificate
\& level 3 \- verify peer with locally installed certificate
\& default \- no verify
\& [transparent]
\& client=yes
\& accept=<stunnel_port>
\& transparent=destination
.Ve
.Sp
This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):
.Sp
.Vb 2
\& /sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT
\& /sbin/iptables \-t nat \-I PREROUTING \-i eth0 \-p tcp \-\-dport <redirected_port> \-j DNAT \-\-to\-destination <local_ip>:<stunnel_port>
.Ve
.Sp
Transparent destination option is currently only supported on Linux.
.IP "\fBboth\fR" 4
.IX Item "both"
Use both \fBsource\fR and \fBdestination\fR transparent proxy.
.RE
.RS 4
.Sp
Two legacy options are also supported for backward compatibility:
.IP "\fByes\fR" 4
.IX Item "yes"
This options has been renamed to \fBsource\fR.
.IP "\fBno\fR" 4
.IX Item "no"
This options has been renamed to \fBnone\fR.
.RE
.RS 4
.RE
.IP "\fBverify\fR = level" 4
.IX Item "verify = level"
verify peer certificate
.RS 4
.IP "\fBlevel 1\fR \- verify peer certificate if present" 4
.IX Item "level 1 - verify peer certificate if present"
.PD 0
.IP "\fBlevel 2\fR \- verify peer certificate" 4
.IX Item "level 2 - verify peer certificate"
.IP "\fBlevel 3\fR \- verify peer with locally installed certificate" 4
.IX Item "level 3 - verify peer with locally installed certificate"
.IP "\fBdefault\fR \- no verify" 4
.IX Item "default - no verify"
.RE
.RS 4
.PD
.Sp
It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
dedicated \s-1CA\s0 should be used with level 2, and not a generic \s-1CA\s0 commonly used
for webservers. Level 3 is preferred for point-to-point connections.
.RE
.SH "RETURN VALUE"
.IX Header "RETURN VALUE"
\&\fBstunnel\fR returns zero on success, non-zero on error.
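Review bot: in the transparent=destination setup, `/sbin/iptables \-I INPUT \-i eth0 \-p tcp \-\-dport <stunnel_port> \-j ACCEPT` inserts an unconditional accept at the head of INPUT, overriding any source restriction an administrator already has on that port; a sentence suggesting a `\-s` restriction, or appending rather than inserting, would keep the example from widening exposure. The `echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter` line added to the source-mode setup is not persistent unless placed in rc.local as the text says or in sysctl.conf (net.ipv4.conf.lo.rp_filter = 0); stating that avoids a setup that silently stops working after a reboot. Text fixes in the same hunk: "must also to be executed" (three occurrences) should read "must also be executed", and "This options has been renamed" (twice) should read "This option has been renamed". Removing the old `.Vb 3` block with leaked `I<connect>` POD markup is correct.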
......@@ -630,23 +715,6 @@ Note there must be no \fI[service_name]\fR section.
\& exec = /usr/sbin/imapd
\& execargs = imapd
.Ve
.PP
Here is an example of advanced engine configuration to read private key from an
OpenSC engine
.PP
.Vb 7
\& engine=dynamic
\& engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
\& engineCtrl=ID:pkcs11
\& engineCtrl=LIST_ADD:1
\& engineCtrl=LOAD
\& engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc\-pkcs11.so
\& engineCtrl=INIT
\&
\& [service]
\& engineNum=1
\& key=id_45
.Ve
.SH "NOTES"
.IX Header "NOTES"
.SS "\s-1RESTRICTIONS\s0"
......@@ -762,12 +830,9 @@ access control facility for internet services
.IP "\fIinetd\fR\|(8)" 4
.IX Item "inetd"
internet 'super\-server'
.IP "\fIhttp://stunnel.mirt.net/\fR" 4
.IX Item "http://stunnel.mirt.net/"
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.stunnel.org/\fR" 4
.IX Item "http://www.stunnel.org/"
\&\fBstunnel\fR Frequently Asked Questions
\&\fBstunnel\fR homepage
.IP "\fIhttp://www.openssl.org/\fR" 4
.IX Item "http://www.openssl.org/"
OpenSSL project website
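Review bot: the "Frequently Asked Questions" entry disappears together with the mirt.net homepage line, leaving http://www.stunnel.org/ described only as the homepage; if the FAQ still exists under the new domain, keep an .IP entry for it so the cross-reference is renamed rather than lost. The French POD hunk below drops its "Foire aux questions" line the same way.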
......
......@@ -606,13 +606,9 @@ Service de contr
«E<nbsp>super-serveurE<nbsp>» internet
=item F<http://stunnel.mirt.net/>
Page de référence de B<stunnel>
=item F<http://www.stunnel.org/>
Foire aux questions B<stunnel>
Page de référence de B<stunnel>
=item F<http://www.openssl.org/>
......
......@@ -206,7 +206,20 @@ generator. (Available only if compiled with OpenSSL 0.9.5a or higher)</p>
<dd>
<p>select hardware engine</p>
<p>default: software-only cryptography</p>
<p>There's an example in 'EXAMPLES' section.</p>
<p>Here is an example of advanced engine configuration to read private key from an
OpenSC engine</p>
<pre>
engine=dynamic
engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
engineCtrl=ID:pkcs11
engineCtrl=LIST_ADD:1
engineCtrl=LOAD
engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
engineCtrl=INIT</pre>
<pre>
[service]
engineNum=1
key=id_45</pre>
</dd>
<dt><strong><a name="enginectrl_command_parameter" class="item"><strong>engineCtrl</strong> = command[:parameter]</a></strong></dt>
......@@ -340,9 +353,11 @@ below.</p>
<dd>
<p>Certificate Authority directory</p>
<p>This is the directory in which <strong>stunnel</strong> will look for certificates when using
the <em>verify</em>. Note that the certificates in this directory should be named
the <em>verify</em>. Note that the certificates in this directory should be named
XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the
cert (the first 4 bytes of the MD5 hash in least significant byte order).</p>
cert.</p>
<p>The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.</p>
<p><em>CApath</em> path is relative to <em>chroot</em> directory if specified.</p>
</dd>
<dt><strong><a name="cafile_certfile" class="item"><strong>CAfile</strong> = certfile</a></strong></dt>
......@@ -390,7 +405,9 @@ round-robin algorithm.</p>
<p>Certificate Revocation Lists directory</p>
<p>This is the directory in which <strong>stunnel</strong> will look for CRLs when
using the <em>verify</em>. Note that the CRLs in this directory should
be named XXXXXXXX.0 where XXXXXXXX is the hash value of the CRL.</p>
be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.</p>
<p>The hash algorithm has been changed in OpenSSL 1.0.0. It is required to
c_rehash the directory on upgrade from OpenSSL 0.x.x to OpenSSL 1.x.x.</p>
<p><em>CRLpath</em> path is relative to <em>chroot</em> directory if specified.</p>
</dd>
<dt><strong><a name="crlfile_certfile" class="item"><strong>CRLfile</strong> = certfile</a></strong></dt>
......@@ -576,20 +593,30 @@ connections via HTTP proxy.</p>
<dd>
<p>time to keep an idle connection</p>
</dd>
<dt><strong><strong>transparent</strong> = yes | no (Unix only)</strong></dt>
<dt><strong><a name="both" class="item"><strong>transparent</strong> = none | source | destination | both (Unix only)</a></strong></dt>
<dd>
<p>enable transparent proxy support on selected platforms</p>
<p>Supported options:</p>
<dl>
<dt><strong><a name="none" class="item"><strong>none</strong></a></strong></dt>
<dd>
<p>Disable transparent proxy support. This is the default.</p>
</dd>
<dt><strong><a name="source" class="item"><strong>source</strong></a></strong></dt>
<dd>
<p>transparent proxy mode</p>
<p>Re-write address to appear as if wrapped daemon is connecting
from the SSL client machine instead of the machine running <strong>stunnel</strong>.</p>
<p>This option is currently available in:</p>
<pre>
remote mode (I&lt;connect&gt; option) on Linux &gt;=2.6.28
remote mode (I&lt;connect&gt; option) 2.2.x
local mode (I&lt;exec&gt; option)</pre>
<p><strong>Remote mode</strong> (either 2.2.x and &gt;=2.6.28) requires stunnel to be executed as
root. <strong>setuid</strong> option will also break this functionality.</p>
<p><strong>Linux &gt;=2.6.28</strong> requires the following setup for iptables and routing
<dl>
<dt><strong><a name="mode" class="item">Remote mode (<strong>connect</strong> option) on <strong>Linux &gt;=2.6.28</strong></a></strong></dt>
<dd>
<p>This configuration requires stunnel to be executed as root and without
<strong>setuid</strong> option.</p>
<p>This configuration requires the following setup for iptables and routing
(possibly in /etc/rc.local or equivalent file):</p>
<pre>
iptables -t mangle -N DIVERT
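Review bot: the generated anchor for the transparent option is `<a name="both" ...>` (pod2html takes it from the last word of the item) and the Linux >=2.6.28 item gets `name="mode"`, so links to #both land on the option header rather than on the `both` value; this is a pod2html artefact and the fix belongs in stunnel.pod (collapsed on this page), for example by shortening the =item heading, not in this generated file.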
......@@ -597,21 +624,84 @@ root. <strong>setuid</strong> option will also break this functionality.</p>
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100</pre>
<p><strong>Linux 2.2.x</strong> requires kernel to be compiled with <em>transparent proxy</em> option.
ip route add local 0.0.0.0/0 dev lo table 100
echo 0 &gt;/proc/sys/net/ipv4/conf/lo/rp_filter</pre>
<p><strong>stunnel</strong> must also to be executed as root and without <strong>setuid</strong> option.</p>
</dd>
<dt><strong>Remote mode (<strong>connect</strong> option) on <strong>Linux 2.2.x</strong></strong></dt>
<dd>
<p>This configuration requires kernel to be compiled with <em>transparent proxy</em> option.
Connected service must be installed on a separate host.
Routing towards the clients has to go through the stunnel box.</p>
<p><strong>Local mode</strong> works by LD_PRELOADing env.so shared library.</p>
<p><strong>stunnel</strong> must also to be executed as root and without <strong>setuid</strong> option.</p>
</dd>
<dt><strong>Remote mode (<strong>connect</strong> option) on <strong>FreeBSD &gt;=8.0</strong></strong></dt>
<dd>
<p>This configuration requires additional firewall and routing setup.
<strong>stunnel</strong> must also to be executed as root and without <strong>setuid</strong> option.</p>
</dd>
<dt><strong>Local mode (<strong>exec</strong> option)</strong></dt>
<dd>
<p>This configuration works by pre-loading <strong>libstunnel.so</strong> shared library.
_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
other platforms.</p>
</dd>
</dl>
</dd>
<dt><strong><a name="destination" class="item"><strong>destination</strong></a></strong></dt>
<dd>
<p>Original destination is used instead of <strong>connect</strong> option.</p>
<p>A service section for transparent destination may look like this:</p>
<pre>
[transparent]
client=yes
accept=&lt;stunnel_port&gt;
transparent=destination</pre>
<p>This configuration requires the following setup for iptables
(possibly in /etc/rc.local or equivalent file):</p>
<pre>
/sbin/iptables -I INPUT -i eth0 -p tcp --dport &lt;stunnel_port&gt; -j ACCEPT
/sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport &lt;redirected_port&gt; -j DNAT --to-destination &lt;local_ip&gt;:&lt;stunnel_port&gt;</pre>
<p>Transparent destination option is currently only supported on Linux.</p>
</dd>
<dt><strong><strong>both</strong></strong></dt>
<dd>
<p>Use both <strong>source</strong> and <strong>destination</strong> transparent proxy.</p>
</dd>
</dl>
<p>Two legacy options are also supported for backward compatibility:</p>
<dl>
<dt><strong><a name="yes" class="item"><strong>yes</strong></a></strong></dt>
<dd>
<p>This options has been renamed to <strong>source</strong>.</p>
</dd>
<dt><strong><strong>no</strong></strong></dt>
<dd>
<p>This options has been renamed to <strong>none</strong>.</p>
</dd>
</dl>
</dd>
<dt><strong><a name="verify_level" class="item"><strong>verify</strong> = level</a></strong></dt>
<dd>
<p>verify peer certificate</p>
<pre>
level 1 - verify peer certificate if present
level 2 - verify peer certificate
level 3 - verify peer with locally installed certificate
default - no verify</pre>
<dl>
<dt><strong><a name="level_1_verify_peer_certificate_if_present" class="item"><strong>level 1</strong> - verify peer certificate if present</a></strong></dt>
<dt><strong><a name="level_2_verify_peer_certificate" class="item"><strong>level 2</strong> - verify peer certificate</a></strong></dt>
<dt><strong><a name="level_3_verify_peer_with_locally_installed_certificate" class="item"><strong>level 3</strong> - verify peer with locally installed certificate</a></strong></dt>
<dt><strong><a name="default_no_verify" class="item"><strong>default</strong> - no verify</a></strong></dt>
</dl>
<p>It is important to understand, that this option was solely designed for access
control and not for authorization. Specifically for level 2 every non-revoked
certificate is accepted regardless of its Common Name. For this reason a
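Review bot: the `both` and `no` items are emitted as `<dt><strong><strong>both</strong></strong></dt>` and `<dt><strong><strong>no</strong></strong></dt>` with no `<a name=...>`, while `none`, `source`, `destination` and `yes` get anchors, most likely because pod2html declines to emit a duplicate anchor name ("both" is already taken by the option header in the previous hunk). The two typos from the man page ("must also to be executed", "This options has been renamed") are reproduced here, which confirms they originate in stunnel.pod and should be fixed there.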
......@@ -698,20 +788,6 @@ Note there must be no <em>[service_name]</em> section.</p>
<pre>
exec = /usr/sbin/imapd
execargs = imapd</pre>
<p>Here is an example of advanced engine configuration to read private key from an
OpenSC engine</p>
<pre>
engine=dynamic
engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
engineCtrl=ID:pkcs11
engineCtrl=LIST_ADD:1
engineCtrl=LOAD
engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so