This page is deprecated

This FAQ for stunnel is no longer being updated. Please go to the FAQ section on www.stunnel.org instead.






About Stunnel

This section should answer general questions about stunnel and what it does and doesn't do.


What is stunnel?

Quoted directly from the README:

The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. The concept is that having non-SSL aware daemons running on your system you can easily setup them to communicate with clients over secure SSL channel.

stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.


What encryption algorithms does stunnel use?

Stunnel will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, so stunnel supports whatever cryptographic algorithms you compiled into your crypto package.


What forms of authentication does stunnel support?

Stunnel supports standard SSL encryption with three levels of Authentication:

See the information in chapter 4 for more information about these levels.


What does stunnel protect against?


What doesn't stunnel protect against?

Stunnel will not help you with anything that compromises your host's security in some other way. Once an attacker has gained root access to a machine, he can then subvert stunnel, too.


Who maintains stunnel?

Stunnel was created by, and is maintained by, Michal Trojnara.

Various ports and their maintainers are listed in the table below.
System         Maintainer
FreeBSD        Martti Kuparinen <martti.kuparinen@ericsson.com>
Debian Linux   Paolo Molaro <lupus@debian.org>
RedHat Linux   Damien Miller <dmiller@ilogic.com.au>
               http://www.mindrot.org/misc


Can I run stunnel legally?

Most likely. It depends on your country's laws for cryptography and on how stunnel was compiled (i.e., which ciphers were used in the SSLeay or OpenSSL libraries used for compilation). Check out the information on licensing, cryptography laws, and patents on cryptographic algorithms below.


Licensing

The source code for stunnel is distributed under the GNU General Public License, which means it is public domain software. You are free to use and change the code as you wish, with only a few restrictions (related mostly to keeping the software free).

Since stunnel requires either OpenSSL or SSLeay, you are additionally restricted to the (equally liberal) license of whichever package you choose.

The Windows stunnel binary is distributed under the SSLeay license.


Cryptography laws

In some countries, particularly France, Russia, Iraq, and Pakistan, it may be illegal to use any encryption at all without a special permit.

If you are in the United States, you should be aware that, while stunnel was written outside the United States using information publicly available everywhere, the US Government may consider it a criminal offence to export this software from the US once it has been imported, including putting it on an FTP site. Contact the Office of Defense Trade Controls if you need more information.

There's a really good link that keeps up to date with the Wassenaar Agreement and the cryptography laws throughout the world. Check out Bert-Jaap Koops' Crypto Law Survey.


Patents on Cryptographic algorithms

The algorithms RSA and IDEA, which are used by stunnel, are claimed as patented in different countries, including the US. Linking against the RSAREF library, which is possible, may or may not make it legal to use stunnel for non-commercial purposes in the US. You may need to obtain licenses for commercial use of IDEA; stunnel can be configured without IDEA and works perfectly fine without it.

For information on software patents in general, see the League for Programming Freedom's homepage at http://lpf.ai.mit.edu/.


What operating systems does stunnel run on?

Stunnel has been successfully compiled and well tested on the following platforms: Essentially, stunnel should build on any unix machine that has

