Stunnel.org  
   
Stunnel does not contain any cryptographic code itself; instead it relies on external SSL libraries. It works with both OpenSSL and its precursor, SSLeay.

Both of these packages are capable of strong (128 bit) cryptography, and Stunnel will negotiate the strongest SSL connection that both client and server support. Since all the crypto code lives in the SSL library, the way you compiled that library dictates which algorithms are available. Thus, for example, if you disable patented algorithms when building your SSL library, Stunnel will not use them.

In some countries various algorithms may be patented (for example, RSA used to be patented in the United States, while IDEA is still patented in much of the world), so simply removing them from your SSL library is sufficient to make them unavailable to Stunnel.

Since RSA is no longer patented, under no circumstances should you even consider compiling Stunnel or your SSL library with RSAref. It is no longer needed, and RSAref has not been supported by RSA for years.

Stunnel can work by either:

  • Receiving unencrypted data and sending it to an SSL server
  • Receiving encrypted data and
    • Sending the decrypted data to an arbitrary port on that or another machine
    • Launching a local program (as does inetd) to talk to the remote machine over the encrypted channel.

On Unix machines, Stunnel can be run from inetd, much like telnetd or ftpd, or it can be run as a standalone daemon, which is generally the preferred method. On NT it can only be run from a command prompt (a DOS window), not as a true NT service; the FAQ lists several 'hacks' that let you do this anyway.

Stunnel has support for:

  • Being an SSL client
  • Being an SSL server
  • Server and client side certificate verification
  • TCP wrapper support
  • IDENT lookups
  • SMTP protocol negotiation
  • Source address rewriting (transparency) (where supported by the OS)
  • Restricting allowed SSL ciphers
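
As an added example (not part of the original page or of the stunnel distribution), the configuration below shows each of the modes and features listed above in one file: SSL server mode forwarding to a local port, SSL server mode launching a program inetd-style, SSL client mode, certificate verification on both sides, SMTP protocol negotiation, cipher restriction and TCP wrapper support. It assumes the `stunnel.conf` syntax introduced with stunnel 4 rather than the command-line options of the version described on this page; all host names, ports and file paths are placeholders.

```ini
; Added example (not from the original page or the stunnel distribution).
; Assumes the stunnel.conf syntax of stunnel 4 and later; the version
; described on this page used command-line options instead.
; Hosts, ports and file paths are placeholders.

; ---- Global options ----
; Certificate and private key used when acting as an SSL server (PEM format).
cert = /etc/stunnel/stunnel.pem
; Restrict the allowed SSL ciphers (OpenSSL cipher-list syntax):
; strong suites only, no anonymous and no null-encryption suites.
ciphers = HIGH:!aNULL:!eNULL
; Consult /etc/hosts.allow and /etc/hosts.deny via TCP wrappers (libwrap).
libwrap = yes

; ---- SSL server: decrypt and forward to a port on this machine ----
[https]
accept  = 443
connect = 127.0.0.1:80

; ---- SSL server: decrypt and launch a local program, inetd style ----
[pop3s]
accept   = 995
exec     = /usr/sbin/ipop3d
execargs = ipop3d

; ---- SSL server that requires a client certificate ----
; verify = 2 means the peer must present a certificate that chains to a
; CA in CAfile; connections without a valid certificate are rejected.
[admin]
accept  = 8443
connect = 127.0.0.1:8080
verify  = 2
CAfile  = /etc/stunnel/client-cas.pem

; ---- SSL client: accept plaintext locally, send it to a remote SSL server ----
; The server's certificate is checked against the trusted CAs in CAfile.
[imaps-client]
client  = yes
accept  = 127.0.0.1:1143
connect = imap.example.com:993
verify  = 2
CAfile  = /etc/stunnel/trusted-cas.pem

; ---- SSL client with SMTP protocol negotiation (STARTTLS) ----
; Stunnel speaks plain SMTP to the server first and upgrades the
; connection with STARTTLS before passing traffic through.
[smtp-client]
client   = yes
accept   = 127.0.0.1:2525
connect  = mail.example.com:25
protocol = smtp
```

Start it with `stunnel /etc/stunnel/stunnel.conf` (or whatever path you used). The point worth checking in your own file is `verify`: a client-mode service without `verify = 2` and a `CAfile` accepts any server certificate, so it still protects the data against passive interception but not against a man-in-the-middle presenting his own certificate. Likewise `verify = 2` without a `CAfile` or `CApath` cannot succeed, so set both together.
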
Stunnel can help:
  • Protect data against interception
  • Prevent manipulation of data
  • And, if compiled with libwrap support:
    • Defend against IP source routing (one host sending packets as if they came from somewhere else)
    • Defend against DNS spoofing (an attacker forging name server records)
The Stunnel software package does not contain any cryptography itself. Please remember, however, that import and/or export of cryptographic software, of code providing hooks to cryptographic algorithms, and even discussion of cryptography is illegal in some countries. It is imperative that you know your local laws governing cryptography. We are not liable for anything you do that violates your local laws.