Stunnel: widely used SSL encryption package (1)

Stunnel is used to encapsulate the SSL encryption between the remote client and the local machine that can start inetd: inetd-startable) or between the remote server. It can add SSL functions to POP2, POP3, and IMAP servers using inetd daemon without modifying any code. It establishes an SSL connection by using the OpenSSL or SSLeay library.

Download link: http://down.51cto.com/data/157863

> Go to the treasure chest of network security tools and check out other security tools.

One way is to seamlessly Add the encryption function to a network connection without messing up the base address of your original code segment. Stunnel is a program that can use the OpenSSL library to encrypt any TCP session. It runs outside the program as a server. The Stunnel server implements two main functions: first, it receives unencrypted data streams, performs SSL encryption, and then sends data streams over the network. Second, it decrypts the data streams encrypted by SSL, and send it to another program through the network. This program usually resides on the same machine to avoid Snoop attacks on the local network ).

In this way, when necessary, you can easily run unencrypted programs. When you want to "sniff" the network to see if something is going through the network, this is useful.

Even if you are a system administrator rather than a developer, Stunnel is a powerful weapon for you because it can add SSL to server software that does not enable SSL. For example, I have used Stunnel to protect POP, SMTP, and IMAP servers. The only thing that is unsatisfactory is to use the secure version of these servers. The client must be able to recognize SSL.

Stunnel requires that OpenSSL has been installed. It has been transplanted to Windows and most UNIX platforms.

Once Stunnel is installed, it is easy to use it to protect the server. For example, you can bind a regular service to a local host to enable SSL for the IMAP server, and then run Stunnel at the external IP address, assuming that the IMAP server is already running and the external address is 192.168.100.1:

 
 

  
  
stunnel -d 192.168.100.1:imap2 -r 127.0.0.1:imap2 
 
 

-D indicates the port we want to use to run our own security service. The imap2 string specifies to use the Standard IMAP port; we can also set it to 143. Stunnel checks the "/etc/services" file to map the symbol name to the port number. Not all machines own this file. Some machines do not list all standard services. Therefore, it is easier to use numbers than to use service names.

-R indicates the port on which the unencrypted IMAP server runs.

This solution requires that your IMAP Server only listen on the loopback interface. If the IMAP server is bound to the IP address "0.0.0.0", It listens to information on each IP address on the machine, including 192.168.100.1. This will cause an error message, it indicates that our security service port is in use. Most services can be configured to be bound to only one interface. Otherwise, you may need to change a line of code.

In addition, you can set an unencrypted server on a non-standard port. For example, you can run IMAP on port 1143 and then forward the secure IMAP Data stream to the port. Generally, you do not want users on other machines to access your unencrypted services. The Personal Firewall on the machine running the service can enhance this policy.

One problem with using Stunnel to protect services such as IMAP is that the server only receives connections from the Stunnel server we provide. Therefore, all connections seem to come from local machines. In Linux, the-T flag can be passed to avoid this problem. Passing the-T flag can make the Stunnel server transparently proxy information packets, in this way, the real server can obtain the correct source address in all received information packets.