Category: Sniffing & Spoofing
Tags: ssl, tls, tunnel, proxy, encryption, inetd

stunnel4

Universal TLS encryption wrapper for network daemons. Adds TLS functionality to non-TLS aware services without code changes.

Description

The stunnel program works as a TLS encryption wrapper between remote clients and local (inetd-startable) or remote servers. It enables non-TLS aware daemons like POP-2, POP-3, IMAP, NNTP, SMTP, and HTTP to communicate securely over TLS channels. This is particularly useful for legacy services that lack native TLS support.

stunnel supports both client and server modes, acting as a TLS offloading and load-balancing proxy. It can tunnel protocols like PPP over network sockets and handle multiple connect targets with failover strategies. Configuration uses a file-based format with global and service-level options for fine-grained control.

Common use cases include securing mail servers, adding TLS to database connections, creating VPN tunnels via SOCKS, and proxying HTTP CONNECT requests. The tool includes compatibility wrappers and supports advanced features like OCSP validation, hardware engines, and protocol-specific negotiations.

How It Works

stunnel reads a configuration file that defines services in sections marked by [service_name]. Each service specifies accept addresses on which incoming TLS connections are received and connect targets to which the decrypted traffic is forwarded. Global options control the chroot jail, logging, randomness seeding, and OpenSSL engines. Service options handle certificates (cert/key), peer verification (CAfile/CApath, checkHost), ciphers, curves, and application protocols such as SMTP STARTTLS or HTTP CONNECT. Listing multiple connect targets enables load balancing and failover (rr or prio strategies). In inetd mode stunnel executes a local program via exec, passing environment variables such as SSL_CLIENT_DN. TLS negotiation occurs before protocol-specific handshakes when the protocol option is set.
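As an added example, not taken from this page or from the stunnel project, the following stunnel.conf exercises the options described above: global privilege-dropping and logging, a server-mode section that terminates TLS in front of a plaintext IMAP daemon, a client-mode section that wraps an outbound SMTP connection with STARTTLS and verifies the peer, and a section with two backends and round-robin failover. Directive names follow the stunnel 5.x manual; the hostname mail.example.net, the backend addresses and every file path are placeholders to be replaced for a real deployment.

```ini
; Added example stunnel.conf (not from the page or the stunnel project).
; Hostnames, addresses and file paths below are placeholders.

; --- Global options: drop privileges after startup and log to syslog ---
setuid = stunnel4
setgid = stunnel4
chroot = /var/lib/stunnel4/
; pid path is relative to the chroot directory
pid = /stunnel4.pid
; syslog level 5 (notice); raise to 7 while troubleshooting a handshake
debug = 5
; service-level defaults set here apply to every section below
sslVersionMin = TLSv1.2

; --- Server mode: accept TLS on 993, hand plaintext to the local IMAP daemon ---
[imaps]
accept  = 993
connect = 127.0.0.1:143
; certificate chain and private key (key readable only by root; stunnel loads
; it before setuid takes effect)
cert = /etc/stunnel/imap-server.pem
key  = /etc/stunnel/imap-server.key
; Uncomment to require client certificates issued by your own CA (mutual TLS)
;verifyChain = yes
;CAfile = /etc/stunnel/client-ca.pem

; --- Client mode: local plaintext on 2525, STARTTLS to a remote SMTP relay ---
[smtp-relay]
client  = yes
accept  = 127.0.0.1:2525
connect = mail.example.net:25
; stunnel performs the EHLO/STARTTLS exchange in the clear, then negotiates TLS
protocol = smtp
; validate the server's chain against CAfile and pin the expected hostname;
; without these two lines any certificate the peer presents is accepted
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = mail.example.net

; --- Two backends behind one listener, round-robin distribution ---
[https-backends]
accept  = 8443
connect = 10.0.0.11:8080
connect = 10.0.0.12:8080
; rr = alternate between targets; prio = always try the first listed target first
failover = rr
cert = /etc/stunnel/web-server.pem
key  = /etc/stunnel/web-server.key
```

Start it with `stunnel /etc/stunnel/stunnel.conf` and watch syslog at the configured debug level. The point worth checking on any client-mode section is the pair verifyChain and checkHost: stunnel in client mode does not verify the remote certificate unless a verify option is set, so a section that only has `client = yes` and `connect = host:port` encrypts the link but does not authenticate the other end.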

Installation

sudo apt install stunnel4

Flags

FILE                                     Use the specified configuration file
-fd N (Unix only)                        Read the config file from the specified file descriptor
-help                                    Print the stunnel help menu
-version                                 Print the stunnel version and compile-time defaults
-sockets                                 Print the default socket options
-options                                 Print the supported TLS options
-install (Windows NT and later only)     Install the NT service
-uninstall (Windows NT and later only)   Uninstall the NT service

Examples

Start stunnel with the specified configuration file:
    stunnel [FILE]

Read the config from file descriptor N (Unix only):
    stunnel -fd N

Display the stunnel help menu:
    stunnel -help

Show the stunnel version and compile-time defaults:
    stunnel -version

Print the default socket options:
    stunnel -sockets

List the supported TLS options:
    stunnel -options

Access the stunnel manual page for full documentation:
    man stunnel

Install the stunnel4 package on Kali Linux:
    sudo apt install stunnel4
Updated 2026-04-16. Source: kali.org