stunnel4
Universal TLS encryption wrapper for network daemons. Adds TLS functionality to non-TLS aware services without code changes.
Description
The stunnel program works as a TLS encryption wrapper between remote clients and local (inetd-startable) or remote servers. It enables non-TLS aware daemons like POP-2, POP-3, IMAP, NNTP, SMTP, and HTTP to communicate securely over TLS channels. This is particularly useful for legacy services that lack native TLS support.
stunnel supports both client and server modes, acting as a TLS offloading and load-balancing proxy. It can tunnel protocols like PPP over network sockets and handle multiple connect targets with failover strategies. Configuration uses a file-based format with global and service-level options for fine-grained control.
Common use cases include securing mail servers, adding TLS to database connections, creating VPN tunnels via SOCKS, and proxying HTTP CONNECT requests. The tool includes compatibility wrappers and supports advanced features like OCSP validation, hardware engines, and protocol-specific negotiations.
How It Works
stunnel reads a configuration file that defines services in sections marked by [service_name]. Each service specifies accept addresses for incoming TLS connections and connect targets to which the decrypted traffic is forwarded. Global options control chroot jails, logging, randomness seeding, and OpenSSL engines. Service options handle certificates (cert/key), peer verification (CAfile/CApath, checkHost), ciphers, curves, and protocols such as SMTP STARTTLS or HTTP CONNECT. Multiple connect targets enable load balancing (rr/prio failover). inetd mode executes local programs via exec, passing environment variables such as SSL_CLIENT_DN. TLS negotiation occurs before protocol-specific handshakes when the protocol option is set.
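The following configuration file is an added example, not taken from the page or from the stunnel project, showing the global and service-level structure just described. The hostnames, ports, certificate paths, user name and log paths are constructed placeholders; the verifyChain, checkHost and sslVersionMin options are assumed to be available (they exist in stunnel 5.x).

```ini
; ---- Global options (apply to the whole process) ----
setuid = stunnel4                 ; assumed unprivileged account created by the package
setgid = stunnel4
chroot = /var/lib/stunnel4/       ; constructed jail directory
pid = /stunnel4.pid               ; pid path is interpreted inside the chroot
output = /var/log/stunnel4/stunnel.log
debug = notice

; Service-level options placed before the first section become defaults
sslVersionMin = TLSv1.2           ; refuse legacy TLS/SSL versions for every service
options = NO_COMPRESSION

; ---- Server mode: wrap a plaintext IMAP daemon on loopback as IMAPS ----
[imaps]
accept = 993                      ; TLS clients connect here
connect = 127.0.0.1:143           ; decrypted traffic goes to the local non-TLS daemon
cert = /etc/stunnel/imap.pem      ; constructed certificate path
key = /etc/stunnel/imap.key       ; constructed private key path

; ---- Client mode: give a legacy mail client a TLS path to two relays ----
[smtp-relay]
client = yes
accept = 127.0.0.1:2525           ; local plaintext listener for the legacy client
connect = relay1.example.net:465  ; first choice
connect = relay2.example.net:465  ; used only if relay1 is down (prio failover)
failover = prio
; Peer verification: validate the chain against the system CA bundle
; and require the certificate to match one of the expected names.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt   ; assumed CA bundle location
checkHost = relay1.example.net
checkHost = relay2.example.net
```

Without verifyChain and checkHost, the client-mode service would accept any certificate, so a tunnel with only accept/connect encrypts traffic but does not authenticate the remote relay.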
Installation
sudo apt install stunnel4
Flags
Examples
stunnel [FILE]
stunnel -help
stunnel -version
stunnel -sockets
stunnel -options
man stunnel
sudo apt install stunnel4