cryptography standards that they require. The openssl command can be used by an administrative user for
the following:
• Creation of RSA, DH, and DSA parameters.
• Generation of 1024-bit RSA keys.
• Creation of X.509 certificates, CSRs, and CRLs.
• Calculation of message digests.
• Encryption and Decryption with ciphers.
• SSL and TLS client and server tests.
• Handling of S/MIME signed or encrypted mail.
For detailed information about the openssl command and its usage, see:
http://www.openssl.org/docs/apps/openssl.html.
5.12.4.5 stunnel
stunnel is designed to work as an SSL encryption wrapper between remote clients and local or remote
servers. stunnel can be used to add SSL functionality to commonly used daemons such as POP and IMAP
servers, to standalone daemons like SMTP and HTTP, and in tunneling PPP over network sockets without
changes to the source code.
The most common use of stunnel is to listen on a network port and establish communications with either a
new port via the connect option, or a new program via the exec option. There is also an option that allows a
program to accept incoming connections and then launch stunnel.
Each SSL-enabled daemon needs to present a valid X.509 certificate to the peer. The SSL-enabled daemon
also needs a private key to decrypt incoming data. stunnel is built on top of SSL, so on the TOE the
private key and the certificate can be generated by OpenSSL utilities. These private keys are stored in the
/etc/stunnel/stunnel.pem file.
stunnel uses the openssl library, and therefore can use the cipher suites implemented by that library. They
are:
• SSL_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
stunnel is configured by the /etc/stunnel/stunnel.conf file. The file is a simple ASCII file
that can be edited by the administrative user to secure SSL-unaware servers. Each service to be secured is
named in a square bracket, followed by “option_name = option_value” pairs for that service. Global
parameters such as location of the private key file are listed at the beginning of the file. An example follows:
# Global parameters
cert = /etc/stunnel/stunnel.pem
pid = /tmp/stunnel.pid
setuid = nobody
setgid = nogroup
195