[stunnel-users] Access control/TCP wrappers

Craig Watkinson craig_watkinson at hotmail.com
Fri Feb 19 17:54:09 CET 2010


We're using stunnel to provide a secure interface to an old server that doesn't support HTTPS natively. I'd like to implement some access control so that connections are only supported from specific IP addresses. I am using v4.27 of stunnel that I downloaded from HPs website, and am running it from inittab to ensure it is always running. Unfortunately I don't think it's compiled with libwrap. Should I see libwrap listed when I run ldd against the binary (see below for output)?

I think it's possible to run stunnel from inetd. Could I wrapper it here? Is the following entry correct?  
    stunnel  stream tcp nowait root /usr/lbin/tcpd /opt/iexpress/stunnel/bin/stunnel stunnel

I think this would work, but I'm concerned that if stunnel was to crash or be killed that there would be nothing restarting it if we ran it from inetd.

Any advice much appreciated


# ./stunnel -version
stunnel 4.27 on ia64-hp-hpux11.23 with OpenSSL 0.9.7m 23 Feb 2007

Global options
debug           = 5
pid             = /opt/iexpress/stunnel/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /opt/iexpress/stunnel/etc/stunnel/stunnel.pem
ciphers         = ALL:!aNULL:!eNULL+RC4:@STRENGTH
key             = /opt/iexpress/stunnel/etc/stunnel/stunnel.pem
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

# ldd ./stunnel
        libdl.so.1 =>   /usr/lib/hpux32/libdl.so.1
        libnsl.so.1 =>  /usr/lib/hpux32/libnsl.so.1
        libpthread.so.1 =>      /usr/lib/hpux32/libpthread.so.1
        libunwind.so.1 =>       /usr/lib/hpux32/libunwind.so.1
        libc.so.1 =>    /usr/lib/hpux32/libc.so.1
        libxti.so.1 =>  /usr/lib/hpux32/libxti.so.1
        libuca.so.1 =>  /usr/lib/hpux32/libuca.so.1
        libdl.so.1 =>   /usr/lib/hpux32/libdl.so.1

Do you have a story that started on Hotmail? Tell us now
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20100219/d01e3a09/attachment.html>

More information about the stunnel-users mailing list