
Thread: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

  1. #21
    Join Date
    Jun 2006
    Beans
    27

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Thank you for the How to, very helpful. Question: Does stunnel4 provide me anonymity like Tor when I access a news server? If not, can it be configured to go through proxy servers?

  2. #22
    Join Date
    Oct 2007
    Location
    United States
    Beans
    79
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Originally posted by norcal:
    Thank you for the How to, very helpful. Question: Does stunnel4 provide me anonymity like Tor when I access a news server? If not, can it be configured to go through proxy servers?
    It doesn't make you anonymous, but it makes it very, very difficult for anyone to see your traffic, or rather to make out what it is. They can still intercept it, and tell it's yours, but they won't really be able to do anything with it.
    The Windows/Linux/OS X holy wars are pointless. Use what you like. It's just an operating system on a computer. Seriously.

  3. #23
    Join Date
    Oct 2007
    Location
    United States
    Beans
    79
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Edited because it was probably wrong.
    Last edited by mikezila; May 5th, 2009 at 09:58 PM. Reason: Idiocy.
    The Windows/Linux/OS X holy wars are pointless. Use what you like. It's just an operating system on a computer. Seriously.

  4. #24
    Join Date
    Oct 2007
    Location
    United States
    Beans
    79
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Having some trouble. Everything is set up correctly (or it seems to be), it's just that Wireshark is still seeing a bunch of plain TCP packets, with no "SSL Continuation Data" at all, leading me to believe that it just isn't working. Here are some details.

    I'm using giganews, and I have SSL enabled on my account. Diamond plan baby!

    I'm using Pan, and Pan is connecting to localhost at port 119

    stunnel is configured exactly as in OP's post, save for my nntp section, which is:
    Code:
    [nntp]
    accept = localhost:119
    connect = news.giganews.com:563
    stunnel is also ENABLED=1, so I know that's not it.

    Pan connects and works correctly, but when I fire up Wireshark to monitor my tubes, they're clogged with normal TCP traffic! What gives! I need my tinfoil headgear!
    Last edited by mikezila; May 5th, 2009 at 10:06 PM.
    The Windows/Linux/OS X holy wars are pointless. Use what you like. It's just an operating system on a computer. Seriously.
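
An added example, not part of the posts above: in client mode stunnel leaves the local leg (Pan to localhost) in plaintext and wraps only the leg to the remote port in TLS, so what a capture shows depends on which leg it is looking at. The sketch below classifies a captured TCP payload as TLS records or plaintext NNTP; the sample bytes are constructed and the function names are illustrative.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
NNTP_COMMANDS = {b"AUTHINFO", b"CAPABILITIES", b"MODE", b"GROUP", b"ARTICLE", b"QUIT"}

def tls_records(payload: bytes) -> list:
    """Walk TLS record headers (type, version, length); [] if the framing is not TLS."""
    names, off = [], 0
    while off + 5 <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, off)
        # A record needs a known content type, a 3.x version and a sane length.
        if ctype not in TLS_TYPES or major != 3 or minor > 4 or length > 2**14 + 2048:
            return []
        names.append(TLS_TYPES[ctype])
        off += 5 + length
    return names

def classify(payload: bytes) -> str:
    """Label a TCP payload as TLS, plaintext NNTP, or unknown."""
    records = tls_records(payload)
    if records:
        return "tls:" + ",".join(records)
    # NNTP responses start with a three-digit status code and a space.
    if payload[:3].isdigit() and payload[3:4] == b" ":
        return "nntp-plaintext"
    # NNTP commands start with a keyword such as MODE or AUTHINFO.
    if payload.split(b" ", 1)[0].strip().upper() in NNTP_COMMANDS:
        return "nntp-plaintext"
    return "unknown"

# Constructed samples (not captured from any real server).
GREETING = b"200 news.example.invalid ready\r\n"
COMMAND = b"MODE READER\r\n"
TLS_STREAM = (b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"   # handshake record, 5-byte body
              + b"\x17\x03\x03\x00\x03" + b"\xaa\xbb\xcc")        # application_data record

if __name__ == "__main__":
    for sample in (GREETING, COMMAND, TLS_STREAM):
        print(classify(sample))
```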

  5. #25
    Join Date
    Dec 2008
    Beans
    234
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Guys,

    Thanks to the OP for this helpful post. I got stunnel going with Astraweb. Had to use:

    secure.news.astraweb.com:563

    For some reason ssl.astranews.com:563 didn't work.

    Anyhow, since stunnel requires sudo to start, is there a way to automatically start it at boot? I thought programs that required sudo could not be started without password. I'm new to Linux, so that might be a very simple thing..

    Thanks.

  6. #26
    Join Date
    Nov 2008
    Beans
    3

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Originally posted by killabee44:
    Guys,

    Anyhow, since stunnel requires sudo to start, is there a way to automatically start it at boot? I thought programs that required sudo could not be started without password. I'm new to Linux, so that might be a very simple thing..

    Thanks.
    You can do this
    Code:
    export EDITOR=gedit && sudo visudo
    Add the following line at the end of the /etc/sudoers file (use down arrow to move cursor down to bottom)
    Code:
    johndoe ALL= NOPASSWD: /etc/init.d/stunnel4 restart
    Replace "johndoe" by the name of the user or the group which can use sudo and do the modification.
    Finally you need to add stunnel to the startup programs list from [System] [Preferences] [Startup Applications] [Add]
    Name: stunnel4
    Command: bash -c "sleep 45; sudo /etc/init.d/stunnel4 restart --start-hidden"
    Comment: whatever

    Note the 45 seconds is the pause before the stunnel starts. You may want to adjust this pause or not have one at all. I don't jump right into using pan after boot so I set a long pause.
    Last edited by russetaylor; November 21st, 2009 at 05:02 AM. Reason: confusing

  7. #27
    Join Date
    Apr 2008
    Beans
    10

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    I set the local port listening for stunnel to 11900 instead of 119 and this seems to get around the sudo problem.

    I can now boot the PC, log on as a non-sudoer user and it just works when starting pan without any command line instructions.

    I had to change the server setup in Pan to also point to localhost 11900.

    Thanks

    Gavin

  8. #28
    Join Date
    Feb 2005
    Beans
    51

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Great HOWTO. I'm using PAN to connect to UsenetMonster. Configuring Stunnel and PAN together was simple and worked first time.

    Thanks!

  9. #29
    Join Date
    Mar 2007
    Beans
    203

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Hey guys,

    I can't seem to get past the "You should check that you have specified the pid= in you configuration file" error. My config file is:
    Code:
    ; Sample stunnel configuration file by Michal Trojnara 2002-2009
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of the chroot jail)
    
    ; Certificate/key is needed in server mode and optional in client mode
    cert = /etc/ssl/certs/stunnel.pem
    ;key = /etc/ssl/certs/stunnel.pem
    
    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3
    
    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /var/lib/stunnel4/
    setuid = stunnel4
    setgid = stunnel4
    ; PID is created inside the chroot jail
    pid = /stunnel4.pid
    
    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = zlib
    
    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS
    
    ; Authentication stuff
    ;verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; It's often easier to use CAfile
    ;CAfile = /etc/stunnel/certs.pem
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; Alternatively you can use CRLfile
    ;CRLfile = /etc/stunnel/crls.pem
    
    ; Some debugging stuff useful for troubleshooting
    ;debug = 7
    ;output = /var/log/stunnel4/stunnel.log
    
    ; Use it for client mode
    client = yes
    
    ; Service-level configuration
    
    ;[pop3s]
    ;accept  = 995
    ;connect = 110
    
    ;[imaps]
    ;accept  = 993
    ;connect = 143
    
    ;[ssmtp]
    ;accept  = 465
    ;connect = 25
    
    ;[https]
    ;accept  = 443
    ;connect = 80
    ;TIMEOUTclose = 0
    
    ; vim:ft=dosini
    
    [Eucalyptus for Landscape]
    accept  = landscape.canonical.com:443
    connect = localhost:8773
    and ls -al /etc/ssl/certs/stunnel.pem returns:
    Code:
    -rw-r--r-- 1 root root 3432 2012-02-09 11:41 /etc/ssl/certs/stunnel.pem
    Any idea what I'm doing wrong? Using Lucid server by the way, trying to get this working.

    Kevpatts
    Onieric - Leaning towards Xubuntu these days.
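
An added example, not code from any poster or from the stunnel project: a small audit of a stunnel4-style client configuration for settings that come up in this thread, namely `sslVersion = SSLv3`, a commented-out `verify` (in client mode the server certificate is then not checked), an `accept` port below 1024, which only root can bind (the 119 versus 11900 difference in #26 and #27), and an `accept` address that is not loopback. The sample config is constructed, the finding names and function names are illustrative, and only the stunnel4-era `verify` option is considered.

```python
import re

# Constructed sample modelled on the configs posted in this thread.
SAMPLE = """\
sslVersion = SSLv3
client = yes
[nntp]
accept = localhost:119
connect = news.giganews.com:563
[nntp-checked]
accept = 127.0.0.1:11900
connect = news.giganews.com:563
sslVersion = TLSv1.2
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); option names are lower-cased."""
    glob, services, cur = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = services.setdefault(m.group(1), {})
        elif line and line[0] not in ";#":          # skip blanks and comments
            key, _, val = line.partition("=")
            (glob if cur is None else cur)[key.strip().lower()] = val.strip()
    return glob, services

def audit(text):
    """Return sorted (service, finding) pairs; finding names are illustrative."""
    glob, services = parse_stunnel_conf(text)
    findings = []
    for name, svc in services.items():
        opt = {**glob, **svc}                       # service options override globals
        host, _, port = opt.get("accept", "").rpartition(":")
        if opt.get("sslversion", "").lower() in ("sslv2", "sslv3"):
            findings.append((name, "obsolete-protocol"))
        verify = opt.get("verify", "")
        if opt.get("client", "no").lower() == "yes" and not (verify.isdigit() and int(verify) >= 2):
            findings.append((name, "server-cert-not-verified"))
        if port.isdigit() and int(port) < 1024:
            findings.append((name, "privileged-accept-port"))
        if host.lower() not in LOOPBACK:            # empty host means all interfaces
            findings.append((name, "accept-not-loopback"))
    return sorted(findings)

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(service, finding)
```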

  10. #30
    Join Date
    Apr 2012
    Beans
    2

    Re: [HOWTO]: Use Pan with Stunnel4 Secure Sockets Layer (SSL)

    Is it possible to set up stunnel4 for multiple servers? I would like to add gmane.org to the news-server I already have set and working.

    pan 0.136 with stunnel4 operational on Mint 11 AMD64
