AP1 <-> [stunnel client] <- SSL connection -> [stunnel server] <-> AP2
stunnel client accepts a TCP connection, establish a SSL connection to stunnel server, and exchanges data between TCP connection and SSL connection,
stunnel server accepts a SSL connection, establish a TCP connection to AP2, and exchanges data between SSL connection and TCP connection.
In general, the SSL connection could be used to protect MIB to observe/intercept/modify the data in it. And only server-side SSL certificate is verified. But it is possible to let SSL server to verify the client-side SSL certificate.
Here is the procedure:
1. create key/certificate for client.
# openssl genrsa 1024 > client-key.pem
# openssl req -new -key client-key.pem -x509 -days 3650 -out client-cert.pem
2. create key/certificate for server.
# openssl genrsa 1024 > client-key.pem
# openssl req -new -key client-key.pem -x509 -days 3650 -out client-cert.pem
3. create stunnel config file for client.
cert = client-cert.pem
key = client-key.pem
chroot = /usr/local/stunnel/
setuid = nobody
setgid = nobody
pid = /client.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CApath = /client
client = yes
[ap1]
accept = 127.0.0.1:2399
connect =
TIMEOUTclose = 0
4. create stunnel config file for server.
cert = server-cert.pem
key = server-key.pem
chroot = /usr/local/stunnel/
setuid = nobody
setgid = nobody
pid = /server.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 2
CApath = /server
[ap2]
accept =
connect = 127.0.0.1:2341
TIMEOUTclose = 0
5.
In host running ap1 and stunnel client, put client-key.pem/client-cert.pem in /usr/local/stunnel, and put server-cert.pem in /usr/local/stunnel/client. then run
# c_rehash /usr/local/stunnel/client
6.In host running ap2 and stunnel server, put server-key.pem/server-cert.pem in /usr/local/stunnel, and put client-cert.pem in /usr/local/stunnel/server. then run
# c_rehash /usr/local/stunnel/server
7. start the stunnel client/server.
In stunnel client host,
# stunnel /usr/local/stunnel/client.conf
In stunnel server host,
# stunnel /usr/local/stunnel/server.conf