Stunnel, a practical solution for SSL/TLS

    10-09-2010 Author: basdenooijer

    TLS/SSL encryption is generally a good thing to use, but in some cases it can be hard to implement. Stunnel is a small program that provides SSL/TLS capabilities to clients and/or servers that don’t speak SSL/TLS natively. It basically works like a proxy, transparently adding an encryption layer to a connection, or removing it.

    There are two main use cases:

    • connecting to an encrypted service from a plaintext client
    • publishing an encrypted service while the actual backend is plaintext

    There can be multiple reasons to use Stunnel instead of implementing SSL/TLS directly in the client or server application. You might be using an application that you cannot change, or changing it might cost too much time. And in some cases Stunnel even offers features that are hard to achieve otherwise.

    I’ll give a real world example of each use case. The examples are related to PHP, as this is my main focus, but the same approach can be applied to almost any application. Stunnel is completely transparent, so neither the server nor the client should even notice that encryption is in use.

    Case 1: accessing an NNTP+TLS server with a plain NNTP client

    There are several open source PHP projects that publish the contents of a news server (NNTP). If your news server is using TLS on top of NNTP your choices are limited, because not all clients support TLS. So you have two choices. You can use one that does support TLS, limiting your options. Or you can use the one you like best and add TLS support to it. That might actually be a good exercise, and you would of course contribute your efforts to the project 😉
    However, you might not have the time and/or budget to do so. In that case Stunnel can expose a non-TLS version of the NNTP server as a local proxy, and you can connect any NNTP client to it.

    Case 2: SOAP client over HTTPS in PHP

    Yes, you’re right, you can do this using plain PHP. It can however be quite hard, especially when client certificates are used for authentication. A Stunnel config of just a few lines will probably be a lot less work.
    Besides the ease of use there is a big extra bonus in this specific case. SSL handshakes are quite slow; subsequent requests on an established connection are a lot faster. But the stateless nature of PHP between requests causes the PHP client to do a new handshake for every request to the backend service. Stunnel is a separate daemon that maintains a connection pool for the SSL service. So while the very first request might be slow because of the handshake, any following requests (within the keepalive timeout) will be faster.
    I’ve implemented this setup for a heavily used transactional service. The reuse of existing SSL connections more than doubled the performance and also lowered the number of connection errors (Stunnel can even retry connections for you).

    How to use Stunnel

    First, install Stunnel. It’s available in most package managers; otherwise see http://www.stunnel.org/
    Second, configure Stunnel. There are many examples on the Stunnel website; here is one:

    client=yes
    verify=0
    [psuedo-https]
    accept  = 8080
    connect = mybloghost.mydomain:443
    TIMEOUTclose = 0
    

    That’s it! Start stunnel and you should be up and running. It might also be a good idea to install Stunnel as a service.
    An actual production configuration might be a bit bigger, depending on your needs. For all the details see the Stunnel documentation.
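    The following is an added, fuller configuration covering both cases described above (the NNTP+TLS proxy and the SOAP client over HTTPS with a client certificate); it is not the author’s config and not from the Stunnel project. It differs from the short example above in one important way: the example sets verify=0, which makes stunnel accept any certificate the remote side presents, so anything sitting in the network path could impersonate the backend. Here verify=2 plus a CA bundle is used instead. The hostnames, ports, user name and file paths are placeholders, and checkHost is a stunnel 5.x option; older versions will reject it and the line can be dropped there.

```ini
; Global options apply as defaults to every service section below.
; client = yes: stunnel listens for plaintext and speaks TLS to the backend.
client = yes

; Drop privileges after the listening ports are bound (user/group are assumptions)
setuid = stunnel
setgid = stunnel
pid    = /var/run/stunnel.pid

; Log to a file; raise debug (0-7) temporarily when troubleshooting a handshake
output = /var/log/stunnel.log
debug  = 5

; verify = 2: the backend certificate must chain to a CA in CAfile.
; The verify = 0 in the short example accepts any certificate at all.
verify = 2
; CA bundle path is an assumption; use your distribution's bundle or your own CA
CAfile = /etc/ssl/certs/ca-certificates.crt

; Case 1: local plaintext NNTP listener in front of an NNTP+TLS news server.
; Point the PHP NNTP client at 127.0.0.1 port 1119, without TLS.
[nntp-tls]
accept  = 127.0.0.1:1119
connect = news.example.net:563
; checkHost (stunnel 5.x) additionally requires the certificate to be
; issued for this name, not merely signed by a trusted CA
checkHost = news.example.net

; Case 2: local plaintext HTTP listener in front of an HTTPS SOAP backend
; that authenticates callers with a client certificate.
; The SOAP client uses http://127.0.0.1:8080/ as its endpoint.
[soap-https]
accept  = 127.0.0.1:8080
connect = soap.example.com:443
checkHost = soap.example.com
; Client certificate and private key presented to the backend (paths are assumptions;
; keep the key file readable only by the stunnel user)
cert = /etc/stunnel/soap-client.pem
key  = /etc/stunnel/soap-client.key
; As in the short example: tear down the TLS session as soon as the
; plaintext side closes, instead of waiting for the close_notify timeout
TIMEOUTclose = 0
```

    Binding accept to 127.0.0.1 rather than a bare port matters: the listener speaks plaintext, so it should only be reachable from the local machine that runs the PHP client. If the PHP process and stunnel run on different hosts, the plaintext hop between them is unencrypted again, which defeats the purpose.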
