How to Install/Uninstall the stunnel SSL in WHM/cPanel Server

In this article, we'll demonstrate how to install and uninstall stunnel SSL in WHM/cPanel Server. Please note that to follow either of these options you need to have root access to your dedicated server.

Installing stunnel

1) Run the following command as root to install stunnel:

# yum install stunnel
  • To start the service, enable it at boot, and confirm that it is running:
# systemctl start stunnel

# systemctl enable stunnel

# systemctl status stunnel


2) Configuring stunnel as a TLS Wrapper

  • To create a self-signed certificate for stunnel, enter the /etc/stunnel/ directory and type the following command as root:
# make stunnel.pem
  • The stunnel RPM package contains the /etc/stunnel/ directory, in which you can store the configuration file. Although stunnel does not require any special format of the file name or its extension, use /etc/stunnel/stunnel.conf

3) The following content configures stunnel as a TLS wrapper:

# vi /etc/stunnel/stunnel.conf
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/cert.key

; Allow only TLS, thus avoiding SSL
sslVersion = TLSv1

chroot = /var/run/stunnel
; Drop privileges to the restricted account that owns the chroot directory (see step 4)
setuid = nobody
setgid = nobody
; The pid path is relative to chroot, so this file is created as /var/run/stunnel/stunnel.pid
pid = /stunnel.pid

[service_name]
accept = port
connect = port

Alternatively, you can avoid SSL by replacing the line containing sslVersion = TLSv1 with the following two lines:

options = NO_SSLv2
options = NO_SSLv3

Example:

# vi /etc/stunnel/stunnel.conf
sslVersion = TLSv1.2

#sslVersion = all
output = /var/log/stunnel.log

client=no
[shoutcast4]
accept=9981
connect=example.com:9994
cert = /etc/stunnel/example.pem

The purpose of the options is as follows:

cert            — the path to your certificate
sslVersion      — the version of SSL/TLS to use; note that you can use TLS here even though SSL and TLS are two independent cryptographic protocols
chroot          — the changed root directory in which the stunnel process runs, for greater security
setuid, setgid  — the user and group that the stunnel process runs as; nobody is a restricted system account
pid             — the file in which stunnel saves its process ID, relative to chroot
socket          — local and remote socket options; for example, disabling Nagle's algorithm to improve network latency
[service_name]  — the beginning of the service definition; the options used below this line apply to the given service only, whereas the options above affect stunnel globally
accept          — the port to listen on
connect         — the port to connect to; this must be the port that the service you are securing uses
TIMEOUTclose    — how many seconds to wait for the close_notify alert from the client; 0 instructs stunnel not to wait at all
options         — OpenSSL library options
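As an added example (not from the article or the stunnel project), the following Python audit parses an stunnel.conf in the format shown above and flags the weak settings the option list warns about: SSLv2/SSLv3 still negotiable, no chroot/setuid/setgid, and a pid path that would be resolved inside the chroot. The two embedded configs are constructed from the article's shoutcast4 example; the parsing rules (header-less global section, ';' or '#' comment lines, repeated options lines) are assumptions based on the samples on this page.

```python
# Constructed sample: the article's example service with its commented-out
# "sslVersion = all" line enabled and no chroot/setuid/setgid (the weak form).
WEAK_CONF = """sslVersion = all
[shoutcast4]
accept = 9981
connect = example.com:9994
cert = /etc/stunnel/example.pem"""
# Constructed sample: the same service after applying the article's hardening.
HARDENED_CONF = """options = NO_SSLv2
options = NO_SSLv3
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
[shoutcast4]
accept = 9981
connect = example.com:9994
cert = /etc/stunnel/example.pem"""

def parse_stunnel_conf(text):
    # {'': global pairs, service: pairs}; repeated keys (several 'options =') stay in order
    sections, current = {"": []}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):                    # [service_name] header
            current = line.strip("[]").strip()
            sections.setdefault(current, [])
        elif line and line[0] not in ";#":          # skip blank and comment lines
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit_stunnel_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_stunnel_conf(text)
    glob = sections[""]
    get = lambda pairs, key: [v for k, v in pairs if k == key]
    findings = [f"global: '{k}' not set, so stunnel runs as root outside a chroot"
                for k in ("chroot", "setuid", "setgid") if not get(glob, k)]
    chroot, pid = get(glob, "chroot"), get(glob, "pid")
    if chroot and pid and pid[0].startswith(chroot[0]):  # pid is resolved inside the chroot
        findings.append(f"global: pid {pid[0]} would really be created at {chroot[0]}{pid[0]}")
    for name in filter(None, sections):             # each [service] section
        eff = glob + sections[name]                 # service keys override global ones
        version = (get(eff, "sslversion") or ["all"])[-1].upper()
        opts = {v.upper() for v in get(eff, "options")}
        if not (version.startswith("TLSV") or {"NO_SSLV2", "NO_SSLV3"} <= opts):
            findings.append(f"[{name}]: SSLv2/SSLv3 still negotiable (sslVersion = {version})")
    return findings
```

Running audit_stunnel_conf on the weak sample reports four findings; the hardened sample reports none.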

4) Create the chroot directory and give the user specified by the setuid option write access to it. To do so, enter the following commands as root:

# mkdir /var/run/stunnel
# chown nobody:nobody /var/run/stunnel

This allows stunnel to create the PID file.

5) Starting, Stopping, and Restarting stunnel:

  • To start stunnel, enter the following command as root:
# stunnel /etc/stunnel/stunnel.conf
  • To terminate stunnel, kill the process by running the following command as root:
# kill `cat /var/run/stunnel/stunnel.pid`

Note: If you edit the configuration file while stunnel is running, terminate stunnel and start it again for your changes to take effect.

6) Allow the port in the CSF firewall configuration file:

# vi /etc/csf/csf.conf
Add port 9994 to TCP_OUT (the port stunnel connects out to in the example above); if clients reach the accept port from outside the server, add that port (9981 in the example) to TCP_IN as well.
  • Restart the CSF firewall to apply these changes.
# csf -r

Conclusion:

In this post, our support team walked through installing stunnel, configuring it as a TLS wrapper that runs in a chroot as an unprivileged user, starting and stopping it, and opening the required port in CSF.
