Manual page



stunnel - universal SSL tunnel


stunnel [-T] [-p pemfile] [-v level] [-a directory] [-t timeout] [-u username] [-n protocol] [-d [ip:]port [-f]] [ -l program | -r [ip:]port | -L program [-- args] ]

stunnel {-c} [-p pemfile] [-v level] [-a directory] [-t timeout] [-u username] [-n protocol] -r [ip:]port [ -d [ip:]port [-f] | -l program | -L program [-- args] ]


The stunnel program is designed to work as SSL encryption wrapper between remote clients and local (inetd-startable) or remote servers. The concept is that having non-SSL aware daemons running on your system you can easily set them up to communicate with clients over secure SSL channels.

stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without changes to the source code.

This product includes cryptographic software written by Eric Young (


-c client mode (remote service uses SSL)
default: server mode

-T transparent proxy mode (on hosts that support it)

-p pemfile certificate (*.pem) file name

default: /usr/local/ssl/certs/stunnel.pem for server mode, none for client mode

-v level verify peer certificate

level 1 - verify peer certificate if present level 2 - verify peer certificate level 3 - verify peer with locally installed certificate default: no verify

-a directory client certificate directory for -v 3 option

default: /usr/local/ssl/certs/trusted

-t timeout session cache timeout

default: 300 s.

-u user Use IDENT (RFC 1413) username checking

-n proto Negotiate SSL with specified protocol

currenty supported: smtp

-d [ip:]port daemon mode (ip defaults to INADDR_ANY)

default: inetd mode

-f foreground mode (don't fork, log to stderr)

default: background in daemon mode

-l program [-- args]

execute local inetd-type program

-L program [-- args]

open local pty and execute program

-s username

setuid() to username in daemon mode

-r [ip:]port connect to remote service

(ip defaults to INADDR_LOOPBACK)


In order to provide SSL encapsulation to your local imapd service, use
stunnel -d 993 -l /usr/sbin/imapd -- imapd

If you want to provide tunneling to your pppd daemon on port 2020, use something like

stunnel -d 2020 -L /usr/sbin/pppd -- pppd local


Each SSL enabled daemon needs to present a valid X.509 certificate to the peer. It also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to generate them with the free openssl package. You can find more information on certificates generation on pages listed below.

Two things are important when generating certificate-key pairs for stunnel. The private key cannot be encrypted, because the server has no way to obtain the password from the user. To produce an unencrypted key add the -nodes option when running the req command from the openssl kit.

The order of contents of the .pem file is also important. It should contain the unencrypted private key first, then a signed certificate (not certificate request). There should be also empty lines after certificate and private key. Plaintext certificate information appended on the top of generated certificate should be discarded. So the file should look like this:

[encoded key]
[empty line]
[encoded certificate]
[empty line]


stunnel cannot be used for the FTP daemon because of the nature of the FTP protocol which utilizes multiple ports for data transfers. There are available SSL enabled versions of FTP and telnet daemons, however.


tcpd (8), inetd (8) Stunnel homepage OpenSSL project website


Michal Trojnara <>

Adam Hernik <>

Pawel Krawczyk <>

PTY support by Dirk O. Siebnich <>