46.1. Introduction to SSL and STunnel

SSL is a protocol for encrypting data in a TCP connection as it travels over the network. It was originally developed to protect the traffic between web browsers and servers, but can be used to encrypt any kind of data stream that would normally be sent via the TCP protocol.

The SSL protocol allows clients and servers to authenticate themselves to each other, so that a client can be sure it is really connecting to the host it thinks it is. This is done using certificates that are issued by a certificate authority recognized by the client (so that they can be verified) and associated with a particular hostname. Without certificates, an attacker could redirect an SSL connection to his own server and capture sensitive information from a client that thinks it is talking to the real server.

Any data that travels across the Internet unencrypted can be captured and read by an attacker with access to one of the networks through which it passes. Even data traveling between a client and server system on a LAN can be easily listened in on. When you connect to a telnet, FTP, or POP3 server, your password is sent over the network and can be captured by an attacker.

SSL can be used to protect data in these kinds of situations, but only if both the client and server support it. Most web browsers and mail clients can make SSL-encrypted HTTP, POP3, and IMAP connections, but not all web and POP3 servers can accept them. POP3 in particular is hard to protect, because the standard server that comes with most UNIX systems does not support SSL at all. Fortunately, though, there is a solution—STunnel.

STunnel is a simple program that converts an unencrypted connection into an SSL-encrypted one. It is typically set up to be run from a super server like inetd or xinetd; once it has accepted and decrypted the SSL connection, it runs some other program, such as a POP3 server that does not support SSL, and passes the plain-text data stream to it. This design allows it to protect any server that is normally run from inetd, such as telnet, NNTP, and IMAP servers.
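The arrangement just described, as an added illustration that is not from the book or from the STunnel project: an xinetd service that starts STunnel on the pop3s port (995), and a STunnel 4-style configuration file with no [service] section, which puts STunnel into inetd mode so that it decrypts the connection and then runs the non-SSL POP3 daemon on its standard input and output. The file paths, the certificate file name, and the use of ipop3d are assumptions for the example.

```conf
# /etc/xinetd.d/pop3s  (constructed example; path and server binary are assumptions)
service pop3s
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    # STunnel needs to read the private key, which should be owned by
    # root and mode 0600, so it is started as root here and the POP3
    # daemon it launches does its own privilege handling as usual.
    user        = root
    server      = /usr/sbin/stunnel
    server_args = /etc/stunnel/pop3s.conf
}

# /etc/stunnel/pop3s.conf  (constructed example)
# Server certificate plus private key in PEM format; this is what the
# client verifies, so it must be issued for the hostname clients connect to.
cert     = /etc/stunnel/stunnel.pem
# No [service] section is defined, so STunnel runs in inetd mode:
# it expects the already-accepted socket on stdin/stdout from xinetd,
# performs the SSL handshake, and then runs the program below,
# relaying the decrypted stream to it.
exec     = /usr/sbin/ipop3d
execArgs = ipop3d
```

After restarting xinetd, the setup can be checked from another host with `openssl s_client -connect mailhost:995`, which should complete the SSL handshake and then show the POP3 server's `+OK` greeting; the unencrypted port 110 can then be closed or firewalled so that passwords are only ever sent inside the tunnel.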

Not all servers can be usefully protected with encryption, however, because no client exists to use them in SSL mode. For example, I have never heard of a telnet or FTP client that can use SSL because the common SSH package already allows encrypted remote logins and file transfers.
