stunnel

Start stunnel with a configuration file

$ stunnel [/etc/stunnel/stunnel.conf]

$ stunnel -fd 0

$ stunnel -help

$ stunnel -sockets

$ stunnel -options

stunnel [configfile] | -fd n | -help | -version | -sockets | -options

stunnel is a TLS/SSL proxy that wraps arbitrary TCP connections with encryption. It adds TLS functionality to existing services without modifying application code.
In server mode, stunnel accepts encrypted connections and forwards them unencrypted to a backend service. In client mode, it accepts unencrypted connections and establishes TLS tunnels to remote servers.
The proxy uses OpenSSL for cryptography and supports modern TLS versions. It can run as a daemon or be launched by inetd/systemd for on-demand connections.

configfile

Path to configuration file

Read configuration from file descriptor n

Display help message

Display version information

Show available socket options

Show available TLS/SSL options

Key configuration directives:
accept

Accept connections on specified host:port

Connect to specified host:port

Path to certificate file

Path to private key file

Set to "yes" for client mode

Execute local program instead of connecting

SSLv2 and SSLv3 are disabled by default due to security vulnerabilities. Certificate verification should be enabled in production. Transparent proxy mode requires specific kernel support.

stunnel was created by Michał Trojnara in 1998 as a universal TLS wrapper. It became widely used for adding SSL to legacy protocols and continues active development, supporting modern TLS standards.

openssl(1), nginx(8), haproxy(1)