Table of Contents

1. Overview
2. Module Description - A Puppet module for managing stunnel
3. Setup - The basics of getting started with pupmod-simp-stunnel
   • What pupmod-simp-stunnel affects
   • Setup requirements
   • Beginning with stunnel
4. Usage - Configuration options and additional functionality
5. Reference - An under-the-hood peek at what the module is doing and how
6. Limitations - OS compatibility, etc.
7. Development - Guide for contributing to the module

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

If you find any issues, they can be submitted to our JIRA.

Please read our Contribution Guide and visit our developer wiki.

Module Description

This module sets up stunnel and allows the creation of stunnel connections for services.

Setup

What simp stunnel affects

simp/stunnel will install the latest version of stunnel, ensure the service is running, generate the stunnel user, manage /etc/stunnel/stunnel.conf, /etc/rc.d/init.d/stunnel, a chroot directory, and if simp/iptables is installed and $use_iptables is set to true, will manage the iptables required for stunnel.

Setup Requirements

simp/stunnel requires the simp/rsync module to add a service-based stunnel connection.

Beginning with stunnel

You can set up stunnel on a node by:

include stunnel

or

---
classes:
  - stunnel

Usage

I want to add a connection to the stunnel server

# Add an stunnel client entry for rsync.
stunnel::add { 'rsync':
  connect => ['stunnel.server.int:8730'],
  accept  => '127.0.0.1:873'
}

I want to build a connection on the stunnel server

# Add an stunnel client entry for rsync.
stunnel::add { 'rsync':
  client  => false,
  connect => ['873'],
  accept  => '8730'
}

Reference

Public Classes

• stunnel
• stunnel::add

stunnel

Parameters

• chroot: The location of the chroot jail. Do NOT make this anything under /var/run. Type: Absolute Path. Default: '/var/stunnel'.

• key: Path and name of the private SSL key file. Type: Absolute Path. Default: /etc/pki/private/${::fqdn}.pem.

• cert: Path and name of the public SSL certificate. Type: Absolute Path. Default: /etc/pki/public/${::fqdn}.pub.

• ca_source: Since stunnel runs in a chroot, you need to copy the appropriate CA certificates in from an external source. This should be the full path to a directory containing hashed versions of the CA certificates. Type: Absolute Path. Default: '/etc/pki/cacerts'.

• crl_source: Since stunnel runs in a chroot, you need to copy the appropriate CRL in from an external source. Type: Absolute Path. Default: '/etc/pki/crl'.

• pid: The PID file. Relative to the chroot jail! Let the startup script handle it by default. Type: Absolute Path. Default: '/var/run/stunnel/stunnel.pid'.

• setuid: The user stunnel should run as. Type: String. Default: 'stunnel'.

• setgid: The group stunnel should run as. Type: String. Default: 'stunnel'.

• stunnel_debug: The debug level for logging. Type: String. Default: 'err'.

• syslog: Whether or not to log to syslog. Type: Boolean. Default: true.

• compression: The compression type to use for this service. Anything other than 'zlib' and 'rle' is ignored. Type: ['zlib'|'rle']. Default: None.

• egd: If set, is the path to the Entropy Gathering Daemon socket used to feed the OpenSSL RNG. Type: Absolute Path. Default: false.

• engine: If $egd is set, sets the Hardware Engine to be used. Type: String. Default: auto.

• engine_ctrl: If set, $egd is set, sets the Hardware Engine Control parameters. Type: String. Default: false.

• fips: If true, set the fips global option. We don't enable FIPS mode by default since we want to be able to use TLS1.2. This has no effect on RHEL/CentOS 6 or earlier due to stunnel not accepting the fips option in that version of stunnel. Type: Boolean. Default: hiera('use_fips',false).

• output: If set, provides the path to a log output file to use. Type: Absolute Path. Default: false.

• rnd_bytes: The number of bytes to read from the random seed file. Type: Integer. Default: false.

• rnd_file: If set, provides the path to the random seed data file. Type: Absolute Path. Default: false.

• rnd_overwrite: If set, Stunnel should overwrite the random seed file with new random data. Type: Boolean. Default: false.

• socket_options: If populated, provides an array of socket options of the form '^(a|l|r):.+=.+(:.+)?$'. Type: Array of Strings. Default: [].

• use_haveged: If true, include haveged to assist with entropy generation. Type: Boolean. Default: true.

• use_simp_pki: If true, use the SIMP PKI module for key management. Note: This module needsthe pki::copy method from the SIMP pki module but does not need to have SIMP actuallly manage the keys. Type: Boolean. Default: true.

stunnel::add

• name : The service name. Valid Option: String.

• accept: Address and port upon which to accept connections. For a client, this is generally localhost. For a server, it should be whichever external address is appropriate. If this is omitted, then connections are accepted on all addresses. Valid Options: String [hostname/ip:port].

  Examples:

    '1.2.3.4:3000'
    '3000'

• connect: Address and port to which to forward connections. For a client, this is the port of the stunnel server. For the stunnel server, this is the listening port of the tunneled service. See stunnel.conf(5) for more information. Valid Options: Array of [hostname/ip:port] Entries.

  Examples:

    ['my.server:3000','my.server2:3001']
    ['my.server:3000']
    ['3000']

• client: Whether this instance of stunnel should behave as a client. Valid Options: Boolean. Default: true.

• cert: Path and name of the public SSL certificate. Valid Options: Absolute Path Default: $::stunnel::cert.

• ca_path: Path to the OpenSSL compatible CA certificates. Note, this path is relative to the chroot path if set and is expected to be a directory. Valid Options: Absolute Path Default: /etc/pki/cacerts.

• client_nets: Set this if you don't want to allow all IP addresses to access this encrypted channel. This only makes sense for servers.

  Example:

 stunnel::add ('rsync':
   accept       => '873',
   connect_addr => ['1.2.3.4:8730']
 }

• ciphers: OpenSSL compatible array of ciphers to allow on the system. Valid Options: Array Default: ['HIGH','-SSLv2'].

• crl_path: Path to the OpenSSL compatible CRL directory. Valid Options: Absolute Path Default: /etc/pki/crl.

• curve: The ECDH curve name to use. To get a list of supported curves use: openssl ecparam -list_curves on your client. This option is only valid on RHEL/CentOS 7+. Valid Options: String. Default: None.

• failover: The failover strategy for multiple connect targets. Valid Options: [rr|prio]. Default: rr.

• key: Path and name of the private SSL key file. Valid Options: Absolute Path. Default: $::stunnel::key.

• sni: See the 'sni' option documentation in stunnel. This option is only valid on RHEL/CentOS 7+. Valid Options: [service_name|service_name:server_name_pattern]. Default: None.

• ssl_version: Dictate the SSL version that can be used on the system. You only get one choice from the options listed above. This default, combined with the default $ciphers, the system will only negotiate at TLSv1.1 or higher. Valid Options: String. Allowed Values (RHEL6): [all|SSLv2|SSLv3|TLSv1] Allowed Values (RHEL7): [all|SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2] Default: None (let the system decide).

• options: The OpenSSL library options. Valid Options: Array. Default: None.

• verify: Level of mutual authentication to perform. Valid Options: Integer. (see below) Default: 2.

RHEL 6 Options:
  level 1 - verify peer certificate if present
  level 2 - verify peer certificate
  level 3 - verify peer with locally installed certificate
  default - no verify

RHEL 7 Options:
  level 0 - Request and ignore peer certificate.
  level 1 - Verify peer certificate if present.
  level 2 - Verify peer certificate.
  level 3 - Verify peer with locally installed certificate.
  level 4 - Ignore CA chain and only verify peer certificate.
  default - No verify

• ocsp: The OCSP responder to use for certificate validation. Valid Options: URL Default: None.

• ocsp_flags: The OCSP server flags. Valid Options: 'NOCERTS', 'NOINTERN NOSIGS', 'NOCHAIN', 'NOVERIFY', 'NOEXPLICIT', 'NOCASIGN', 'NODELEGATED', 'NOCHECKS', 'TRUSTOTHER', 'RESPID_KEY', 'NOTIME'. Default: [].

• local: The outgoing IP to which to bind. By default, stunnel binds to all interfaces. Valid Options: IP Address Default: None.

• protocol: The application protocol to negotiate SSL. Valid Options: cifs|connect|imap|nntp|pgsql|pop3|proxy|smtp], proxy only working on RHEL/CentOS 7+. Default: None.

• protocol_authentication: Authentication type for protocol negotiations. Valid Options: [basic|NTLM] Default: None.

• protocol_host: The destination address for protocol negotiations. Valid Options: Hostname or IP Address Default: None.

• protocol_password: The password for protocol negotiations. Valid Options: String. Default: None.

• protocol_username: The username for protocol negotiations. Valid Options: String. Default: None.

• delay: Delay DNS lookup for 'connect' option Valid Options: Boolean. Default: false.

• engine_num: The engine number from which to read the private key. This option is only supported on RHEL/CentOS 7+. Valid Options: Integer. Default: None.

• pty: Reserve and assign a pty to a program that is run by stunnel inetd-style using the exec option. Valid Options: Boolean. Default: false.

• renegotiation: Support SSL renegotiation. Valid Options: Boolean. Default: true.

• reset: Attempt to use TCP RST flag to indicate an error. Valid Options: Boolean. Default: true.

• retry: Reconnect a connect+exec session after it has been disconnected. Valid Options: Boolean. Default: false.

• session_cache_size: The maximum number of internal session cache entries. Set to 0 for unlimited (not advised). This option is only valid on RHEL/CentOS 7+. Valid Options: Integer. Default: None.

• session_cache_timeout: The number of seconds to keep cached SSL sessions. Corresponds to the 'session_timeout' variable in RHEL/CentOS 6. Valid Options: Integer. Default: None.

• stack: Thread stack size in bytes. Valid Options: Integer. Default: None.

• timeout_busy: Time to wait for expected data in seconds. Valid Options: Integer. Default: None.

• timeout_close: Time to wait for close notify in seconds. Valid Options: Integer. Default: None.

• timeout_connect: Time to wait for a remote host connection in seconds. Valid Options: Integer. Default: None.

• timeout_idle: Time to keep an idle connection in seconds. Valid Options: Integer. Default: None.

Limitations

This module is only designed to work in RHEL or CentOS 6 and 7. Any other operating systems have not been tested and results cannot be guaranteed.

Development

Please see the SIMP Contribution Guidelines.

General developer documentation can be found on Confluence. Visit the project homepage on GitHub, chat with us on our HipChat, and look at our issues on JIRA.

• Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com,Ryan Russell-Yates ryan.russellyates@gmail.com - 4.2.8-0

• Validate compliance_markup mapping
• Create Functional README.md for Forge

• Fri Jul 08 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.7-0

• Incorrectly referenced the global $::use_simp_pki in ::stunnel

• Wed Jul 06 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.6-0

• Ensure that the PKI copy is performed prior to copying the system cacerts into the stunnel chroot.

• Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.5-0

• Use_haveged is now a global catalyst.

• Mon Jun 27 2016 Nick Markowski nmarkowski@keywcorp.com - 4.2.4-0

• Pupmod-haveged now included by default to assist with entropy generation.

• Tue Jun 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.3-0

• Ensure that $use_iptables is handled properly.

• Wed May 18 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.2.2-0

• Sanitize code for STRICT_VARIABLES=yes

• Sat Mar 19 2016 Trevor Vaughan tvaughan@onyxpoint.comm - 4.2.1-0

• Migrated use_simp_pki to a global catalyst.
• Fixed several ordering issues.
• Increase safety by moving the public and private keys out of the chroot jail.

• Tue Mar 01 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.2.0-11

• Added compliance function support

• Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.2.0-10

• migration to simplib and simpcat (lib/ only)

• Tue Jul 21 2015 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-9

• Moved stunnel's default pid location back to /var/run/stunnel/stunnel.pid.
• Stunnel's init script now only creates and chowns the pid file directory if it does not exist.

• Wed Jul 01 2015 Nick Markowski nmarkowski@keywcorp.com - 4.2.0-8

• Stunnel's default pid file location moved from /var/run/stunnel/stunnel.pid to /var/run/stunnel.pid

• Thu Apr 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-7

• Fixed a scoping error in the template

• Fri Feb 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-6

• Fixed a non-scoped call to @options in the stunnel ERB file.

• Thu Feb 19 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-5

• Migrated to the new 'simp' environment.

• Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-4

• Changed puppet-server requirement to puppet

• Thu Nov 06 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-3

• Fix chroot detection in SELinux mode.

• Tue Nov 04 2014 Trevor Vaughan tvaughan@onxypoint.com - 4.2.0-2

• Ensure that renegotiation and reset only apply on RHEL>6 systems.

• Sun Nov 02 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-1

• Updated to add the FIPS global option to the stunnel configuration.

• Tue Oct 21 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0

• CVE-2014-3566: Updated protocols to mitigate POODLE.
• Updated all of the stunnel module to properly handle both RHEL6 and RHEL7.
• Now support multiple connect options.
• The connect/accept hosts and ports are no longer separate.

• Fri Aug 08 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4

• Change 'delay' to 'no' by default to ensure that DNS lookups happen before entering the chroot jail. This currently does not work in RHEL7.
• Add nsswitch.conf to the chroot jail.

• Fri Aug 08 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

• Move stunnel outside of a chroot jail when SELinux is set to enforcing.

• Fri Apr 04 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-3

• Now simply include 'stunnel' in 'stunnel::add' instead of raising an exception.

• Wed Mar 26 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

• Moved stunnel::stunnel_add to stunnel::add
• Replaced all of the PKI copy code with a call to the new pki::copy define.
• Fixed a bug with the CA path and CRL path in the stunnel configuration file.

• Wed Mar 12 2014 Nick Markowski nmarkowski@keywcorp.com - 4.1.0-1

• Updated module for hiera/puppet3, and lint tests.
• Copied pki keys and certs to <chroot_path>/etc/stunnel/pki
• Added rspec tests.

• Tue Jan 28 2014 Kendall Moore kmoore@keywcorp.com 4.1.0-0

• Update to remove warnings about IPTables not being detected. This is a nuisance when allowing other applications to manage iptables legitimately.

• Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 4.0.0-12

• Updated all erb templates to properly scope variables.

• Fri Jun 07 2013 Kendall Moore kmoore@keywcorp.com 4.0.0-11

• Updated the stunnel start script to allow for the occurence of both pid and chroot to appear in a hostname

• Mon Jan 07 2013 Maintenance 4.0.0-10

• Created a test to install and configure stunnel and to make sure that the stunnel service is running.
• Created a test to add an stunnel on the first open port start at number 1024 and ensure that the chosen port is in state LISTEN and owned by stunnel.

• Tue Nov 27 2012 Maintenance 4.0.0-9

• Fixed the stunnel init script to have proper startup output.
• Updated to set the umask for stunnel open files to 1048576 for heavily loaded systems.
• Updated the stunnel init script to allow unlimited processes since there is one per connection.

• Mon Nov 05 2012 Maintenance 4.0.0-8

• Removed the useless CRL copy exec.
• Removed the PKI Cert copy exec and replaced it with a recursive copy/purge file resource.

• Fri Sep 28 2012 Maintenance 4.0.0-7

• Moved the chroot run directory for stunnel from /var/run/stunnel to /var/stunnel since /var/run gets cleaned out upon reboot.

• Fri Aug 10 2012 Maintenance 4.0.0-6

• Update to set max open files ulimit to unlimited in the init script.

• Wed Apr 11 2012 Maintenance 4.0.0-5

• Moved mit-tests to /usr/share/simp...
• Updated pp files to better meet Puppet's recommended style guide.

• Fri Mar 02 2012 Maintenance 4.0.0-4

• Improved test stubs.

• Mon Dec 26 2011 Maintenance 4.0-3

• Updated the spec file to not require a separate file list.
• Scoped all of the top level variables.

• Tue Oct 25 2011 Maintenance 4.0-2

• Added a note about the transparent mode of stunnel not working properly in RHEL6.

• Mon Oct 10 2011 Maintenance 4.0-1

• Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.

• Tue Jul 12 2011 Maintenance 4.0-0

• Stunnel doesn't care if we're using LDAP or not, so don't check for the value when setting up key permissions.

• Mon Apr 18 2011 Maintenance - 2.0.0-1

• Changed puppet://$puppet_server/ to puppet:///
• Ensure that stunnel does not restart when 'resolv.conf' or 'hosts' is updated.
• Ensure that the stunnel service watches for changes in the entire certificate space.
• Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
• Updated to use concat_build and concat_fragment types.

• Tue Jan 11 2011 Maintenance 2.0.0-0

• Refactored for SIMP-2.0.0-alpha release

• Tue Oct 26 2010 Maintenance - 1-2

• Converting all spec files to check for directories prior to copy.

• Wed Jul 14 2010 Maintenance 1.0-1

• Updated stunnel to start at runlevel 15 and ensured that it updated its chkconfig entires approprately

• Tue May 25 2010 Maintenance 1.0-0

• Code refactoring.

• Thu Feb 18 2010 Maintenance 0.1-11

• Added a paramater $client_nets to the stunnel_add define to allow users to lock down access to the encrypted port via IPTables.

• Thu Oct 08 2009 Maintenance 0.1-10

• Finally fixed the problem with cert verification. All uses of stunnel can now set verify to 1 or 2.