
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
Stunnel and OpenSSL: Concepts
|
145
Microsoft’s SMB (CIFS) file- and print-sharing protocol can function similarly when
limited to TCP port 139, albeit to varying degrees depending on your client OS, and
can thus be tunneled as well. See David Lechnyr’s excellent Samba Tutorial at http://
hr.uoregon.edu/davidrl/samba.html. Section 4 of this tutorial, “Tunneling SMB over
SSH,” explains how Samba behaves the same in either case—although written with
SSH in mind rather than Stunnel.
OpenSSL
Stunnel relies on OpenSSL for all its cryptographic functions. Therefore, to use Stun-
nel, you must first obtain and install OpenSSL on each host on which you intend to
use Stunnel. The current versions of most Linux distributions now include binary
packages for OpenSSL v0.9.7 or later. Your distribution’s base OpenSSL package
will probably suffice, but if you have trouble building Stunnel, try installing the
openssl-devel package (or your distribution’s equivalent).
OpenSSL has had a number of security vulnerabilities over the years,
including buffer overflows, timing attacks, ASN.1 parse errors, and
arcane but dangerous cryptographic flaws. As with OpenSSH, this is
much more a function of how hard it is to build a secure cryptosystem
implementation than of sloppiness on the part of the OpenSSL team.