Stunnel adds TLS encryption to your clients without any programming

Created: Sun Mar 10 21:30:56 CET 2019

Last modified: Sun Mar 10 21:54:43 CET 2019


I just discovered a really nice tool called stunnel, which basically fills the gap between suckless IRC clients and modern ones such as hexchat (GUI) or irssi, which is ncurses-based.

The suckless clients often lack SSL/TLS support. In short, you can’t use ii(1) to connect to Freenode safely.

To understand how stunnel addresses this issue, let’s look at a sample configuration file:

[IRC client 1]
client = yes
accept = 127.0.0.1:6667
connect = irc.lainchan.org:6697

Pretty self-explanatory, right? You can now point your insecure IRC client to irc://localhost:6667 and stunnel(8) will take care of SSL-izing the connection for you!

Last release was in December 2018.

Of course, there is more to it than this. For example, it can also be used on servers: if your HTTP server doesn’t handle HTTPS connections (darkhttpd, I’m looking at you), you can configure stunnel to decrypt the secure traffic before it reaches the server.

Install and configure stunnel

pkg install stunnel
$EDITOR '/usr/local/etc/stunnel/stunnel.conf'
stunnel

You might want to turn on some security features that are documented in stunnel.conf-sample.
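
One such feature is server certificate verification: by default a stunnel client encrypts the connection but does not check the certificate of the server it reaches. The following is an added example, not part of the original post or of stunnel.conf-sample, showing the client service from above with verification enabled; the CAfile path is an assumption (the bundle installed by FreeBSD's ca_root_nss package) and must be adjusted for your system.

```ini
; Added example: the IRC client service with certificate checks enabled.
[IRC client 1]
client = yes
accept = 127.0.0.1:6667
connect = irc.lainchan.org:6697

; Validate the server's certificate chain against trusted CAs.
; Without this, any certificate is accepted.
verifyChain = yes

; Assumption: CA bundle from the ca_root_nss package on FreeBSD.
CAfile = /usr/local/share/certs/ca-root-nss.crt

; Require the certificate to be issued for the host we connect to,
; not merely signed by a trusted CA.
checkHost = irc.lainchan.org
```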
