Perforce Public Knowledge Base - Using Stunnel with Perforce
Using Stunnel with Perforce

Problem

I need to set up bi-directional communications between a Perforce client and a Perforce server across an untrusted network.

How do I secure the Perforce network transport?
How do I use Stunnel with Perforce?

NOTE: Beginning with release 2012.1, the Perforce Server natively supports SSL encryption of client-server communications. Instructions on how to configure Perforce with SSL can be found in the Advanced Perforce Administration section of the Perforce Administrator's Guide. See also the KB articles Enabling SSL Support for the Perforce Server/Broker/Proxy and Migrating to SSL Server. Native SSL support is the preferred approach on 2012.1 and later; the stunnel setup below is for older servers.

NOTE: For securing P4Web, see: Creating and Optimizing a Secure P4Web Connection With "stunnel".
Solution

Prior to Perforce Server release 2012.1, securing communication between a Perforce Server (P4D) and client required using a third-party tool to encrypt network traffic between the two. Network encryption tools include ssh, proprietary VPNs, and stunnel. This article describes using stunnel with Perforce.

Stunnel is an open-source package that sets up SSL tunnels between client(s) and server(s). An stunnel instance listens on a port, accepts SSL connections from an SSL-enabled client or from another stunnel, and relays the decrypted traffic to a local service. Because neither the Perforce server (p4d) nor its clients (p4, p4v, p4win) support SSL natively before release 2012.1, this article sets up two stunnel instances that talk to each other:

  • One on the client machine, to accept client requests, encrypt them, and forward them on.
  • One on the server machine, which accepts the encrypted connection, decrypts it and passes it on to the Perforce server.
The following setup is used to demonstrate stunnel:

  • The server machine is named foo. It runs Perforce on localhost:1666 and accepts incoming SSL connections for Perforce on foo:2666.
  • The client machine is named bar. Stunnel is set up so that client requests to localhost:1666 on bar are encrypted and forwarded to foo:2666 (the server machine).

Why run Perforce on localhost:1666? If p4d is started with -p localhost:1666 it listens only on the loopback interface, so the unencrypted port cannot be reached from the network and every remote connection has to come through stunnel. This is not a requirement: stunnel can forward the connection to any host and port. If p4d listens on a routable address, however, block its plaintext port at the firewall, because anyone who can reach port 1666 directly bypasses the tunnel entirely.

Creating a Self-Signed SSL Certificate

Before you can set up stunnel, you need a self-signed SSL certificate for the stunnel server to present to the stunnel clients contacting it. Any SSL toolkit can produce one; the quickest way is the OpenSSL command-line tool. With OpenSSL installed, run the following command to generate your certificate:

openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem

The command prompts for the certificate subject fields (use the server's host name, foo, as the Common Name) and writes both the private key and the certificate into stunnel.pem. Because of -nodes the private key is stored unencrypted, which is what lets stunnel start unattended, so restrict the file to the user stunnel runs as (for example chmod 600) and never copy it to client machines: a client that wants to verify the server needs only the certificate portion of the file. The certificate is valid for 365 days; regenerate it before it expires.

When you have the certificate, you are ready to set up Stunnel.

Stunnel, version 4

The most recent version of Stunnel, as of this writing, is 4.34. The following information applies to version 4.x of Stunnel. Version 3.x uses a substantially different command-line format; see the Version 3 section below for information on how to set up version 3 of stunnel.

Stunnel is packaged with many Linux distributions and some Unix systems. Check the documentation for your particular OS, or build it from source.

Windows users should use this package: http://www.stunnel.org/download/binaries.html

Client Configuration (Unix/Linux)

Place the following in a file named "stunnel_client.cnf", somewhere that stunnel can read it. As written, this minimal client accepts whatever certificate the far end presents and therefore does not detect a host impersonating foo; stunnel's verify and CAfile options let the client check the server's certificate against a copy you distribute to the client machine.

; stunnel_client.cnf
pid=/var/run/stunnel.pid
[p4]
accept=localhost:1666
connect=foo:2666
client=yes

Start the client-side stunnel on Linux/Unix with:

stunnel <path_to>/stunnel_client.cnf

Client Configuration (Windows)

Edit the service's "stunnel.conf" and place the following within it (replace <server_host> with the name of the server machine, foo in this example):

cert = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = stunnel.log

client = yes

[p4s]
accept = 1666
connect = <server_host>:2666

Now start the stunnel program. Note that debug = 7 is the most verbose log level and writes every connection detail to stunnel.log; lower it (stunnel's default is 5) once the tunnel works.

Any client requests to port 1666 on the local machine are encrypted and forwarded to foo:2666.

Server Configuration (Unix/Linux)

Place the following in a file named "stunnel_server.cnf", and place that file somewhere that stunnel can access it.

; stunnel_server.cnf
pid=/var/run/stunnel.pid
[p4d]
cert=/etc/ssl/certs/stunnel.pem
accept=2666
connect=localhost:1666

Start the server the same way as the client:

stunnel <path_to>/stunnel_server.cnf

The server is now set up to listen for incoming SSL connections on port 2666 and forward the decrypted traffic to port 1666 on localhost. Make sure the file named by cert= (which contains the private key) is readable only by the user stunnel runs as.

Server Configuration (Windows)

Edit the service's "stunnel.conf" and place the following within it:
 
cert = stunnel.pem
key = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7
output = stunnel.log

client = no

[p4s]
accept = 2666
connect = 1666

Now start the stunnel program. Incoming connections to port 2666 are decrypted and passed to port 1666 on the local machine.
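The following script is an added example, not part of the Perforce KB article or the stunnel project. It carries out the certificate-creation step and the Unix/Linux client and server configuration above as one scripted procedure, with two hardening changes the article's files do not include: the private key is kept out of the file handed to clients, and the client pins the server's certificate with verify = 2 and CAfile. The host name foo, the ports 1666 and 2666, the output directory ./stunnel-demo, the pid-file paths and the file names stunnel.key / stunnel-server.crt are assumptions for the example; openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the Perforce KB article or the stunnel project):
# provision the server-side certificate and write hardened stunnel 4.x
# configuration files for both ends of the tunnel.
# Assumed values: server host "foo", p4d on localhost:1666, stunnel on 2666,
# output directory $OUT (defaults to ./stunnel-demo). Requires openssl.
set -eu

OUT="${OUT:-./stunnel-demo}"
SERVER_HOST="${SERVER_HOST:-foo}"

# 1. Self-signed certificate, as in the article, but non-interactive and with
#    the key and certificate in separate files so that the certificate alone
#    can be copied to clients. -nodes leaves the key unencrypted (stunnel must
#    start unattended), so the key files are created mode 0600.
gen_server_cert() {
    mkdir -p "$OUT"
    (
        umask 077
        openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
            -subj "/CN=${SERVER_HOST}" \
            -keyout "$OUT/stunnel.key" -out "$OUT/stunnel-server.crt" 2>/dev/null
        # stunnel's cert= option reads key and certificate from one file.
        cat "$OUT/stunnel.key" "$OUT/stunnel-server.crt" > "$OUT/stunnel.pem"
        chmod 600 "$OUT/stunnel.key" "$OUT/stunnel.pem"
    )
}

# 2. Server side: listen on 2666, hand plaintext to p4d on the loopback port.
write_server_conf() {
    cat > "$OUT/stunnel_server.cnf" <<EOF
; stunnel_server.cnf
pid = /var/run/stunnel-p4d.pid
cert = $OUT/stunnel.pem

[p4d]
accept = 2666
connect = localhost:1666
EOF
}

# 3. Client side: pin the server's certificate. Without verify/CAfile stunnel
#    accepts any certificate the far end presents, so anyone who can intercept
#    traffic to foo:2666 could terminate the SSL session themselves.
write_client_conf() {
    cat > "$OUT/stunnel_client.cnf" <<EOF
; stunnel_client.cnf
pid = /var/run/stunnel-p4.pid
client = yes
verify = 2
CAfile = $OUT/stunnel-server.crt

[p4]
accept = localhost:1666
connect = ${SERVER_HOST}:2666
EOF
}

# Checks worth running before the files are shipped to either machine.
key_file_is_private() {
    # find -perm with an octal mode is POSIX; matches exactly mode 0600
    find "$OUT/stunnel.pem" -perm 600 | grep -q .
}
client_cert_has_no_key() {
    grep -q 'BEGIN CERTIFICATE' "$OUT/stunnel-server.crt" &&
        ! grep -q 'PRIVATE KEY' "$OUT/stunnel-server.crt"
}
cert_matches_key() {
    [ "$(openssl x509 -in "$OUT/stunnel-server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$OUT/stunnel.key" -pubout)" ]
}
client_conf_pins_server() {
    grep -q '^verify = 2$' "$OUT/stunnel_client.cnf" &&
        grep -q '^CAfile = ' "$OUT/stunnel_client.cnf"
}

# Live smoke test once both stunnels are running (not run automatically):
# the handshake must verify against the pinned certificate, and p4 must
# reach p4d through the local end of the tunnel.
smoke_test() {
    openssl s_client -connect "${SERVER_HOST}:2666" \
        -CAfile "$OUT/stunnel-server.crt" </dev/null 2>&1 |
        grep -q 'Verify return code: 0' &&
    p4 -p localhost:1666 info
}

provision() {
    gen_server_cert
    write_server_conf
    write_client_conf
    key_file_is_private && client_cert_has_no_key &&
        cert_matches_key && client_conf_pins_server
}

provision
```

Copy only stunnel-server.crt to the client machine (bar) and point CAfile at it; stunnel.pem, which contains the private key, stays on foo. With verify = 2 the client rejects any certificate that does not chain to the pinned file, so a rotated server certificate must be redistributed to clients before the old one expires.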

Stunnel, version 3

If you are using version 3 of Stunnel, then you do not need to set up configuration files - you can specify everything on the command line.

Setting up the Server Stunnel

stunnel -p <path_to>/stunnel.pem -d 2666 -r localhost:1666

The above command sets up stunnel to listen on port 2666, present the certificate in stunnel.pem, and pass decrypted connections on to localhost:1666.

Setting up the Client Stunnel

stunnel -c -d localhost:1666 -r foo:2666

The above command sets up stunnel in client mode (-c) to accept requests on localhost:1666 and forward them, encrypted, to foo:2666.
