We use it solely on 100s of our customers’ Unix computers.  My suggestion (that not everyone agrees with) is to run it under inetd.  Unix does not function without inetd (or related like xinetd).  You don’t have to start or manage a server.  It is dead reliable and when processes die it cleans it up and so forth.  You connect to localhost on some port, have a configuration that directs it to the right place, off to the races.


I am not sure what you mean by container hardening.  When connecting to localhost it never touches the network – the TCP/IP goes directly to the TCP/IP stack on the local machine.


I am really sure I don’t know what check out is :-)


If you give me more info I can probably be of more use.


Eric
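Concretely, the inetd arrangement Eric describes looks like the following. This is an added example, not code from the thread or from the stunnel project, and the service name, port, account name, scratch directory and upstream host are all assumptions. It binds the inetd listener to 127.0.0.1 only (using the `host:service` form of the first field supported by OpenBSD inetd and Debian's openbsd-inetd) and runs stunnel under a dedicated unprivileged account rather than root, which is one way to handle the process-owner question in the quoted message. The two check functions encode those properties plus the stunnel rule that an inetd-mode config has no `accept` option and no `[service]` section.

```shell
#!/bin/sh
# Added example, not code from the stunnel-users thread or the stunnel project.
# It sketches the inetd-spawned stunnel layout and checks two properties a
# reviewer would want: the listener binds only to loopback and stunnel runs
# as an unprivileged account.

# (1) The /etc/inetd.conf entry. Assumptions: the "host:service" form of the
#     first field (OpenBSD inetd / Debian's openbsd-inetd) restricts the bind
#     address; "stunnel-mail" is a hypothetical service name that would need a
#     line such as "stunnel-mail 9025/tcp" in /etc/services; "stunnel4" is a
#     hypothetical dedicated account. Field 5 is the account inetd switches to.
INETD_ENTRY='127.0.0.1:stunnel-mail stream tcp nowait stunnel4 /usr/bin/stunnel stunnel /etc/stunnel/mail-inetd.conf'

# (2) The stunnel configuration for inetd mode. inetd hands the accepted
#     socket to stunnel on stdin/stdout, so there is no "accept" option and no
#     [service] section; the service-level options sit at the global level.
#     mail.example.net:465 is a placeholder upstream.
STUNNEL_DEMO_DIR=${STUNNEL_DEMO_DIR:-$(mktemp -d)}   # scratch dir, no root needed
cat > "$STUNNEL_DEMO_DIR/mail-inetd.conf" <<'EOF'
; inetd-mode stunnel config (added example; paths and host are assumptions)
client      = yes
connect     = mail.example.net:465
; verify the upstream certificate instead of trusting any peer
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = mail.example.net
EOF

# Returns 0 when an inetd.conf line binds a loopback address and runs the
# program as a non-root account; 1 otherwise.
check_inetd_entry() {
    set -- $1                      # split the line into its whitespace-separated fields
    sock=$1
    user=${5%%[:.]*}               # inetd accepts "user:group" or "user.group"
    case "$sock" in
        127.0.0.1:*|localhost:*) ;;
        *) return 1 ;;             # bare service name: binds every interface
    esac
    [ -n "$user" ] && [ "$user" != root ] || return 1
    return 0
}

# Returns 0 when a stunnel config is valid for inetd mode: no "accept" option
# and no [section] header, because inetd already owns the listening socket.
check_stunnel_inetd_conf() {
    grep -Eq '^[[:space:]]*(accept[[:space:]]*=|\[)' "$1" && return 1
    return 0
}

# Usage: the first entry passes; the second (the root-owned form shown in the
# stunnel manual's inetd section) is rejected on both counts.
check_inetd_entry "$INETD_ENTRY" && echo "inetd entry: loopback + non-root OK"
check_inetd_entry 'imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf' \
    || echo "inetd entry: rejected (binds all interfaces, runs as root)"
check_stunnel_inetd_conf "$STUNNEL_DEMO_DIR/mail-inetd.conf" && echo "stunnel config: inetd mode OK"
```

With xinetd the same intent is expressed with `bind = 127.0.0.1` and `user = stunnel4` in the service stanza; the stunnel side is unchanged.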


From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Brent Kimberley
Sent: Wednesday, May 29, 2019 11:53 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] RE stunnel process owner


Hi Dan.


>>Wondering what user people are running the stunnel process under on a unix server?

Any suggestions re container hardening & check-out (a la SCAP)?