Once we had installed stunnel on the server, it was a simple matter to set it up to receive connections on a certain port (TCP 2305) from another instance of stunnel on a user's computer. This way, encrypted data comes from the user's system into an SSL daemon on our server and is decrypted, and the decrypted data is passed across the loopback interface (localhost, IP address 127.0.0.1) to the Chantry's engine (TCP 2422). The invocation goes as follows:
    /usr/local/sbin/stunnel -d 2305 -r 2422 -t 900 -p /usr/local/ssl/certs/stunnel.pem -N schantry
The '-d' option puts stunnel into daemon mode, where by default it listens on all present network interfaces, here on TCP port 2305. The '-r' option opens a connection to another system or service (in this case, the local host) on TCP port 2422. The '-t' option sets the timeout of a given stunnel daemon to 900 seconds of no activity, after which it drops the connection and terminates itself. The '-p' option explicitly sets the path to the encryption certificate stunnel will use. The '-N' option sets the name of the service referenced in the /etc/services file for the purposes of TCP wrapper protection (which adds access permissions to a system service).
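The layout above only protects the engine if the cleartext port (2422) is reachable over loopback alone; if the engine also listens on a public interface, a user can simply connect to 2422 directly and bypass stunnel. The following POSIX shell script is an added example, not part of the original page or the Chantry's own tooling: it reads a socket listing in the format produced by `ss -ltn` (a constructed sample is embedded so it runs offline) and checks that 2305 is listening while 2422 is bound to loopback only. The port numbers come from the page; the function name and the sample listings are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the stunnel port is
# listening and that the cleartext engine port is reachable only via loopback.

STUNNEL_PORT=2305   # TLS listener from the page's stunnel invocation
ENGINE_PORT=2422    # cleartext engine port from the page

# Constructed sample in `ss -ltn` format: the intended layout.
SAMPLE_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:2305        0.0.0.0:*
LISTEN 0      128    127.0.0.1:2422      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Constructed sample: the engine mistakenly bound to all interfaces.
SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:2305        0.0.0.0:*
LISTEN 0      128    0.0.0.0:2422        0.0.0.0:*'

# check_listeners LISTING
# Prints findings; returns 0 when the layout is safe, 1 otherwise.
check_listeners() {
    listing=$1
    rc=0

    # Collect the bind addresses (everything before the final colon) of every
    # LISTEN socket on the engine port. Column 4 of ss -ltn is Local Address:Port.
    engine_binds=$(printf '%s\n' "$listing" | awk -v p="$ENGINE_PORT" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { sub(":" p "$", "", $4); print $4 }
        }')

    if [ -z "$engine_binds" ]; then
        echo "WARN: nothing is listening on engine port $ENGINE_PORT"
        rc=1
    fi
    for host in $engine_binds; do
        case "$host" in
            127.*|"[::1]"|::1) ;;   # loopback only: reachable solely through stunnel
            *) echo "FAIL: engine port $ENGINE_PORT bound on $host (stunnel can be bypassed)"
               rc=1 ;;
        esac
    done

    # The TLS front door must actually be up.
    if ! printf '%s\n' "$listing" | awk -v p="$STUNNEL_PORT" '
            $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
            END { exit !found }'; then
        echo "FAIL: no listener on stunnel port $STUNNEL_PORT"
        rc=1
    fi
    return $rc
}

# Stand-alone run against the constructed samples (on a live host use:
#   check_listeners "$(ss -ltn)").
if check_listeners "$SAMPLE_GOOD"; then
    echo "OK: engine is loopback-only behind stunnel"
fi
check_listeners "$SAMPLE_BAD" || echo "(bad layout detected, as expected)"
```

Run it as a cron or post-deploy check; a non-zero exit means the engine is exposed without the SSL layer. The service name given with -N is also what TCP wrappers match against in /etc/hosts.allow and /etc/hosts.deny, so host-based restrictions on the 2305 listener belong there.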