Stunnel can be used to provide secure encrypted connections for clients or servers that do not speak TLS or SSL natively. It runs on a variety of operating systems, including most Unix-like operating systems and Windows. Stunnel relies on a separate library such as OpenSSL or SSLeay to implement the underlying TLS or SSL protocol.
Stunnel uses public-key cryptography with X.509digital certificates to secure the SSL connection. Clients can optionally be authenticated via a certificate too.
For example, one could use Stunnel to provide a secure SSL connection to an existing non-SSL-aware SMTP mail server. Assume the SMTP server expects TCP connections on port 25. One would configure Stunnel to map the SSL port 465 to non-SSL port 25. A mail client connects via SSL to port 465. Network traffic from the client initially passes over SSL to the Stunnel application, which transparently encrypts/decrypts traffic and forwards unsecured traffic to port 25 locally. The mail server sees a non-SSL mail client.
The Stunnel process could be running on the same or a different server from the unsecured mail application; however, both machines would typically be behind a firewall on a secure internal network (so that an intruder could not make its own unsecured connection directly to port 25).