TLS support

Metadefender ICAP does not natively support theTransport Layer Security portocol, but you can use stunnel to TLS encrypt ICAP messages between the ICAP client and ICAP server.

Overview of stunnel

What is stunnel?

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. [stunnel's website]

Stunnel can be configured to accept ICAP requests from an SSL connection, decrypt the request, and pass it to the local Metadefender ICAP Server.


Installation on Windows

  1. Download the Windows installer from stunnel's download page

  2. Start the installer and follow its steps (use default values if you are not sure)

  3. During the installation you will be asked to generate a certificate file. Fill in the required fields with your information

  4. Make sure that "Start stunnel after installation" is not checked at the end of the setup


  1. Locate and open the stunnel.conf file. It should be under the config directory in the stunnel installation directory. (e.g., "C:\Program Files (x86)\stunnel\config\stunnel.conf")

  2. Add the following lines at the end of the file

    ICAP service in stunnel
    accept = 11344
    connect = 1344
    cert = stunnel.pem
  3. Save and close the configuration file

Explanation of configuration properties

  • accept: The port number where stunnel listens for TLS connections for the given service

  • connect: The port number where the decrypted connections are forwarded to. (This should be the port used by Metadefender ICAP Server)

  • cert: The TLS certification used by the service. You can set your own or use the one generated during stunnel setup (which is stunnel.pem next to stunnel.conf)

Starting stunnel

After setting the configuration you are ready to start and use stunnel.

There are two ways of doing this:

  1. Starting it with GUI: Execute stunnel.exe under <stunnel installation directory>\bin\

  2. Installing and starting it as a service:

    1. Install as a service: execute stunnel.exe with -install option

    2. Start as a service: execute stunnel.exe with -start option or start it from Windows Services

For more information, FAQ and HOWTO please check the official stunnel documentation.