How to use stunnel with SIP2 self-check machines

Before we migrated to Innovative’s hosting service recently, we set up stunnel to encrypt the SIP2 traffic between our self check machines and our server; otherwise, we would be sending confidential patron information in clear text through the internet. Here some details, in case anyone’s interested.

Stunnel is an open-source SSL encryption wrapper licensed under the GPL that eEncrypts SIP2 network traffic between your self-check and your Sierra or Polaris server. It’s free. It works with Sierra 4.1 and later.

The basic how-to:

  1. Sierra: Allow in Limit Network Access - SELFCHECK - TUNNEL.
  2. Open the port on your firewall if necessary (from self check to server).
  3. Ask Innovative to open the port on your Sierra server (or open it yourself if you’re software-only).
  4. Install and configure stunnel on your self-check.

Optional: Get and configure a certificate/key pair (we haven’t done that at this point).

More specific installation and configuration information:

Download from
Edit stunnel.conf, replacing everything with the following:

; **************************************************************************
; * Global options *
; **************************************************************************
; Debugging stuff (may useful for troubleshooting)
debug = 7
;output = stunnel.log

; Enable FIPS 140-2 mode if needed it for compliance
fips = no
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

[Sierra Profile]
; cert = cert.pem
; key = key.pem

client = yes
accept = 192.168.999.999:5001 ; IP address of this self-check machine
connect = ; your catalog (Sierra app server)
TIMEOUTclose = 0
TIMEOUTconnect = 200

Start or restart the stunnel service.

Self-check software
Configure the self check to use the IP address of the local machine and the port that stunnel is using, instead of the address and port of the server.

System requirements:
Sierra 4.1 or later

Manual reference:
Sierra Guide > Using Circulation > Self-Checkout > SIP2 Circulation Interface