| ; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2015 |
| ; Some options used here may be inadequate for your particular configuration |
| ; This sample file does *not* represent stunnel.conf defaults |
| ; Please consult the manual for detailed description of available options |
| |
| ; ************************************************************************** |
| ; * Global options * |
| ; ************************************************************************** |
| |
| ; It is recommended to drop root privileges if stunnel is started by root |
| ;setuid = nobody |
| ;setgid = @DEFAULT_GROUP@ |
| |
| ; PID file is created inside the chroot jail (if enabled) |
| ;pid = @localstatedir@/run/stunnel.pid |
| |
| ; Debugging stuff (may be useful for troubleshooting) |
| ;foreground = yes |
| ;debug = info |
| ;output = @localstatedir@/log/stunnel.log |
| |
| ; Enable FIPS 140-2 mode if needed for compliance |
| ;fips = yes |
| |
| ; ************************************************************************** |
| ; * Service defaults may also be specified in individual service sections * |
| ; ************************************************************************** |
| |
| ; Enable support for the insecure SSLv3 protocol |
| ;options = -NO_SSLv3 |
| |
| ; These options provide additional security at some performance degradation |
| ;options = SINGLE_ECDH_USE |
| ;options = SINGLE_DH_USE |
| |
| ; ************************************************************************** |
| ; * Include all configuration file fragments from the specified folder * |
| ; ************************************************************************** |
| |
| ;include = @sysconfdir@/stunnel/conf.d |
| |
| ; ************************************************************************** |
| ; * Service definitions (remove all services for inetd mode) * |
| ; ************************************************************************** |
| |
| ; ***************************************** Example TLS client mode services |
| |
| ; The following examples use /etc/ssl/certs, which is the common location |
| ; of a hashed directory containing trusted CA certificates. This is not |
| ; a hardcoded path of the stunnel package, as it is not related to the |
| ; stunnel configuration in @sysconfdir@/stunnel/. |
| |
| [gmail-pop3] |
| client = yes |
| accept = 127.0.0.1:110 |
| connect = pop.gmail.com:995 |
| verify = 2 |
| CApath = /etc/ssl/certs |
| checkHost = pop.gmail.com |
| OCSPaia = yes |
| |
| [gmail-imap] |
| client = yes |
| accept = 127.0.0.1:143 |
| connect = imap.gmail.com:993 |
| verify = 2 |
| CApath = /etc/ssl/certs |
| checkHost = imap.gmail.com |
| OCSPaia = yes |
| |
| [gmail-smtp] |
| client = yes |
| accept = 127.0.0.1:25 |
| connect = smtp.gmail.com:465 |
| verify = 2 |
| CApath = /etc/ssl/certs |
| checkHost = smtp.gmail.com |
| OCSPaia = yes |
| |
| ; ***************************************** Example TLS server mode services |
| |
| ;[pop3s] |
| ;accept = 995 |
| ;connect = 110 |
| ;cert = @sysconfdir@/stunnel/stunnel.pem |
| |
| ;[imaps] |
| ;accept = 993 |
| ;connect = 143 |
| ;cert = @sysconfdir@/stunnel/stunnel.pem |
| |
| ;[ssmtp] |
| ;accept = 465 |
| ;connect = 25 |
| ;cert = @sysconfdir@/stunnel/stunnel.pem |
| |
| ; TLS front-end to a web server |
| ;[https] |
| ;accept = 443 |
| ;connect = 80 |
| ;cert = @sysconfdir@/stunnel/stunnel.pem |
| ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel |
| ; Microsoft implementations do not use TLS close-notify alert and thus they |
| ; are vulnerable to truncation attacks |
| ;TIMEOUTclose = 0 |
| |
| ; Remote shell protected with PSK-authenticated TLS |
| ; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs |
| ;[shell] |
| ;accept = 1337 |
| ;exec = /bin/sh |
| ;execArgs = sh -i |
| ;ciphers = PSK |
| ;PSKsecrets = @sysconfdir@/stunnel/secrets.txt |
| |
| ; vim:ft=dosini |
