| ; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2015 | |
| ; Some options used here may be inadequate for your particular configuration | |
| ; This sample file does *not* represent stunnel.conf defaults | |
| ; Please consult the manual for detailed description of available options | |
| ; ************************************************************************** | |
| ; * Global options * | |
| ; ************************************************************************** | |
| ; Debugging stuff (may be useful for troubleshooting) | |
| ;debug = info | |
| ;output = stunnel.log | |
| ; Enable FIPS 140-2 mode if needed for compliance | |
| ;fips = yes | |
| ; Microsoft CryptoAPI engine allows for authentication with private keys | |
| ; stored in the Windows certificate store | |
| ; Each section using this feature also needs the "engineId = capi" option | |
| ;engine = capi | |
| ; ************************************************************************** | |
| ; * Service defaults may also be specified in individual service sections * | |
| ; ************************************************************************** | |
| ; Enable support for the insecure SSLv3 protocol | |
| ;options = -NO_SSLv3 | |
| ; These options provide additional security at some performance degradation | |
| ;options = SINGLE_ECDH_USE | |
| ;options = SINGLE_DH_USE | |
| ; ************************************************************************** | |
| ; * Include all configuration file fragments from the specified folder * | |
| ; ************************************************************************** | |
| ;include = conf.d | |
| ; ************************************************************************** | |
| ; * Service definitions (at least one service has to be defined) * | |
| ; ************************************************************************** | |
| ; ***************************************** Example TLS client mode services | |
| [gmail-pop3] | |
| client = yes | |
| accept = 127.0.0.1:110 | |
| connect = pop.gmail.com:995 | |
| verify = 2 | |
| CAfile = ca-certs.pem | |
| checkHost = pop.gmail.com | |
| OCSPaia = yes | |
| [gmail-imap] | |
| client = yes | |
| accept = 127.0.0.1:143 | |
| connect = imap.gmail.com:993 | |
| verify = 2 | |
| CAfile = ca-certs.pem | |
| checkHost = imap.gmail.com | |
| OCSPaia = yes | |
| [gmail-smtp] | |
| client = yes | |
| accept = 127.0.0.1:25 | |
| connect = smtp.gmail.com:465 | |
| verify = 2 | |
| CAfile = ca-certs.pem | |
| checkHost = smtp.gmail.com | |
| OCSPaia = yes | |
| ; Encrypted HTTP proxy authenticated with a client certificate | |
| ; located in the Windows certificate store | |
| ;[example-proxy] | |
| ;client = yes | |
| ;accept = 127.0.0.1:8080 | |
| ;connect = example.com:8443 | |
| ;engineId = capi | |
| ; ***************************************** Example TLS server mode services | |
| ;[pop3s] | |
| ;accept = 995 | |
| ;connect = 110 | |
| ;cert = stunnel.pem | |
| ;[imaps] | |
| ;accept = 993 | |
| ;connect = 143 | |
| ;cert = stunnel.pem | |
| ;[ssmtp] | |
| ;accept = 465 | |
| ;connect = 25 | |
| ;cert = stunnel.pem | |
| ; TLS front-end to a web server | |
| ;[https] | |
| ;accept = 443 | |
| ;connect = 80 | |
| ;cert = stunnel.pem | |
| ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel | |
| ; Microsoft implementations do not use TLS close-notify alert and thus they | |
| ; are vulnerable to truncation attacks | |
| ;TIMEOUTclose = 0 | |
| ; Remote cmd.exe protected with PSK-authenticated TLS | |
| ; Create "secrets.txt" containing IDENTITY:KEY pairs | |
| ;[cmd] | |
| ;accept = 1337 | |
| ;exec = c:\windows\system32\cmd.exe | |
| ;execArgs = cmd.exe | |
| ;ciphers = PSK | |
| ;PSKsecrets = secrets.txt | |
| ; vim:ft=dosini |