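; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; Comments start with ";" in column 0; trailing comments are not supported,
; so anything after a value would become part of that value

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may be useful for troubleshooting)
; "output" redirects log lines to a file; keep it out of world-readable
; locations, as connection metadata is logged at higher debug levels
;debug = info
;output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance
;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys
; stored in the Windows certificate store (the key never has to exist as a
; file on disk)
; Each section using this feature also needs the "engineId = capi" option
;engine = capi

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Enable support for the insecure SSLv3 protocol
; The leading "-" clears the NO_SSLv3 option; leave this commented out
; unless a legacy peer really requires SSLv3
;options = -NO_SSLv3

; These options provide additional security at some performance degradation
; (a fresh ephemeral key per handshake instead of a reused one)
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Include all configuration file fragments from the specified folder     *
; **************************************************************************
; Fragments are parsed as if they were part of this file, so the folder
; should only be writable by administrators
;include = conf.d

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; ***************************************** Example TLS client mode services
; The three Gmail services below share the same hardening:
;   accept on 127.0.0.1 keeps the plaintext side on the local host only
;   verify = 2 requires the server certificate to chain to CAfile
;   checkHost pins the expected name in the server certificate
;   OCSPaia checks revocation via the responder named in the certificate
; CAfile is relative to the stunnel configuration directory
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verify = 2
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verify = 2
CAfile = ca-certs.pem
checkHost = imap.gmail.com
OCSPaia = yes

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verify = 2
CAfile = ca-certs.pem
checkHost = smtp.gmail.com
OCSPaia = yes

; Encrypted HTTP proxy authenticated with a client certificate
; located in the Windows certificate store
; Note that this example does not set verify/CAfile/checkHost, so the
; proxy's own certificate is not validated; add them for production use
;[example-proxy]
;client = yes
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = capi

; ***************************************** Example TLS server mode services
; "accept" with a bare port listens on all local addresses; prefix an
; address (e.g. 127.0.0.1:995) to restrict it
; "connect" with a bare port forwards to the local plaintext service
; stunnel.pem holds the certificate chain and, unless a separate "key"
; option is given, the private key; restrict its permissions to the
; account running the stunnel service
;[pop3s]
;accept = 995
;connect = 110
;cert = stunnel.pem

;[imaps]
;accept = 993
;connect = 143
;cert = stunnel.pem

;[ssmtp]
;accept = 465
;connect = 25
;cert = stunnel.pem

; TLS front-end to a web server
;[https]
;accept = 443
;connect = 80
;cert = stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
; Only enable this in sections that must interoperate with such clients
;TIMEOUTclose = 0

; Remote cmd.exe protected with PSK-authenticated TLS
; Create "secrets.txt" containing IDENTITY:KEY pairs
; "ciphers = PSK" restricts the handshake to PSK cipher suites, so only a
; client that knows one of the listed keys can reach the shell
; Keep secrets.txt readable only by the stunnel service account and
; consider binding "accept" to a specific address rather than all interfaces
;[cmd]
;accept = 1337
;exec = c:\windows\system32\cmd.exe
;execArgs = cmd.exe
;ciphers = PSK
;PSKsecrets = secrets.txt

; vim:ft=dosini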