1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
|
; Sample stunnel configuration file for Unix by Michal Trojnara 1998-2018
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options
; **************************************************************************
; * Global options *
; **************************************************************************
; It is recommended to drop root privileges if stunnel is started by root
;setuid = stunnel4
;setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
;pid = @localstatedir@/run/stunnel.pid
; Debugging stuff (may be useful for troubleshooting)
;foreground = yes
;debug = info
;output = @localstatedir@/log/stunnel.log
; Enable FIPS 140-2 mode if needed for compliance
;fips = yes
; The pkcs11 engine allows for authentication with cryptographic
; keys isolated in a hardware or software token
; MODULE_PATH specifies the path to the pkcs11 module shared library,
; e.g. softhsm2.dll or opensc-pkcs11.so
; Each section using this feature also needs the "engineId = pkcs11" option
;engine = pkcs11
;engineCtrl = MODULE_PATH:/usr/lib/softhsm/libsofthsm2.so
;engineCtrl = PIN:1234
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE
; **************************************************************************
; * Include all configuration file fragments from the specified folder *
; **************************************************************************
;include = @sysconfdir@/stunnel/conf.d
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; ***************************************** Example TLS client mode services
; The following examples use /etc/ssl/certs, which is the common location
; of a hashed directory containing trusted CA certificates. This is not
; a hardcoded path of the stunnel package, as it is not related to the
; stunnel configuration in @sysconfdir@/stunnel/.
[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995
verifyChain = yes
CApath = @sysconfdir/ssl/certs
checkHost = pop.gmail.com
OCSPaia = yes
[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993
verifyChain = yes
CApath = @sysconfdir/ssl/certs
checkHost = imap.gmail.com
OCSPaia = yes
[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CApath = @sysconfdir/ssl/certs
checkHost = smtp.gmail.com
OCSPaia = yes
; Encrypted HTTP proxy authenticated with a client certificate
; located in a cryptographic token
;[example-pkcs11]
;client = yes
;accept = 127.0.0.1:8080
;connect = example.com:8443
;engineId = pkcs11
;cert = pkcs11:token=MyToken;object=MyCert
;key = pkcs11:token=MyToken;object=MyKey
; ***************************************** Example TLS server mode services
;[pop3s]
;accept = 995
;connect = 110
;cert = @sysconfdir@/stunnel/stunnel.pem
;[imaps]
;accept = 993
;connect = 143
;cert = @sysconfdir@/stunnel/stunnel.pem
; Either only expose this service to trusted networks, or require
; authentication when relaying emails originated from loopback.
; Otherwise the following configuration creates an open relay.
;[ssmtp]
;accept = 465
;connect = 25
;cert = @sysconfdir@/stunnel/stunnel.pem
; TLS front-end to a web server
;[https]
;accept = 443
;connect = 80
;cert = @sysconfdir@/stunnel/stunnel.pem
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
; Microsoft implementations do not use TLS close-notify alert and thus they
; are vulnerable to truncation attacks
;TIMEOUTclose = 0
; Remote shell protected with PSK-authenticated TLS
; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
;[shell]
;accept = 1337
;exec = /bin/sh
;execArgs = sh -i
;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
;[mysql]
;cert = @sysconfdir@/stunnel/stunnel.pem
;accept = 3307
;connect = /run/mysqld/mysqld.sock
; vim:ft=dosini
|
