2017-03-28 10:18:03 +02:00
|
|
|
; Sample stunnel configuration file for Unix by Michal Trojnara 2002-2013
|
2017-03-28 09:58:13 +02:00
|
|
|
; Some options used here may be inadequate for your particular configuration
|
|
|
|
|
; This sample file does *not* represent stunnel.conf defaults
|
|
|
|
|
; Please consult the manual for detailed description of available options
|
|
|
|
|
|
|
|
|
|
; **************************************************************************
|
|
|
|
|
; * Global options *
|
|
|
|
|
; **************************************************************************
|
|
|
|
|
|
|
|
|
|
; A copy of some devices and system files is needed within the chroot jail
|
|
|
|
|
; Chroot conflicts with configuration file reload and many other features
|
|
|
|
|
chroot = @prefix@/var/lib/stunnel/
|
|
|
|
|
; Chroot jail can be escaped if setuid option is not used
|
|
|
|
|
setuid = nobody
|
|
|
|
|
setgid = @DEFAULT_GROUP@
|
|
|
|
|
|
|
|
|
|
; PID is created inside the chroot jail
|
|
|
|
|
pid = /stunnel.pid
|
|
|
|
|
|
|
|
|
|
; Debugging stuff (may useful for troubleshooting)
|
|
|
|
|
;debug = 7
|
|
|
|
|
;output = stunnel.log
|
|
|
|
|
|
|
|
|
|
; **************************************************************************
|
|
|
|
|
; * Service defaults may also be specified in individual service sections *
|
|
|
|
|
; **************************************************************************
|
|
|
|
|
|
|
|
|
|
; Certificate/key is needed in server mode and optional in client mode
|
|
|
|
|
cert = @prefix@/etc/stunnel/mail.pem
|
|
|
|
|
;key = @prefix@/etc/stunnel/mail.pem
|
|
|
|
|
|
|
|
|
|
; Authentication stuff needs to be configured to prevent MITM attacks
|
|
|
|
|
; It is not enabled by default!
|
|
|
|
|
;verify = 2
|
|
|
|
|
; Don't forget to c_rehash CApath
|
|
|
|
|
; CApath is located inside chroot jail
|
|
|
|
|
;CApath = /certs
|
|
|
|
|
; It's often easier to use CAfile
|
|
|
|
|
;CAfile = @prefix@/etc/stunnel/certs.pem
|
|
|
|
|
; Don't forget to c_rehash CRLpath
|
|
|
|
|
; CRLpath is located inside chroot jail
|
|
|
|
|
;CRLpath = /crls
|
|
|
|
|
; Alternatively CRLfile can be used
|
|
|
|
|
;CRLfile = @prefix@/etc/stunnel/crls.pem
|
|
|
|
|
|
|
|
|
|
; Disable support for insecure SSLv2 protocol
|
|
|
|
|
options = NO_SSLv2
|
|
|
|
|
; Workaround for Eudora bug
|
|
|
|
|
;options = DONT_INSERT_EMPTY_FRAGMENTS
|
|
|
|
|
|
|
|
|
|
; These options provide additional security at some performance degradation
|
|
|
|
|
;options = SINGLE_ECDH_USE
|
|
|
|
|
;options = SINGLE_DH_USE
|
|
|
|
|
|
|
|
|
|
; **************************************************************************
|
|
|
|
|
; * Service definitions (remove all services for inetd mode) *
|
|
|
|
|
; **************************************************************************
|
|
|
|
|
|
|
|
|
|
; Example SSL server mode services
|
|
|
|
|
|
|
|
|
|
[pop3s]
|
|
|
|
|
accept = 995
|
|
|
|
|
connect = 110
|
|
|
|
|
|
|
|
|
|
[imaps]
|
|
|
|
|
accept = 993
|
|
|
|
|
connect = 143
|
|
|
|
|
|
|
|
|
|
[ssmtp]
|
|
|
|
|
accept = 465
|
|
|
|
|
connect = 25
|
|
|
|
|
|
|
|
|
|
; Example SSL client mode services
|
|
|
|
|
|
|
|
|
|
;[gmail-pop3]
|
|
|
|
|
;client = yes
|
|
|
|
|
;accept = 127.0.0.1:110
|
|
|
|
|
;connect = pop.gmail.com:995
|
|
|
|
|
|
|
|
|
|
;[gmail-imap]
|
|
|
|
|
;client = yes
|
|
|
|
|
;accept = 127.0.0.1:143
|
|
|
|
|
;connect = imap.gmail.com:993
|
|
|
|
|
|
|
|
|
|
;[gmail-smtp]
|
|
|
|
|
;client = yes
|
|
|
|
|
;accept = 127.0.0.1:25
|
|
|
|
|
;connect = smtp.gmail.com:465
|
|
|
|
|
|
|
|
|
|
; Example SSL front-end to a web server
|
|
|
|
|
|
|
|
|
|
;[https]
|
|
|
|
|
;accept = 443
|
|
|
|
|
;connect = 80
|
|
|
|
|
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
|
|
|
|
|
; Microsoft implementations do not use SSL close-notify alert and thus
|
|
|
|
|
; they are vulnerable to truncation attacks
|
|
|
|
|
;TIMEOUTclose = 0
|
|
|
|
|
|
|
|
|
|
; vim:ft=dosini
|
