|TLS Version||Select the version of TLS or SSL protocol to use.|
TLS protocol versions are more secure than SSL. Select "all" to allow the client and server to negotiate the protocol.
|Compression||Selet the type of data compression to use |
Select 'none', 'zlib', or 'rle'.
|Verify Certificate||Select whether (and how) to use certificate verification for authentication to an TLS/SSL server. A security certificate is optional for a client but required on a server.|
The number after the option indicates the "verify=" stunnel value:
NO certificate verification
ALWAYS require peer cert (2)
Request and ignore peer cert (0)
Validate only if cert is present (1)
Verify peer with locally installed cert (3)
Ignore CA chain & only verify peer cert (4)
|Certificate File||If the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the certificate chain PEM file. If used, this property must begin with "cert = ".|
NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; cert = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.
The certificate file must be obtained from an appropriate certificate authority containing credentials for this device, which are also known by the TLS/SSL server. The certificate file must be put on the device in the specified location, and must be in PEM format.
If the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the private key assocated with the certificate. If used, this property must begin with "key = ".
NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; key = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.
|CA File||If the TLS/SSL server's certificate must be validated with a Certificate Authority before connecting to it, a file identifying the CA must be stored on the Linux file system. If used, this property must begin with "CAfile = " (case-sensitive).|
The CA file must be in PEM format.
|CRL Path||If using a Certificate Revocation List file(s) to confirm the validity of the server's certificate, this property is used to identify the directory on the Linux file system where the CRL file(s) will be stored|
Only two options are available:
If using CRL files, they must be stored in the above directory in PEM format.
|Connect Timeout||Select the amount of time to wait for a TLS/SSL connection to be established.|
Default selection is 10 seconds.
|Idle Timeout||Select the amount of time to keep an idle connection open when there is no data transmitted.|
Default selection is 1 hour.
|Busy Timeout||Select the amount of time to wait for expected data in case of a busy network.|
Default selection is 5 minutes.
|FIPS mode||Select whether to use FIPS 140-2 encryption mode.|
Default is no. (FIPS mode is not currently supported.)
|Cipher List||Enter a list of encryption ciphers to allow for the TLS/SSL connection. This property must begin with "ciphers = " and must contain some criteria for the list of ciphers to include or exclude. Use a colon ( to separate cipher names or criteria. (This property is not required and may be disabled by adding a semicolon before "ciphers" or by clearing the property entirely.)|
Example: ciphers = !SSLv3:DH+AES:ECDH:-AES128
In Linux, the ciphers available in the system may be listed using the command: openssl ciphers -v
or (for example): openssl ciphers -v '!SSLv3:DH+AES:ECDH:-AES128'
The openssl command lists ciphers of various strengths, including those used by SSL or TLS protocol versions. In order to ensure more robust encryption, the list may be filtered to allow only more secure ciphers.
In the above example, "!SSLv3" excludes all ciphers used with the older SSLv3. "DH+AES" includes ciphers that use DH or AES, but excludes those using RSA. "ECDH" includes protocols that use ECDH. "-AES128" filters the list of whatever ciphers may have been included in the previous list by excluding those which use AES with 128-bit encryption, but allows those with 256-bit or better. Consult 'openssl' documentation for further information.
|Renegotiation||Select whether to support connection renegotiation.|
|Delay DNS||Select whether to delay DNS lookup until connection.|
|Debug Level||Select the debugging level for TLS/SSL diagnostics|
The default level is 5 (notice). Use level 7 for a greater quantity of diagnostic messages in the Log File to troubleshoot connection problems.
|Log File||This property is hard-coded and indicates where the TLS/SSL debug messages may be found.|
Only option is /var/log/messages
|Socket option 1||Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.|
Default value is "socket = l:TCP_NODELAY=1"
|Socket option 2||Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.|
Default value is "socket = r:TCP_NODELAY=1"
PIDName of PID file used by Linux for the TLS/SSL process.
This option is hard-coded to /var/run/stunnel.pid
|PID||Name of PID file used by Linux for the TLS/SSL process.|
This option is hard-coded to /var/run/stunnel.pid
|Param 1||Additional (optional) stunnel parameters. If used, these fields must be|
|Param 2||Formatted as proper 'stunnel' configuration options and will be placed|
|Param 3||verbatim in the stunnel.conf Linux configuration file.|
|Client Mode||Choose whether to use client mode for the TLS/SSL connection. In Client Mode, this will listen for a local (non-secure) connection to be made to its listener port, and then initiate a connection to a remote server. If set to Server Mode, this will operate as a TLS/SSL server, waiting for a connection to be made to it from another secure client.|
|In the STUNNEL Parameters field, enter a series of properties that are used to define one or more TLS/SSL tunnel between a non-secure and a secure port connection.|
|Tunnel Name||Enter a unique logical name of the stunnel service (limited to 16 characters) for each tunnel being defined.|
|Accept Connection|| Enter a string that defines the port which will receive the connection, and an optional IP address. Some examples of port or "IP:port" are given below:|
|Connect To||Enter a string that defines the address and IP port to which a connection will be made after receiving a socket on the "Accept Connection" port. The address being connected to must be accessible using the system's DNS and routing rules. Some examples are:|