Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

PropertiesValues
TLS VersionSelect the version of TLS or SSL protocol to use.
TLS protocol versions are more secure than SSL. Select "all" to allow the client and server to negotiate the protocol. 
CompressionSelet the type of data compression to use 
Select 'none', 'zlib', or 'rle'. 
Verify CertificateSelect whether (and how) to use certificate verification for authentication to an TLS/SSL server. A security certificate is optional for a client but required on a server.
The number after the option indicates the "verify=" stunnel value:
NO certificate verification
ALWAYS require peer cert (2)
Request and ignore peer cert (0)
Validate only if cert is present (1)
Verify peer with locally installed cert (3)
Ignore CA chain & only verify peer cert (4) 
Certificate FileIf the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the certificate chain PEM file. If used, this property must begin with "cert = ".
NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; cert = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.
The certificate file must be obtained from an appropriate certificate authority containing credentials for this device, which are also known by the TLS/SSL server. The certificate file must be put on the device in the specified location, and must be in PEM format. 
Key File

If the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the private key assocated with the certificate. If used, this property must begin with "key = ".

NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; key = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.
The key file is typically created along with the certificate and must be put on the device in the specified location, and must be in PEM format. 

CA FileIf the TLS/SSL server's certificate must be validated with a Certificate Authority before connecting to it, a file identifying the CA must be stored on the Linux file system. If used, this property must begin with "CAfile = " (case-sensitive).
The CA file must be in PEM format. 
CRL PathIf using a Certificate Revocation List file(s) to confirm the validity of the server's certificate, this property is used to identify the directory on the Linux file system where the CRL file(s) will be stored
Only two options are available:
none
/etc/stunnel/crls
If using CRL files, they must be stored in the above directory in PEM format. 
Connect TimeoutSelect the amount of time to wait for a TLS/SSL connection to be established.
Default selection is 10 seconds. 
Idle TimeoutSelect the amount of time to keep an idle connection open when there is no data transmitted.
Default selection is 1 hour. 
Busy TimeoutSelect the amount of time to wait for expected data in case of a busy network.
Default selection is 5 minutes. 
FIPS modeSelect whether to use FIPS 140-2 encryption mode.
Default is no. (FIPS mode is not currently supported.)
Cipher ListEnter a list of encryption ciphers to allow for the TLS/SSL connection. This property must begin with "ciphers = " and must contain some criteria for the list of ciphers to include or exclude. Use a colon ((smile) to separate cipher names or criteria. (This property is not required and may be disabled by adding a semicolon before "ciphers" or by clearing the property entirely.)
Example: ciphers = !SSLv3:DH+AES:ECDH:-AES128 
In Linux, the ciphers available in the system may be listed using the command: openssl ciphers -v
or (for example): openssl ciphers -v '!SSLv3:DH+AES:ECDH:-AES128'
The openssl command lists ciphers of various strengths, including those used by SSL or TLS protocol versions. In order to ensure more robust encryption, the list may be filtered to allow only more secure ciphers.
In the above example, "!SSLv3" excludes all ciphers used with the older SSLv3. "DH+AES" includes ciphers that use DH or AES, but excludes those using RSA. "ECDH" includes protocols that use ECDH. "-AES128" filters the list of whatever ciphers may have been included in the previous list by excluding those which use AES with 128-bit encryption, but allows those with 256-bit or better. Consult 'openssl' documentation for further information. 
RenegotiationSelect whether to support connection renegotiation. 
Delay DNSSelect whether to delay DNS lookup until connection. 
Debug LevelSelect the debugging level for TLS/SSL diagnostics
The default level is 5 (notice). Use level 7 for a greater quantity of diagnostic messages in the Log File to troubleshoot connection problems. 
Log FileThis property is hard-coded and indicates where the TLS/SSL debug messages may be found.
Only option is /var/log/messages 
Socket option 1Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.
Default value is "socket = l:TCP_NODELAY=1" 
Socket option 2Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.
Default value is "socket = r:TCP_NODELAY=1" 
PIDName of PID file used by Linux for the TLS/SSL process.
This option is hard-coded to /var/run/stunnel.pid 
PIDName of PID file used by Linux for the TLS/SSL process.
This option is hard-coded to /var/run/stunnel.pid 
Param 1Additional (optional) stunnel parameters. If used, these fields must be
Param 2Formatted as proper 'stunnel' configuration options and will be placed
Param 3verbatim in the stunnel.conf Linux configuration file. 
Client ModeChoose whether to use client mode for the TLS/SSL connection. In Client Mode, this will listen for a local (non-secure) connection to be made to its listener port, and then initiate a connection to a remote server. If set to Server Mode, this will operate as a TLS/SSL server, waiting for a connection to be made to it from another secure client. 
STUNNEL 
Parameters
In the STUNNEL Parameters field, enter a series of properties that are used to define one or more TLS/SSL tunnel between a non-secure and a secure port connection. 
Tunnel NameEnter a unique logical name of the stunnel service (limited to 16 characters) for each tunnel being defined. 
Accept Connection Enter a string that defines the port which will receive the connection, and an optional IP address. Some examples of port or "IP:port" are given below:
443
127.0.0.2:1883
192.168.1.2:3040 
Connect ToEnter a string that defines the address and IP port to which a connection will be made after receiving a socket on the "Accept Connection" port. The address being connected to must be accessible using the system's DNS and routing rules. Some examples are:
10.1.2.1:443
xyz.com:20000
127.0.0.3:3040

...