stunnel -version (return code: 0)
stunnel 5.39 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2g 1 Mar 2016
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Global options:
debug = daemon.notice
pid = /var/run/stunnel4.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
debug = notice
logId = sequential
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
stunnel -help (return code: 0)
stunnel 5.39 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2g 1 Mar 2016
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Global options:
chroot = directory to chroot stunnel process
compression = compression type
debug = [facility].level (e.g. daemon.info)
EGD = path to Entropy Gathering Daemon socket
engine = auto|engine_id
engineCtrl = cmd[:arg]
engineDefault = TASK_LIST
fips = yes|no FIPS 140-2 mode
foreground = yes|quiet|no foreground mode (don't fork, log to stderr)
log = append|overwrite log file
output = file to append log messages
pid = pid file (empty to disable creating)
RNDbytes = bytes to read from random seed files
RNDfile = path to file with random seed data
RNDoverwrite = yes|no overwrite seed datafiles with new random data
service = service name
socket = a|l|r:option=value[:value]
set an option on accept/local/remote socket
syslog = yes|no send logging messages to syslog
Service-level options:
accept = [host:]port accept connections on specified host:port
CApath = CA certificate directory for 'verify' option
CAfile = CA certificate file for 'verify' option
cert = certificate chain
checkEmail = peer certificate email address
checkHost = peer certificate host name pattern
checkIP = peer certificate IP address
ciphers = list of permitted TLS ciphers
client = yes|no client mode (remote service uses TLS)
config = command[:parameter] to execute
connect = [host:]port to connect
CRLpath = CRL directory
CRLfile = CRL file
curve = ECDH curve name
debug = level (e.g. info)
delay = yes|no delay DNS lookup for 'connect' option
engineId = ID of engine to read the key from
engineNum = number of engine to read the key from
exec = file execute local inetd-type program
execArgs = arguments for 'exec' (including $0)
failover = rr|prio failover strategy
ident = username for IDENT (RFC 1413) checking
key = certificate private key
libwrap = yes|no use /etc/hosts.allow and /etc/hosts.deny
local = IP address to be used as source for remote connections
logId = connection identifier type
ocsp = OCSP responder URL
OCSPaia = yes|no check the AIA responders from certificates
OCSPflag = OCSP responder flags
OCSPnonce = yes|no send and verify the OCSP nonce extension
options = TLS option to set/reset
protocol = protocol to negotiate before TLS initialization
currently supported: cifs, connect, imap,
nntp, pgsql, pop3, proxy, smtp, socks
protocolAuthentication = authentication type for protocol negotiations
protocolDomain = domain for protocol negotiations
protocolHost = host:port for protocol negotiations
protocolPassword = password for protocol negotiations
protocolUsername = username for protocol negotiations
PSKidentity = identity for PSK authentication
PSKsecrets = secrets for PSK authentication
pty = yes|no allocate pseudo terminal for 'exec' option
redirect = [host:]port to redirect on authentication failures
renegotiation = yes|no support renegotiation
requireCert = yes|no require client certificate
reset = yes|no send TCP RST on error
retry = yes|no retry connect+exec section
setgid = groupname for setgid()
setuid = username for setuid()
sessionCacheSize = session cache size
sessionCacheTimeout = session cache timeout (in seconds)
sessiond = [host:]port use sessiond at host:port
sni = master_service:host_name for an SNI virtual service
sslVersion = all|SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2 TLS method
stack = thread stack size (in bytes)
TIMEOUTbusy = seconds to wait for expected data
TIMEOUTclose = seconds to wait for close_notify
TIMEOUTconnect = seconds to connect remote host
TIMEOUTidle = seconds to keep an idle connection
transparent = none|source|destination|both transparent proxy mode
verify = level of peer certificate verification
level 0 - request and ignore peer cert
level 1 - only validate peer cert if present
level 2 - always require a valid peer cert
level 3 - verify peer with locally installed cert
level 4 - ignore CA chain and only verify peer cert
verifyChain = yes|no verify certificate chain
verifyPeer = yes|no verify peer certificate
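The defaults printed by `stunnel -version` above are worth reading as a security checklist: `verify = none` means a client-mode tunnel accepts any certificate, and the default cipher list `HIGH:+3DES:+DH:!aNULL:!SSLv2` still offers 3DES. The following is an added example, not part of stunnel or of this help output: a small parser for stunnel's `key = value` / `[service]` configuration format plus an audit over the options listed in the `-help` section (`verify`, `checkHost`/`checkIP`/`checkEmail`, `CAfile`/`CApath`, `sslVersion`, `options`, `ciphers`, `setuid`/`setgid`). Both sample configurations are constructed for the example; `mail.example.com`, the CA bundle path and the `stunnel4` account are placeholders, and the comment-syntax handling (`;` or `#` at line start) is an assumption about the format rather than something this page states.

```python
"""Audit a stunnel.conf for weak TLS settings (added example, not stunnel code)."""
import re
from typing import Dict, List

Section = Dict[str, List[str]]

# Constructed sample: a client-mode tunnel that relies on the 5.39 defaults
# shown above (verify = none, default cipher list including 3DES).
WEAK_CONF = """\
; global options
pid = /var/run/stunnel4.pid
setuid = stunnel4
setgid = stunnel4

[imaps]
client = yes
accept = 127.0.0.1:143
connect = mail.example.com:993
sslVersion = all
"""

# Same tunnel with the remote peer actually authenticated and bound to a
# host name, legacy protocols excluded and an explicit cipher list.
# Host name, CA bundle path and account are placeholders (assumptions).
HARDENED_CONF = """\
pid = /var/run/stunnel4.pid
setuid = stunnel4
setgid = stunnel4

[imaps]
client = yes
accept = 127.0.0.1:143
connect = mail.example.com:993
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = mail.example.com
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
ciphers = ECDHE+AESGCM:!aNULL:!MD5
renegotiation = no
"""


def parse_stunnel_conf(text: str) -> Dict[str, Section]:
    """Parse stunnel's 'key = value' / '[service]' layout.

    Option names are case-insensitive in stunnel, so keys are lowercased.
    Every value is kept in a list because some options ('options', 'socket')
    are legitimately repeated. Section '' holds the global block that
    precedes the first [service] header. Lines starting with ';' or '#'
    are treated as comments (assumption about the format).
    """
    sections: Dict[str, Section] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def _last(sec: Section, key: str, default: str = "") -> str:
    """Last value wins for single-valued options, as a reader of the file would expect."""
    return sec.get(key, [default])[-1]


# Substrings that mark a cipher or alias as legacy when it is enabled (not prefixed by ! or -).
WEAK_CIPHER_TOKENS = ("3des", "des", "rc4", "null", "export", "md5")


def audit(conf: Dict[str, Section]) -> List[str]:
    """Return human-readable findings; an empty list means nothing weak was found."""
    findings: List[str] = []
    glob = conf[""]
    # Without setuid/setgid stunnel keeps the privileges of whoever started it.
    if "setuid" not in glob or "setgid" not in glob:
        findings.append("global: no setuid/setgid, stunnel keeps its starting privileges")

    for name, sec in conf.items():
        if not name:
            continue
        # Service-level options written before the first [section] act as defaults.
        merged = {**glob, **sec}
        client = _last(merged, "client", "no").lower() == "yes"
        verify = _last(merged, "verify", "none").lower()
        if client:
            if verify in ("none", "0", "1"):
                findings.append(f"{name}: client mode with verify = {verify}; "
                                "the remote certificate is not required to be valid")
            elif verify == "2" and not any(k in merged for k in ("checkhost", "checkip", "checkemail")):
                findings.append(f"{name}: verify = 2 without checkHost/checkIP/checkEmail; "
                                "any certificate from a trusted CA is accepted")
        if verify in ("2", "3") and "cafile" not in merged and "capath" not in merged:
            findings.append(f"{name}: verify = {verify} but no CAfile/CApath to validate against")
        ssl_version = _last(merged, "sslversion", "all")
        if ssl_version.upper() in ("SSLV2", "SSLV3"):
            findings.append(f"{name}: sslVersion = {ssl_version} forces an obsolete protocol")
        opts = [o.upper() for o in merged.get("options", [])]
        for legacy in ("NO_SSLV2", "NO_SSLV3"):
            if f"-{legacy}" in opts:
                findings.append(f"{name}: options = -{legacy} re-enables a protocol the defaults disable")
        ciphers = _last(merged, "ciphers", "")
        if not ciphers:
            findings.append(f"{name}: no ciphers set; default HIGH:+3DES:+DH:!aNULL:!SSLv2 still offers 3DES")
        else:
            enabled = [tok for tok in ciphers.split(":") if tok and tok[0] not in "!-"]
            weak = [tok for tok in enabled if any(w in tok.lower() for w in WEAK_CIPHER_TOKENS)]
            if weak:
                findings.append(f"{name}: cipher list enables {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in audit(parse_stunnel_conf(text)) or ["no findings"]:
            print(" -", finding)
```

Run against the two constructed files, the weak one produces two findings (unverified peer, default cipher list) and the hardened one none. Note that `verify = 2` on its own only proves the peer holds a certificate signed by something in `CAfile`/`CApath`; the `checkHost`/`checkIP`/`checkEmail` options from the help text are what tie that certificate to the host named in `connect`, which is why the audit treats their absence as a finding.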