stunnel4 -version (return code: 0)
stunnel 5.39 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2g 1 Mar 2016
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Global options:
debug = daemon.notice
pid = /var/run/stunnel4.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
debug = notice
logId = sequential
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
stunnel4 -help (return code: 0)
stunnel 5.39 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2g 1 Mar 2016
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Global options:
chroot = directory to chroot stunnel process
compression = compression type
debug = [facility].level (e.g. daemon.info)
EGD = path to Entropy Gathering Daemon socket
engine = auto|engine_id
engineCtrl = cmd[:arg]
engineDefault = TASK_LIST
fips = yes|no FIPS 140-2 mode
foreground = yes|quiet|no foreground mode (don't fork, log to stderr)
log = append|overwrite log file
output = file to append log messages
pid = pid file (empty to disable creating)
RNDbytes = bytes to read from random seed files
RNDfile = path to file with random seed data
RNDoverwrite = yes|no overwrite seed datafiles with new random data
service = service name
socket = a|l|r:option=value[:value]
set an option on accept/local/remote socket
syslog = yes|no send logging messages to syslog
Service-level options:
accept = [host:]port accept connections on specified host:port
CApath = CA certificate directory for 'verify' option
CAfile = CA certificate file for 'verify' option
cert = certificate chain
checkEmail = peer certificate email address
checkHost = peer certificate host name pattern
checkIP = peer certificate IP address
ciphers = list of permitted TLS ciphers
client = yes|no client mode (remote service uses TLS)
config = command[:parameter] to execute
connect = [host:]port to connect
CRLpath = CRL directory
CRLfile = CRL file
curve = ECDH curve name
debug = level (e.g. info)
delay = yes|no delay DNS lookup for 'connect' option
engineId = ID of engine to read the key from
engineNum = number of engine to read the key from
exec = file execute local inetd-type program
execArgs = arguments for 'exec' (including $0)
failover = rr|prio failover strategy
ident = username for IDENT (RFC 1413) checking
key = certificate private key
libwrap = yes|no use /etc/hosts.allow and /etc/hosts.deny
local = IP address to be used as source for remote connections
logId = connection identifier type
ocsp = OCSP responder URL
OCSPaia = yes|no check the AIA responders from certificates
OCSPflag = OCSP responder flags
OCSPnonce = yes|no send and verify the OCSP nonce extension
options = TLS option to set/reset
protocol = protocol to negotiate before TLS initialization
currently supported: cifs, connect, imap,
nntp, pgsql, pop3, proxy, smtp, socks
protocolAuthentication = authentication type for protocol negotiations
protocolDomain = domain for protocol negotiations
protocolHost = host:port for protocol negotiations
protocolPassword = password for protocol negotiations
protocolUsername = username for protocol negotiations
PSKidentity = identity for PSK authentication
PSKsecrets = secrets for PSK authentication
pty = yes|no allocate pseudo terminal for 'exec' option
redirect = [host:]port to redirect on authentication failures
renegotiation = yes|no support renegotiation
requireCert = yes|no require client certificate
retry = yes|no send TCP RST on error
retry = yes|no retry connect+exec section
setgid = groupname for setgid()
setuid = username for setuid()
sessionCacheSize = session cache size
sessionCacheTimeout = session cache timeout (in seconds)
sessiond = [host:]port use sessiond at host:port
sni = master_service:host_name for an SNI virtual service
sslVersion = all|SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2 TLS method
stack = thread stack size (in bytes)
TIMEOUTbusy = seconds to wait for expected data
TIMEOUTclose = seconds to wait for close_notify
TIMEOUTconnect = seconds to connect remote host
TIMEOUTidle = seconds to keep an idle connection
transparent = none|source|destination|both transparent proxy mode
verify = level of peer certificate verification
level 0 - request and ignore peer cert
level 1 - only validate peer cert if present
level 2 - always require a valid peer cert
level 3 - verify peer with locally installed cert
level 4 - ignore CA chain and only verify peer cert
verifyChain = yes|no verify certificate chain
verifyPeer = yes|no verify peer certificate