SF.net SVN: gar:[25038] csw/mgar/pkg/stunnel/trunk
dmichelsen at users.sourceforge.net
dmichelsen at users.sourceforge.net
Sun May 31 22:36:14 CEST 2015
Revision: 25038
http://sourceforge.net/p/gar/code/25038
Author: dmichelsen
Date: 2015-05-31 20:36:13 +0000 (Sun, 31 May 2015)
Log Message:
-----------
stunnel/trunk: Intermediate commit
Modified Paths:
--------------
csw/mgar/pkg/stunnel/trunk/Makefile
csw/mgar/pkg/stunnel/trunk/checksums
Added Paths:
-----------
csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch
Modified: csw/mgar/pkg/stunnel/trunk/Makefile
===================================================================
--- csw/mgar/pkg/stunnel/trunk/Makefile 2015-05-30 19:06:35 UTC (rev 25037)
+++ csw/mgar/pkg/stunnel/trunk/Makefile 2015-05-31 20:36:13 UTC (rev 25038)
@@ -7,7 +7,7 @@
# Test on Solaris 8 / 9 for comparison
#
NAME = stunnel
-VERSION = 4.56
+VERSION = 5.17
GARTYPE = v2
DESCRIPTION = Universal SSL Wrapper
@@ -19,35 +19,39 @@
the daemon's code.
endef
-VENDOR_URL = http://www.stunnel.org
MASTER_SITES = ftp://ftp.stunnel.org/stunnel/
DISTFILES = $(NAME)-$(VERSION).tar.gz
DISTFILES += CSWstunnel.cswstunnel
+# Use patch until this is fixed:
+# https://github.com/dago/stunnel/compare/master...sysconfdir
+PATCHFILES += 0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch
+
# Upstream moves versions to an obsolete/ subdir over time, consider it too
MAJOR_VER = $(firstword $(subst ., ,$(VERSION)))
MASTER_SITES += ftp://ftp.stunnel.org/stunnel/obsolete/$(MAJOR_VER).x/
+VENDOR_URL = http://www.stunnel.org
+
BUILD_DEP_PKGS += CSWlibssl-dev
+BUILD_DEP_PKGS += CSWlibwrap-dev
-PACKAGING_PLATFORMS = solaris10-sparc solaris10-i386
+PACKAGES += CSWstunnel
+SPKG_DESC_CSWstunnel = Universal SSL Wrapper
+# PKGFILES is catchall
+RUNTIME_DEP_PKGS_CSWstunnel += CSWlibssl1-0-0
+RUNTIME_DEP_PKGS_CSWstunnel += CSWlibwrap1
-RUNTIME_DEP_PKGS += CSWlibssl1-0-0
-RUNTIME_DEP_PKGS += CSWlibwrap1
-
# Make stunnel.conf-sample.in honor our $localstatedir. Issue description:
# cf. http://marc.info/?l=stunnel-users&m=128035848632004&w=2
# Not merged upstream as ./configure without arguments leads to expansions
# that the config file doesn't understand, e.g. sysconfdir='${prefix}/etc'
-PATCHFILES = 0001-Make-stunnel.conf-sample.in-honor-sysconfdir-localst.patch
+#PATCHFILES = 0001-Make-stunnel.conf-sample.in-honor-sysconfdir-localst.patch
-sysconfdir=/etc/opt/csw
-localstatedir=/var/opt/csw
-
CONFIGURE_ARGS = $(DIRPATHS)
CONFIGURE_ARGS += --with-ssl=$(prefix)
CONFIGURE_ARGS += --enable-ipv6
-CONFIGURE_ARGS += --enable-dh
+##CONFIGURE_ARGS += --enable-dh
CONFIGURE_ARGS += --localstatedir=$(localstatedir)
# No test target available
Modified: csw/mgar/pkg/stunnel/trunk/checksums
===================================================================
--- csw/mgar/pkg/stunnel/trunk/checksums 2015-05-30 19:06:35 UTC (rev 25037)
+++ csw/mgar/pkg/stunnel/trunk/checksums 2015-05-31 20:36:13 UTC (rev 25038)
@@ -1 +1 @@
-ac4c4a30bd7a55b6687cbd62d864054c stunnel-4.56.tar.gz
+e70f001ee190105c5a10a74f4bd54901 stunnel-5.17.tar.gz
Added: csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch
===================================================================
--- csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch (rev 0)
+++ csw/mgar/pkg/stunnel/trunk/files/0001-Honour-sysconfdir-bindir-and-localstatedir-everywher.patch 2015-05-31 20:36:13 UTC (rev 25038)
@@ -0,0 +1,2992 @@
+From e7e2f2cd0788d84653ea7ed9e69c02078a9ecece Mon Sep 17 00:00:00 2001
+From: Dagobert Michelsen <dam at opencsw.org>
+Date: Sun, 31 May 2015 22:16:27 +0200
+Subject: [PATCH] Honour sysconfdir, bindir and localstatedir everywhere
+
+---
+ configure.ac | 2 +-
+ doc/Makefile.am | 8 +
+ doc/stunnel.pod | 1365 ------------------------------------------
+ doc/stunnel.pod.in | 1365 ++++++++++++++++++++++++++++++++++++++++++
+ src/Makefile.am | 7 +
+ src/stunnel3.in | 2 +-
+ tools/Makefile.am | 14 +
+ tools/stunnel.conf-sample.in | 20 +-
+ tools/stunnel.init.in | 16 +-
+ tools/stunnel.service.in | 2 +-
+ 10 files changed, 1415 insertions(+), 1386 deletions(-)
+ delete mode 100644 doc/stunnel.pod
+ create mode 100644 doc/stunnel.pod.in
+
+diff --git a/configure.ac b/configure.ac
+index 1ee8860..519ed2a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -441,7 +441,7 @@ CPPFLAGS="$valid_CPPFLAGS"
+ LIBS="$valid_LIBS"
+
+ AC_MSG_NOTICE([**************************************** write the results])
+-AC_CONFIG_FILES([Makefile src/Makefile src/stunnel3 doc/Makefile tools/Makefile tools/stunnel.conf-sample tools/stunnel.init tools/stunnel.service])
++AC_CONFIG_FILES([Makefile src/Makefile doc/Makefile tools/Makefile])
+ AC_OUTPUT
+
+ AC_MSG_NOTICE([**************************************** success])
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index cb64b68..8d0060f 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -19,3 +19,11 @@ SUFFIXES = .pod .8 .html
+ pod2html --noindex --title stunnel.8 --infile=$< --outfile=$@
+ rm -f pod2htmd.tmp pod2htmi.tmp
+
++edit = sed \
++ -e 's|@bindir[@]|$(bindir)|g' \
++ -e 's|@sysconfdir[@]|$(sysconfdir)|g'
++
++stunnel.pod: Makefile
++ $(edit) '$(srcdir)/$@.in' >$@
++
++stunnel.pod: $(srcdir)/stunnel.pod
+diff --git a/doc/stunnel.pod b/doc/stunnel.pod
+deleted file mode 100644
+index 3fc3d4e..0000000
+--- a/doc/stunnel.pod
++++ /dev/null
+@@ -1,1365 +0,0 @@
+-=head1 NAME
+-
+-=encoding utf8
+-
+-stunnel - TLS offloading and load-balancing proxy
+-
+-
+-=head1 SYNOPSIS
+-
+-=over 4
+-
+-=item B<Unix:>
+-
+-B<stunnel> [S<FILE>] | S<-fd N> | S<-help> | S<-version> | S<-sockets> | S<-options>
+-
+-=item B<WIN32:>
+-
+-B<stunnel> [ [ S<-install> | S<-uninstall> | S<-start> | S<-stop> |
+- S<-reload> | S<-reopen> | S<-exit> ] [S<-quiet>] [S<FILE>] ] |
+- S<-help> | S<-version> | S<-sockets> | S<-options>
+-
+-=back
+-
+-
+-=head1 DESCRIPTION
+-
+-The B<stunnel> program is designed to work as I<SSL> encryption wrapper
+-between remote clients and local (I<inetd>-startable) or remote
+-servers. The concept is that having non-SSL aware daemons running on
+-your system you can easily set them up to communicate with clients over
+-secure SSL channels.
+-
+-B<stunnel> can be used to add SSL functionality to commonly used I<Inetd>
+-daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
+-NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
+-changes to the source code.
+-
+-This product includes cryptographic software written by
+-Eric Young (eay at cryptsoft.com)
+-
+-
+-=head1 OPTIONS
+-
+-=over 4
+-
+-=item B<FILE>
+-
+-Use specified configuration file
+-
+-=item B<-fd N> (Unix only)
+-
+-Read the config file from specified file descriptor
+-
+-=item B<-help>
+-
+-Print B<stunnel> help menu
+-
+-=item B<-version>
+-
+-Print B<stunnel> version and compile time defaults
+-
+-=item B<-sockets>
+-
+-Print default socket options
+-
+-=item B<-options>
+-
+-Print supported SSL options
+-
+-=item B<-install> (Windows NT and later only)
+-
+-Install NT Service
+-
+-=item B<-uninstall> (Windows NT and later only)
+-
+-Uninstall NT Service
+-
+-=item B<-start> (Windows NT and later only)
+-
+-Start NT Service
+-
+-=item B<-stop> (Windows NT and later only)
+-
+-Stop NT Service
+-
+-=item B<-reload> (Windows NT and later only)
+-
+-Reload configuration file of the running NT Service
+-
+-=item B<-reopen> (Windows NT and later only)
+-
+-Reopen log file of the running NT Service
+-
+-=item B<-exit> (Win32 only)
+-
+-Exit an already started stunnel
+-
+-=item B<-quiet> (Win32 only)
+-
+-Don't display any message boxes
+-
+-=back
+-
+-
+-=head1 CONFIGURATION FILE
+-
+-Each line of the configuration file can be either:
+-
+-=over 4
+-
+-=item *
+-
+-An empty line (ignored).
+-
+-=item *
+-
+-A comment starting with ';' (ignored).
+-
+-=item *
+-
+-An 'option_name = option_value' pair.
+-
+-=item *
+-
+-'[service_name]' indicating a start of a service definition.
+-
+-=back
+-
+-An address parameter of an option may be either:
+-
+-=over 4
+-
+-=item *
+-
+-A port number.
+-
+-=item *
+-
+-A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number.
+-
+-=item *
+-
+-A Unix socket path (Unix only).
+-
+-=back
+-
+-=head2 GLOBAL OPTIONS
+-
+-=over 4
+-
+-=item B<chroot> = DIRECTORY (Unix only)
+-
+-directory to chroot B<stunnel> process
+-
+-B<chroot> keeps B<stunnel> in chrooted jail. I<CApath>, I<CRLpath>, I<pid>
+-and I<exec> are located inside the jail and the patches have to be relative
+-to the directory specified with B<chroot>.
+-
+-Several functions of the operating system also need their files to be located within chroot jail, e.g.:
+-
+-=over 4
+-
+-=item *
+-
+-Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
+-
+-=item *
+-
+-Local time in log files needs /etc/timezone.
+-
+-=item *
+-
+-Some other functions may need devices, e.g. /dev/zero or /dev/null.
+-
+-=back
+-
+-=item B<compression> = deflate | zlib
+-
+-select data compression algorithm
+-
+-default: no compression
+-
+-deflate is the standard compression method as described in RFC 1951.
+-
+-zlib compression of B<OpenSSL 0.9.8> or above is not backward compatible with
+-B<OpenSSL 0.9.7>.
+-
+-=item B<debug> = [FACILITY.]LEVEL
+-
+-debugging level
+-
+-Level is a one of the syslog level names or numbers
+-emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
+-info (6), or debug (7). All logs for the specified level and
+-all levels numerically less than it will be shown. Use I<debug = debug> or
+-I<debug = 7> for greatest debugging output. The default is notice (5).
+-
+-The syslog facility 'daemon' will be used unless a facility name is supplied.
+-(Facilities are not supported on Win32.)
+-
+-Case is ignored for both facilities and levels.
+-
+-=item B<EGD> = EGD_PATH (Unix only)
+-
+-path to Entropy Gathering Daemon socket
+-
+-Entropy Gathering Daemon socket to use to feed B<OpenSSL> random number
+-generator. (Available only if compiled with B<OpenSSL 0.9.5a> or higher)
+-
+-=item B<engine> = auto | ENGINE_ID
+-
+-select hardware engine
+-
+-default: software-only cryptography
+-
+-Here is an example of advanced engine configuration to read private key from an
+-OpenSC engine
+-
+- engine=dynamic
+- engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
+- engineCtrl=ID:pkcs11
+- engineCtrl=LIST_ADD:1
+- engineCtrl=LOAD
+- engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
+- engineCtrl=INIT
+-
+- [service]
+- engineNum=1
+- key=id_45
+-
+-=item B<engineCtrl> = COMMAND[:PARAMETER]
+-
+-control hardware engine
+-
+-Special commands "LOAD" and "INIT" can be used to load and initialize the
+-engine cryptogaphic module.
+-
+-=item B<engineDefault> = TASK_LIST
+-
+-set OpenSSL tasks delegated to the current engine
+-
+-The parameter specifies a comma-separated list of task to be delegated to the
+-current engine.
+-
+-The following tasks may be available, if supported by the engine: ALL, RSA,
+-DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
+-
+-=item B<fips> = yes | no
+-
+-Enable or disable FIPS 140-2 mode.
+-
+-This option allows to disable entering FIPS mode if B<stunnel> was compiled
+-with FIPS 140-2 support.
+-
+-default: no (since version 5.00)
+-
+-=item B<foreground> = yes | no (Unix only)
+-
+-foreground mode
+-
+-Stay in foreground (don't fork) and log to stderr
+-instead of via syslog (unless I<output> is specified).
+-
+-default: background in daemon mode
+-
+-=item B<iconActive> = ICON_FILE (GUI only)
+-
+-GUI icon to be displayed when there are established connections
+-
+-On Windows platform the parameter should be an .ico file containing a 16x16
+-pixel image.
+-
+-=item B<iconError> = ICON_FILE (GUI only)
+-
+-GUI icon to be displayed when no valid configuration is loaded
+-
+-On Windows platform the parameter should be an .ico file containing a 16x16
+-pixel image.
+-
+-=item B<iconIdle> = ICON_FILE (GUI only)
+-
+-GUI icon to be displayed when there are no established connections
+-
+-On Windows platform the parameter should be an .ico file containing a 16x16
+-pixel image.
+-
+-=item B<log> = append | overwrite
+-
+-log file handling
+-
+-This option allows to choose whether the log file (specified with the I<output>
+-option) is appended or overwritten when opened or re-opened.
+-
+-default: append
+-
+-=item B<output> = FILE
+-
+-append log messages to a file
+-
+-/dev/stdout device can be used to send log messages to the standard
+-output (for example to log them with daemontools splogger).
+-
+-=item B<pid> = FILE (Unix only)
+-
+-pid file location
+-
+-If the argument is empty, then no pid file will be created.
+-
+-I<pid> path is relative to I<chroot> directory if specified.
+-
+-=item B<RNDbytes> = BYTES
+-
+-bytes to read from random seed files
+-
+-Number of bytes of data read from random seed files. With SSL versions less
+-than B<0.9.5a>, also determines how many bytes of data are considered
+-sufficient to seed the PRNG. More recent B<OpenSSL> versions have a builtin
+-function to determine when sufficient randomness is available.
+-
+-=item B<RNDfile> = FILE
+-
+-path to file with random seed data
+-
+-The SSL library will use data from this file first to seed the random
+-number generator.
+-
+-=item B<RNDoverwrite> = yes | no
+-
+-overwrite the random seed files with new random data
+-
+-default: yes
+-
+-=item B<service> = SERVICE (Unix only)
+-
+-stunnel service name
+-
+-The specified service name is used for syslog and as the I<inetd> mode service
+-name for TCP Wrappers. While this option can technically be specified in the
+-service sections, it is only useful in global options.
+-
+-default: stunnel
+-
+-=item B<setgid> = GROUP (Unix only)
+-
+-setgid() to the specified group in daemon mode and clear all other groups
+-
+-=item B<setuid> = USER (Unix only)
+-
+-setuid() to the specified user in daemon mode
+-
+-=item B<socket> = a|l|r:OPTION=VALUE[:VALUE]
+-
+-Set an option on accept/local/remote socket
+-
+-The values for linger option are l_onof:l_linger.
+-The values for time are tv_sec:tv_usec.
+-
+-Examples:
+-
+- socket = l:SO_LINGER=1:60
+- set one minute timeout for closing local socket
+- socket = r:SO_OOBINLINE=yes
+- place out-of-band data directly into the
+- receive data stream for remote sockets
+- socket = a:SO_REUSEADDR=no
+- disable address reuse (enabled by default)
+- socket = a:SO_BINDTODEVICE=lo
+- only accept connections on loopback interface
+-
+-=item B<syslog> = yes | no (Unix only)
+-
+-enable logging via syslog
+-
+-default: yes
+-
+-=item B<taskbar> = yes | no (WIN32 only)
+-
+-enable the taskbar icon
+-
+-default: yes
+-
+-=back
+-
+-
+-=head2 SERVICE-LEVEL OPTIONS
+-
+-Each configuration section begins with service name in square brackets.
+-The service name is used for libwrap (TCP Wrappers) access control and lets
+-you distinguish B<stunnel> services in your log files.
+-
+-Note that if you wish to run B<stunnel> in I<inetd> mode (where it
+-is provided a network socket by a server such as I<inetd>, I<xinetd>,
+-or I<tcpserver>) then you should read the section entitled I<INETD MODE>
+-below.
+-
+-
+-=over 4
+-
+-=item B<accept> = [HOST:]PORT
+-
+-accept connections on specified address
+-
+-If no host specified, defaults to all IPv4 addresses for the local host.
+-
+-To listen on all IPv6 addresses use:
+-
+- accept = :::PORT
+-
+-=item B<CApath> = DIRECTORY
+-
+-Certificate Authority directory
+-
+-This is the directory in which B<stunnel> will look for certificates when using
+-the I<verify>. Note that the certificates in this directory should be named
+-XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the
+-cert.
+-
+-The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
+-c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
+-
+-I<CApath> path is relative to I<chroot> directory if specified.
+-
+-=item B<CAfile> = CERT_FILE
+-
+-Certificate Authority file
+-
+-This file contains multiple CA certificates, used with the I<verify>.
+-
+-=item B<cert> = PEM_FILE
+-
+-certificate chain PEM file name
+-
+-The certificates must be in PEM format, and must be from the
+-actual server/client certificate to the self-signed root CA certificate.
+-
+-A certificate is required in server mode, and optional in client mode.
+-
+-=item B<checkEmail> = EMAIL
+-
+-email address of the peer certificate subject
+-
+-Multiple I<checkEmail> options are allowed in a single service section.
+-Certificates are accepted if no I<checkEmail> option was specified, or the
+-email address of the peer certificate matches any of the email addresses
+-specified with I<checkEmail>.
+-
+-=item B<checkHost> = HOST
+-
+-host of the peer certificate subject
+-
+-Multiple I<checkHost> options are allowed in a single service section.
+-Certificates are accepted if no I<checkHost> option was specified, or the host
+-name of the peer certificate matches any of the hosts specified with
+-I<checkHost>.
+-
+-=item B<checkIP> = IP
+-
+-IP address of the peer certificate subject
+-
+-Multiple I<checkIP> options are allowed in a single service section.
+-Certificates are accepted if no I<checkIP> option was specified, or the IP
+-address of the peer certificate matches any of the IP addresses specified with
+-I<checkIP>.
+-
+-=item B<ciphers> = CIPHER_LIST
+-
+-Select permitted SSL ciphers
+-
+-A colon delimited list of the ciphers to allow in the SSL connection,
+-for example DES-CBC3-SHA:IDEA-CBC-MD5.
+-
+-=item B<client> = yes | no
+-
+-client mode (remote service uses SSL)
+-
+-default: no (server mode)
+-
+-=item B<connect> = [HOST:]PORT
+-
+-connect to a remote address
+-
+-If no host is specified, the host defaults to localhost.
+-
+-Multiple I<connect> options are allowed in a single service section.
+-
+-If host resolves to multiple addresses and/or if multiple I<connect>
+-options are specified, then the remote address is chosen using a
+-round-robin algorithm.
+-
+-=item B<CRLpath> = DIRECTORY
+-
+-Certificate Revocation Lists directory
+-
+-This is the directory in which B<stunnel> will look for CRLs when
+-using the I<verify>. Note that the CRLs in this directory should
+-be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.
+-
+-The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
+-c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
+-
+-I<CRLpath> path is relative to I<chroot> directory if specified.
+-
+-=item B<CRLfile> = CERT_FILE
+-
+-Certificate Revocation Lists file
+-
+-This file contains multiple CRLs, used with the I<verify>.
+-
+-=item B<curve> = NID
+-
+-specify ECDH curve name
+-
+-To get a list of supported cuves use:
+-
+- openssl ecparam -list_curves
+-
+-default: prime256v1
+-
+-=item B<logId> = TYPE
+-
+-connection identifier type
+-
+-This identifier allows to distinguish log entries generated for each of the
+-connections.
+-
+-Currently supported types:
+-
+-=over 4
+-
+-=item I<sequential>
+-
+-The numeric sequential identifier is only unique within a single instance of
+-B<stunnel>, but very compact. It is most useful for manual log analysis.
+-
+-=item I<unique>
+-
+-This alphanumeric identifier is globally unique, but longer than the sequential
+-number. It is most useful for automated log analysis.
+-
+-=item I<thread>
+-
+-The operating system thread identifier is neither unique (even within a single
+-instance of B<stunnel>) nor short. It is most useful for debugging software
+-or configuration issues.
+-
+-=back
+-
+-default: sequential
+-
+-=item B<debug> = LEVEL
+-
+-debugging level
+-
+-Level is a one of the syslog level names or numbers
+-emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
+-info (6), or debug (7). All logs for the specified level and
+-all levels numerically less than it will be shown. Use I<debug = debug> or
+-I<debug = 7> for greatest debugging output. The default is notice (5).
+-
+-=item B<delay> = yes | no
+-
+-delay DNS lookup for I<connect> option
+-
+-This option is useful for dynamic DNS, or when DNS is not available during
+-B<stunnel> startup (road warrior VPN, dial-up configurations).
+-
+-Delayed resolver mode is automatically engaged when stunnel fails to resolve on
+-startup any of the I<connect> targets for a service.
+-
+-Delayed resolver inflicts I<failover = prio>.
+-
+-default: no
+-
+-=item B<engineId> = ENGINE_ID
+-
+-select engine ID for the service
+-
+-=item B<engineNum> = ENGINE_NUMBER
+-
+-select engine number for the service
+-
+-The engines are numbered starting from 1.
+-
+-=item B<exec> = EXECUTABLE_PATH
+-
+-execute local inetd-type program
+-
+-I<exec> path is relative to I<chroot> directory if specified.
+-
+-The following environmental variables are set on Unix platform:
+-REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.
+-
+-=item B<execArgs> = $0 $1 $2 ...
+-
+-arguments for I<exec> including program name ($0)
+-
+-Quoting is currently not supported.
+-Arguments are separated with arbitrary number of whitespaces.
+-
+-=item B<failover> = rr | prio
+-
+-Failover strategy for multiple "connect" targets.
+-
+- rr (round robin) - fair load distribution
+- prio (priority) - use the order specified in config file
+-
+-default: rr
+-
+-=item B<ident> = USERNAME
+-
+-use IDENT (RFC 1413) username checking
+-
+-=item B<key> = KEY_FILE
+-
+-private key for certificate specified with I<cert> option
+-
+-Private key is needed to authenticate certificate owner.
+-Since this file should be kept secret it should only be readable
+-to its owner. On Unix systems you can use the following command:
+-
+- chmod 600 keyfile
+-
+-default: value of I<cert> option
+-
+-=item B<libwrap> = yes | no
+-
+-Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
+-
+-default: no (since version 5.00)
+-
+-=item B<local> = HOST
+-
+-IP of the outgoing interface is used as source for remote connections.
+-Use this option to bind a static local IP address, instead.
+-
+-=item B<sni> = SERVICE:SERVER_PATTERN (server mode)
+-
+-Use the service as a slave service (a name-based virtual server) for Server
+-Name Indication TLS extension (RFC 3546).
+-
+-I<service_name> specifies the master service that accepts client connections
+-with I<accept> option. I<server_name_pattern> specifies the host name to be
+-redirected. The pattern may start with '*' character, e.g. '*.example.com'.
+-Multiple slave services are normally specified for a single master service.
+-I<sni> option can also be specified more than once within a single slave
+-service.
+-
+-This service, as well as the master service, may not be configured in client
+-mode.
+-
+-I<connect> option of the slave service is ignored when I<protocol> option is
+-specified, as I<protocol> connects remote host before TLS handshake.
+-
+-Libwrap checks (Unix only) are performed twice: with master service name after
+-TCP connection is accepted, and with slave service name during TLS handshake.
+-
+-Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
+-
+-=item B<sni> = SERVER (client mode)
+-
+-Use the parameter as the value of TLS Server Name Indication (RFC 3546)
+-extension.
+-
+-Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
+-
+-=item B<OCSP> = URL
+-
+-select OCSP server for certificate verification
+-
+-=item B<OCSPaia> = yes | no
+-
+-validate certificates with their AIA OCSP responders
+-
+-This option enables I<stunnel> to validate certificates with the list of
+-OCSP responder URLs retrieved from their AIA (Authority Information Access)
+-extension.
+-
+-=item B<OCSPflag> = OCSP_FLAG
+-
+-specify OCSP server flag
+-
+-Several I<OCSPflag> can be used to specify multiple flags.
+-
+-currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
+-NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
+-
+-=item B<options> = SSL_OPTIONS
+-
+-B<OpenSSL> library options
+-
+-The parameter is the B<OpenSSL> option name as described in the
+-I<SSL_CTX_set_options(3ssl)> manual, but without I<SSL_OP_> prefix.
+-I<stunnel -options> lists the options found to be allowed in the
+-current combination of I<stunnel> and the I<OpenSSL> library used
+-to build it.
+-
+-Several I<options> can be used to specify multiple options.
+-An option name can be prepended with a dash ("-") to disable the option.
+-
+-For example, for compatibility with the erroneous Eudora SSL
+-implementation, the following option can be used:
+-
+- options = DONT_INSERT_EMPTY_FRAGMENTS
+-
+-default:
+-
+- options = NO_SSLv2
+- options = NO_SSLv3
+-
+-=item B<protocol> = PROTO
+-
+-application protocol to negotiate SSL
+-
+-This option enables initial, protocol-specific negotiation of the SSL/TLS
+-encryption.
+-I<protocol> option should not be used with SSL encryption on a separate port.
+-
+-Currently supported protocols:
+-
+-=over 4
+-
+-=item I<cifs>
+-
+-Proprietary (undocummented) extension of CIFS protocol implemented in Samba.
+-Support for this extension was dropped in Samba 3.0.0.
+-
+-=item I<connect>
+-
+-Based on RFC 2817 - I<Upgrading to TLS Within HTTP/1.1>, section 5.2 - I<Requesting a Tunnel with CONNECT>
+-
+-This protocol is only supported in client mode.
+-
+-=item I<imap>
+-
+-Based on RFC 2595 - I<Using TLS with IMAP, POP3 and ACAP>
+-
+-=item I<nntp>
+-
+-Based on RFC 4642 - I<Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)>
+-
+-This protocol is only supported in client mode.
+-
+-=item I<pgsql>
+-
+-Based on
+-F<http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982>
+-
+-=item I<pop3>
+-
+-Based on RFC 2449 - I<POP3 Extension Mechanism>
+-
+-=item I<proxy>
+-
+-Haproxy client IP address
+-F<http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt>
+-
+-=item I<smtp>
+-
+-Based on RFC 2487 - I<SMTP Service Extension for Secure SMTP over TLS>
+-
+-=item I<socks>
+-
+-SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself
+-is encapsulated within SSL/TLS encryption layer to protect the final
+-destination address.
+-
+-F<http://www.openssh.com/txt/socks4.protocol>
+-
+-F<http://www.openssh.com/txt/socks4a.protocol>
+-
+-The BIND command of the SOCKS protocol is not supported.
+-The USERID parameter is ignored.
+-
+-See Examples section for sample configuration files for VPN based on SOCKS
+-encryption.
+-
+-=back
+-
+-=item B<protocolAuthentication> = basic | ntlm
+-
+-authentication type for protocol negotiations
+-
+-Currently authentication type only applies to the 'connect' protocol.
+-
+-default: basic
+-
+-=item B<protocolHost> = HOST:PORT
+-
+-destination address for protocol negotiations
+-
+-I<protocolHost> specifies the final SSL server to be connected by the proxy,
+-and not the proxy server directly connected by B<stunnel>.
+-The proxy server should be specified with the 'connect' option.
+-
+-Currently protocol destination address only applies to 'connect' protocol.
+-
+-=item B<protocolPassword> = PASSWORD
+-
+-password for protocol negotiations
+-
+-=item B<protocolUsername> = USERNAME
+-
+-username for protocol negotiations
+-
+-=item B<PSKidentity> = IDENTITY
+-
+-PSK identity for the PSK client
+-
+-I<PSKidentity> can be used on B<stunnel> clients to select the PSK identity
+-used for authentication. This option is ignored in server sections.
+-
+-default: the first identity specified in the I<PSKsecrets> file.
+-
+-=item B<PSKsecrets> = FILE
+-
+-file with PSK identities and corresponding keys
+-
+-Each line of the file in the following format:
+-
+- IDENTITY:KEY
+-
+-The key is required to be at least 20 characters long.
+-The file should not be world-readable nor world-writable.
+-
+-=item B<pty> = yes | no (Unix only)
+-
+-allocate pseudoterminal for 'exec' option
+-
+-=item B<redirect> = [HOST:]PORT
+-
+-redirect SSL client connections on certificate-based authentication failures
+-
+-This option only works in server mode.
+-Some protocol negotiations are also incompatible with the I<redirect> option.
+-
+-=item B<renegotiation> = yes | no
+-
+-support SSL renegotiation
+-
+-Applications of the SSL renegotiation include some authentication scenarios,
+-or re-keying long lasting connections.
+-
+-On the other hand this feature can facilitate a trivial CPU-exhaustion
+-DoS attack:
+-
+-F<http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html>
+-
+-Please note that disabling SSL renegotiation does not fully mitigate
+-this issue.
+-
+-default: yes (if supported by B<OpenSSL>)
+-
+-=item B<reset> = yes | no
+-
+-attempt to use TCP RST flag to indicate an error
+-
+-This option is not supported on some platforms.
+-
+-default: yes
+-
+-=item B<retry> = yes | no
+-
+-reconnect a connect+exec section after it's disconnected
+-
+-default: no
+-
+-=item B<sessionCacheSize> = NUM_ENTRIES
+-
+-session cache size
+-
+-I<sessionCacheSize> specifies the maximum number of the internal session cache
+-entries.
+-
+-The value of 0 can be used for unlimited size. It is not recommended
+-for production use due to the risk of memory exhaustion DoS attack.
+-
+-=item B<sessionCacheTimeout> = TIMEOUT
+-
+-session cache timeout
+-
+-This is the number of seconds to keep cached SSL sessions.
+-
+-=item B<sessiond> = HOST:PORT
+-
+-address of sessiond SSL cache server
+-
+-=item B<sslVersion> = SSL_VERSION
+-
+-select the SSL protocol version
+-
+-Allowed values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
+-
+-=item B<stack> = BYTES (except for FORK model)
+-
+-thread stack size
+-
+-=item B<TIMEOUTbusy> = SECONDS
+-
+-time to wait for expected data
+-
+-=item B<TIMEOUTclose> = SECONDS
+-
+-time to wait for close_notify (set to 0 for buggy MSIE)
+-
+-=item B<TIMEOUTconnect> = SECONDS
+-
+-time to wait to connect a remote host
+-
+-=item B<TIMEOUTidle> = SECONDS
+-
+-time to keep an idle connection
+-
+-=item B<transparent> = none | source | destination | both (Unix only)
+-
+-enable transparent proxy support on selected platforms
+-
+-Supported values:
+-
+-=over 4
+-
+-=item I<none>
+-
+-Disable transparent proxy support. This is the default.
+-
+-=item I<source>
+-
+-Re-write address to appear as if wrapped daemon is connecting
+-from the SSL client machine instead of the machine running B<stunnel>.
+-
+-This option is currently available in:
+-
+-=over 4
+-
+-=item Remote mode (I<connect> option) on I<Linux E<gt>=2.6.28>
+-
+-This configuration requires B<stunnel> to be executed as root and without
+-I<setuid> option.
+-
+-This configuration requires the following setup for iptables and routing
+-(possibly in /etc/rc.local or equivalent file):
+-
+- iptables -t mangle -N DIVERT
+- iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
+- iptables -t mangle -A DIVERT -j MARK --set-mark 1
+- iptables -t mangle -A DIVERT -j ACCEPT
+- ip rule add fwmark 1 lookup 100
+- ip route add local 0.0.0.0/0 dev lo table 100
+- echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
+-
+-B<stunnel> must also to be executed as root and without I<setuid> option.
+-
+-=item Remote mode (I<connect> option) on I<Linux 2.2.x>
+-
+-This configuration requires kernel to be compiled with I<transparent proxy>
+-option.
+-Connected service must be installed on a separate host.
+-Routing towards the clients has to go through the B<stunnel> box.
+-
+-B<stunnel> must also to be executed as root and without I<setuid> option.
+-
+-=item Remote mode (I<connect> option) on I<FreeBSD E<gt>=8.0>
+-
+-This configuration requires additional firewall and routing setup.
+-B<stunnel> must also to be executed as root and without I<setuid> option.
+-
+-=item Local mode (I<exec> option)
+-
+-This configuration works by pre-loading I<libstunnel.so> shared library.
+-_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
+-other platforms.
+-
+-=back
+-
+-=item I<destination>
+-
+-Original destination is used instead of I<connect> option.
+-
+-A service section for transparent destination may look like this:
+-
+- [transparent]
+- client=yes
+- accept=<stunnel_port>
+- transparent=destination
+-
+-This configuration requires iptables setup to work,
+-possibly in /etc/rc.local or equivalent file.
+-
+-For a connect target installed on the same host:
+-
+- /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
+- -m ! --uid-owner <stunnel_user_id> \
+- -j DNAT --to-destination <local_ip>:<stunnel_port>
+-
+-For a connect target installed on a remote host:
+-
+- /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
+- /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
+- -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
+-
+-Transparent destination option is currently only supported on Linux.
+-
+-=item I<both>
+-
+-Use both I<source> and I<destination> transparent proxy.
+-
+-=back
+-
+-Two legacy options are also supported for backward compatibility:
+-
+-=over 4
+-
+-=item I<yes>
+-
+-This options has been renamed to I<source>.
+-
+-=item I<no>
+-
+-This options has been renamed to I<none>.
+-
+-=back
+-
+-
+-=item B<verify> = LEVEL
+-
+-verify peer certificate
+-
+-=over 4
+-
+-=item level 0
+-
+-Request and ignore peer certificate.
+-
+-=item level 1
+-
+-Verify peer certificate if present.
+-
+-=item level 2
+-
+-Verify peer certificate.
+-
+-=item level 3
+-
+-Verify peer with locally installed certificate.
+-
+-=item level 4
+-
+-Ignore CA chain and only verify peer certificate.
+-
+-=item default
+-
+-No verify.
+-
+-=back
+-
+-It is important to understand, that this option was solely designed for access
+-control and not for authorization. Specifically for level 2 every non-revoked
+-certificate is accepted regardless of its Common Name. For this reason a
+-dedicated CA should be used with level 2, and not a generic CA commonly used
+-for webservers. Level 3 is preferred for point-to-point connections.
+-
+-=back
+-
+-
+-=head1 RETURN VALUE
+-
+-B<stunnel> returns zero on success, non-zero on error.
+-
+-
+-=head1 SIGNALS
+-
+-The following signals can be used to control B<stunnel> in Unix environment:
+-
+-=over 4
+-
+-=item SIGHUP
+-
+-Force a reload of the configuration file.
+-
+-Some global options will not be reloaded:
+-
+-=over 4
+-
+-=item *
+-
+-chroot
+-
+-=item *
+-
+-foreground
+-
+-=item *
+-
+-pid
+-
+-=item *
+-
+-setgid
+-
+-=item *
+-
+-setuid
+-
+-=back
+-
+-The use of 'setuid' option will also prevent B<stunnel> from binding privileged
+-(<1024) ports during configuration reloading.
+-
+-When 'chroot' option is used, B<stunnel> will look for all its files (including
+-configuration file, certificates, log file and pid file) within the chroot
+-jail.
+-
+-=item SIGUSR1
+-
+-Close and reopen B<stunnel> log file.
+-This function can be used for log rotation.
+-
+-=item SIGTERM, SIGQUIT, SIGINT
+-
+-Shut B<stunnel> down.
+-
+-=back
+-
+-The result of sending any other signals to the server is undefined.
+-
+-
+-=head1 EXAMPLES
+-
+-In order to provide SSL encapsulation to your local I<imapd> service, use:
+-
+- [imapd]
+- accept = 993
+- exec = /usr/sbin/imapd
+- execArgs = imapd
+-
+-or in remote mode:
+-
+- [imapd]
+- accept = 993
+- connect = 143
+-
+-In order to let your local e-mail client connect to an SSL-enabled I<imapd>
+-service on another server, configure the e-mail client to connect to localhost
+-on port 119 and use:
+-
+- [imap]
+- client = yes
+- accept = 143
+- connect = servername:993
+-
+-If you want to provide tunneling to your I<pppd> daemon on port 2020,
+-use something like:
+-
+- [vpn]
+- accept = 2020
+- exec = /usr/sbin/pppd
+- execArgs = pppd local
+- pty = yes
+-
+-If you want to use B<stunnel> in I<inetd> mode to launch your imapd
+-process, you'd use this I<stunnel.conf>.
+-Note there must be no I<[service_name]> section.
+-
+- exec = /usr/sbin/imapd
+- execArgs = imapd
+-
+-To setup SOCKS VPN configure the following client service:
+-
+- [socks_client]
+- client = yes
+- accept = 127.0.0.1:1080
+- connect = vpn_server:9080
+- verify = 4
+- CAfile = stunnel.pem
+-
+-The corresponding configuration on the vpn_server host:
+-
+- [socks_server]
+- protocol = socks
+- accept = 9080
+- cert = stunnel.pem
+- key = stunnel.key
+-
+-Now test your configuration on the client machine with:
+-
+- curl --socks4a localhost http://www.example.com/
+-
+-=head1 NOTES
+-
+-=head2 RESTRICTIONS
+-
+-B<stunnel> cannot be used for the FTP daemon because of the nature
+-of the FTP protocol which utilizes multiple ports for data transfers.
+-There are available SSL-enabled versions of FTP and telnet daemons, however.
+-
+-
+-=head2 INETD MODE
+-
+-The most common use of B<stunnel> is to listen on a network
+-port and establish communication with either a new port
+-via the connect option, or a new program via the I<exec> option.
+-However there is a special case when you wish to have
+-some other program accept incoming connections and
+-launch B<stunnel>, for example with I<inetd>, I<xinetd>,
+-or I<tcpserver>.
+-
+-For example, if you have the following line in I<inetd.conf>:
+-
+- imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf
+-
+-In these cases, the I<inetd>-style program is responsible
+-for binding a network socket (I<imaps> above) and handing
+-it to B<stunnel> when a connection is received.
+-Thus you do not want B<stunnel> to have any I<accept> option.
+-All the I<Service Level Options> should be placed in the
+-global options section, and no I<[service_name]> section
+-will be present. See the I<EXAMPLES> section for example
+-configurations.
+-
+-=head2 CERTIFICATES
+-
+-Each SSL-enabled daemon needs to present a valid X.509 certificate
+-to the peer. It also needs a private key to decrypt the incoming
+-data. The easiest way to obtain a certificate and a key is to
+-generate them with the free B<OpenSSL> package. You can find more
+-information on certificates generation on pages listed below.
+-
+-The order of contents of the I<.pem> file is important. It should contain the
+-unencrypted private key first, then a signed certificate (not certificate
+-request). There should be also empty lines after certificate and private key.
+-Plaintext certificate information appended on the top of generated certificate
+-should be discarded. So the file should look like this:
+-
+- -----BEGIN RSA PRIVATE KEY-----
+- [encoded key]
+- -----END RSA PRIVATE KEY-----
+- [empty line]
+- -----BEGIN CERTIFICATE-----
+- [encoded certificate]
+- -----END CERTIFICATE-----
+- [empty line]
+-
+-=head2 RANDOMNESS
+-
+-B<stunnel> needs to seed the PRNG (pseudo random number generator) in
+-order for SSL to use good randomness. The following sources are loaded
+-in order until sufficient random data has been gathered:
+-
+-=over 4
+-
+-=item *
+-
+-The file specified with the I<RNDfile> flag.
+-
+-=item *
+-
+-The file specified by the RANDFILE environment variable, if set.
+-
+-=item *
+-
+-The file .rnd in your home directory, if RANDFILE not set.
+-
+-=item *
+-
+-The file specified with '--with-random' at compile time.
+-
+-=item *
+-
+-The contents of the screen if running on Windows.
+-
+-=item *
+-
+-The egd socket specified with the I<EGD> flag.
+-
+-=item *
+-
+-The egd socket specified with '--with-egd-sock' at compile time.
+-
+-=item *
+-
+-The /dev/urandom device.
+-
+-=back
+-
+-With recent (B<OpenSSL 0.9.5a> or later) version of SSL it will stop loading
+-random data automatically when sufficient entropy has been gathered. With
+-previous versions it will continue to gather from all the above sources since
+-no SSL function exists to tell when enough data is available.
+-
+-Note that on Windows machines that do not have console user interaction
+-(mouse movements, creating windows, etc.) the screen contents are not
+-variable enough to be sufficient, and you should provide a random file
+-for use with the I<RNDfile> flag.
+-
+-Note that the file specified with the I<RNDfile> flag should contain
+-random data -- that means it should contain different information
+-each time B<stunnel> is run. This is handled automatically
+-unless the I<RNDoverwrite> flag is used. If you wish to update this file
+-manually, the I<openssl rand> command in recent versions of B<OpenSSL>,
+-would be useful.
+-
+-Important note: If /dev/urandom is available, B<OpenSSL> often seeds the PRNG
+-with it while checking the random state. On systems with /dev/urandom
+-B<OpenSSL> is likely to use it even though it is listed at the very bottom of
+-the list above. This is the behaviour of B<OpenSSL> and not B<stunnel>.
+-
+-=head2 DH PARAMETERS
+-
+-Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.
+-
+-It is also possible to specify DH parameters in the certificate file:
+-
+- openssl dhparam 2048 >> stunnel.pem
+-
+-DH parameter generation may take several minutes.
+-
+-
+-=head1 FILES
+-
+-=over 4
+-
+-=item F<stunnel.conf>
+-
+-B<stunnel> configuration file
+-
+-=back
+-
+-
+-=head1 BUGS
+-
+-Option I<execArgs> and Win32 command line does not support quoting.
+-
+-
+-=head1 SEE ALSO
+-
+-=over 4
+-
+-=item L<tcpd(8)>
+-
+-access control facility for internet services
+-
+-=item L<inetd(8)>
+-
+-internet 'super-server'
+-
+-=item F<http://www.stunnel.org/>
+-
+-B<stunnel> homepage
+-
+-=item F<http://www.openssl.org/>
+-
+-B<OpenSSL> project website
+-
+-=back
+-
+-
+-=head1 AUTHOR
+-
+-=over 4
+-
+-=item Michał Trojnara
+-
+-<F<Michal.Trojnara at mirt.net>>
+-
+-=back
+-
+diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
+new file mode 100644
+index 0000000..fa166f2
+--- /dev/null
++++ b/doc/stunnel.pod.in
+@@ -0,0 +1,1365 @@
++=head1 NAME
++
++=encoding utf8
++
++stunnel - TLS offloading and load-balancing proxy
++
++
++=head1 SYNOPSIS
++
++=over 4
++
++=item B<Unix:>
++
++B<stunnel> [S<FILE>] | S<-fd N> | S<-help> | S<-version> | S<-sockets> | S<-options>
++
++=item B<WIN32:>
++
++B<stunnel> [ [ S<-install> | S<-uninstall> | S<-start> | S<-stop> |
++ S<-reload> | S<-reopen> | S<-exit> ] [S<-quiet>] [S<FILE>] ] |
++ S<-help> | S<-version> | S<-sockets> | S<-options>
++
++=back
++
++
++=head1 DESCRIPTION
++
++The B<stunnel> program is designed to work as I<SSL> encryption wrapper
++between remote clients and local (I<inetd>-startable) or remote
++servers. The concept is that having non-SSL aware daemons running on
++your system you can easily set them up to communicate with clients over
++secure SSL channels.
++
++B<stunnel> can be used to add SSL functionality to commonly used I<Inetd>
++daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
++NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
++changes to the source code.
++
++This product includes cryptographic software written by
++Eric Young (eay at cryptsoft.com)
++
++
++=head1 OPTIONS
++
++=over 4
++
++=item B<FILE>
++
++Use specified configuration file
++
++=item B<-fd N> (Unix only)
++
++Read the config file from specified file descriptor
++
++=item B<-help>
++
++Print B<stunnel> help menu
++
++=item B<-version>
++
++Print B<stunnel> version and compile time defaults
++
++=item B<-sockets>
++
++Print default socket options
++
++=item B<-options>
++
++Print supported SSL options
++
++=item B<-install> (Windows NT and later only)
++
++Install NT Service
++
++=item B<-uninstall> (Windows NT and later only)
++
++Uninstall NT Service
++
++=item B<-start> (Windows NT and later only)
++
++Start NT Service
++
++=item B<-stop> (Windows NT and later only)
++
++Stop NT Service
++
++=item B<-reload> (Windows NT and later only)
++
++Reload configuration file of the running NT Service
++
++=item B<-reopen> (Windows NT and later only)
++
++Reopen log file of the running NT Service
++
++=item B<-exit> (Win32 only)
++
++Exit an already started stunnel
++
++=item B<-quiet> (Win32 only)
++
++Don't display any message boxes
++
++=back
++
++
++=head1 CONFIGURATION FILE
++
++Each line of the configuration file can be either:
++
++=over 4
++
++=item *
++
++An empty line (ignored).
++
++=item *
++
++A comment starting with ';' (ignored).
++
++=item *
++
++An 'option_name = option_value' pair.
++
++=item *
++
++'[service_name]' indicating a start of a service definition.
++
++=back
++
++An address parameter of an option may be either:
++
++=over 4
++
++=item *
++
++A port number.
++
++=item *
++
++A colon-separated pair of IP address (either IPv4, IPv6, or domain name) and port number.
++
++=item *
++
++A Unix socket path (Unix only).
++
++=back
++
++=head2 GLOBAL OPTIONS
++
++=over 4
++
++=item B<chroot> = DIRECTORY (Unix only)
++
++directory to chroot B<stunnel> process
++
++B<chroot> keeps B<stunnel> in chrooted jail. I<CApath>, I<CRLpath>, I<pid>
++and I<exec> are located inside the jail and the patches have to be relative
++to the directory specified with B<chroot>.
++
++Several functions of the operating system also need their files to be located within chroot jail, e.g.:
++
++=over 4
++
++=item *
++
++Delayed resolver typically needs /etc/nsswitch.conf and /etc/resolv.conf.
++
++=item *
++
++Local time in log files needs /etc/timezone.
++
++=item *
++
++Some other functions may need devices, e.g. /dev/zero or /dev/null.
++
++=back
++
++=item B<compression> = deflate | zlib
++
++select data compression algorithm
++
++default: no compression
++
++deflate is the standard compression method as described in RFC 1951.
++
++zlib compression of B<OpenSSL 0.9.8> or above is not backward compatible with
++B<OpenSSL 0.9.7>.
++
++=item B<debug> = [FACILITY.]LEVEL
++
++debugging level
++
++Level is a one of the syslog level names or numbers
++emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
++info (6), or debug (7). All logs for the specified level and
++all levels numerically less than it will be shown. Use I<debug = debug> or
++I<debug = 7> for greatest debugging output. The default is notice (5).
++
++The syslog facility 'daemon' will be used unless a facility name is supplied.
++(Facilities are not supported on Win32.)
++
++Case is ignored for both facilities and levels.
++
++=item B<EGD> = EGD_PATH (Unix only)
++
++path to Entropy Gathering Daemon socket
++
++Entropy Gathering Daemon socket to use to feed B<OpenSSL> random number
++generator. (Available only if compiled with B<OpenSSL 0.9.5a> or higher)
++
++=item B<engine> = auto | ENGINE_ID
++
++select hardware engine
++
++default: software-only cryptography
++
++Here is an example of advanced engine configuration to read private key from an
++OpenSC engine
++
++ engine=dynamic
++ engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
++ engineCtrl=ID:pkcs11
++ engineCtrl=LIST_ADD:1
++ engineCtrl=LOAD
++ engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
++ engineCtrl=INIT
++
++ [service]
++ engineNum=1
++ key=id_45
++
++=item B<engineCtrl> = COMMAND[:PARAMETER]
++
++control hardware engine
++
++Special commands "LOAD" and "INIT" can be used to load and initialize the
++engine cryptogaphic module.
++
++=item B<engineDefault> = TASK_LIST
++
++set OpenSSL tasks delegated to the current engine
++
++The parameter specifies a comma-separated list of task to be delegated to the
++current engine.
++
++The following tasks may be available, if supported by the engine: ALL, RSA,
++DSA, ECDH, ECDSA, DH, RAND, CIPHERS, DIGESTS, PKEY, PKEY_CRYPTO, PKEY_ASN1.
++
++=item B<fips> = yes | no
++
++Enable or disable FIPS 140-2 mode.
++
++This option allows to disable entering FIPS mode if B<stunnel> was compiled
++with FIPS 140-2 support.
++
++default: no (since version 5.00)
++
++=item B<foreground> = yes | no (Unix only)
++
++foreground mode
++
++Stay in foreground (don't fork) and log to stderr
++instead of via syslog (unless I<output> is specified).
++
++default: background in daemon mode
++
++=item B<iconActive> = ICON_FILE (GUI only)
++
++GUI icon to be displayed when there are established connections
++
++On Windows platform the parameter should be an .ico file containing a 16x16
++pixel image.
++
++=item B<iconError> = ICON_FILE (GUI only)
++
++GUI icon to be displayed when no valid configuration is loaded
++
++On Windows platform the parameter should be an .ico file containing a 16x16
++pixel image.
++
++=item B<iconIdle> = ICON_FILE (GUI only)
++
++GUI icon to be displayed when there are no established connections
++
++On Windows platform the parameter should be an .ico file containing a 16x16
++pixel image.
++
++=item B<log> = append | overwrite
++
++log file handling
++
++This option allows to choose whether the log file (specified with the I<output>
++option) is appended or overwritten when opened or re-opened.
++
++default: append
++
++=item B<output> = FILE
++
++append log messages to a file
++
++/dev/stdout device can be used to send log messages to the standard
++output (for example to log them with daemontools splogger).
++
++=item B<pid> = FILE (Unix only)
++
++pid file location
++
++If the argument is empty, then no pid file will be created.
++
++I<pid> path is relative to I<chroot> directory if specified.
++
++=item B<RNDbytes> = BYTES
++
++bytes to read from random seed files
++
++Number of bytes of data read from random seed files. With SSL versions less
++than B<0.9.5a>, also determines how many bytes of data are considered
++sufficient to seed the PRNG. More recent B<OpenSSL> versions have a builtin
++function to determine when sufficient randomness is available.
++
++=item B<RNDfile> = FILE
++
++path to file with random seed data
++
++The SSL library will use data from this file first to seed the random
++number generator.
++
++=item B<RNDoverwrite> = yes | no
++
++overwrite the random seed files with new random data
++
++default: yes
++
++=item B<service> = SERVICE (Unix only)
++
++stunnel service name
++
++The specified service name is used for syslog and as the I<inetd> mode service
++name for TCP Wrappers. While this option can technically be specified in the
++service sections, it is only useful in global options.
++
++default: stunnel
++
++=item B<setgid> = GROUP (Unix only)
++
++setgid() to the specified group in daemon mode and clear all other groups
++
++=item B<setuid> = USER (Unix only)
++
++setuid() to the specified user in daemon mode
++
++=item B<socket> = a|l|r:OPTION=VALUE[:VALUE]
++
++Set an option on accept/local/remote socket
++
++The values for linger option are l_onof:l_linger.
++The values for time are tv_sec:tv_usec.
++
++Examples:
++
++ socket = l:SO_LINGER=1:60
++ set one minute timeout for closing local socket
++ socket = r:SO_OOBINLINE=yes
++ place out-of-band data directly into the
++ receive data stream for remote sockets
++ socket = a:SO_REUSEADDR=no
++ disable address reuse (enabled by default)
++ socket = a:SO_BINDTODEVICE=lo
++ only accept connections on loopback interface
++
++=item B<syslog> = yes | no (Unix only)
++
++enable logging via syslog
++
++default: yes
++
++=item B<taskbar> = yes | no (WIN32 only)
++
++enable the taskbar icon
++
++default: yes
++
++=back
++
++
++=head2 SERVICE-LEVEL OPTIONS
++
++Each configuration section begins with service name in square brackets.
++The service name is used for libwrap (TCP Wrappers) access control and lets
++you distinguish B<stunnel> services in your log files.
++
++Note that if you wish to run B<stunnel> in I<inetd> mode (where it
++is provided a network socket by a server such as I<inetd>, I<xinetd>,
++or I<tcpserver>) then you should read the section entitled I<INETD MODE>
++below.
++
++
++=over 4
++
++=item B<accept> = [HOST:]PORT
++
++accept connections on specified address
++
++If no host specified, defaults to all IPv4 addresses for the local host.
++
++To listen on all IPv6 addresses use:
++
++ accept = :::PORT
++
++=item B<CApath> = DIRECTORY
++
++Certificate Authority directory
++
++This is the directory in which B<stunnel> will look for certificates when using
++the I<verify>. Note that the certificates in this directory should be named
++XXXXXXXX.0 where XXXXXXXX is the hash value of the DER encoded subject of the
++cert.
++
++The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
++c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
++
++I<CApath> path is relative to I<chroot> directory if specified.
++
++=item B<CAfile> = CERT_FILE
++
++Certificate Authority file
++
++This file contains multiple CA certificates, used with the I<verify>.
++
++=item B<cert> = PEM_FILE
++
++certificate chain PEM file name
++
++The certificates must be in PEM format, and must be from the
++actual server/client certificate to the self-signed root CA certificate.
++
++A certificate is required in server mode, and optional in client mode.
++
++=item B<checkEmail> = EMAIL
++
++email address of the peer certificate subject
++
++Multiple I<checkEmail> options are allowed in a single service section.
++Certificates are accepted if no I<checkEmail> option was specified, or the
++email address of the peer certificate matches any of the email addresses
++specified with I<checkEmail>.
++
++=item B<checkHost> = HOST
++
++host of the peer certificate subject
++
++Multiple I<checkHost> options are allowed in a single service section.
++Certificates are accepted if no I<checkHost> option was specified, or the host
++name of the peer certificate matches any of the hosts specified with
++I<checkHost>.
++
++=item B<checkIP> = IP
++
++IP address of the peer certificate subject
++
++Multiple I<checkIP> options are allowed in a single service section.
++Certificates are accepted if no I<checkIP> option was specified, or the IP
++address of the peer certificate matches any of the IP addresses specified with
++I<checkIP>.
++
++=item B<ciphers> = CIPHER_LIST
++
++Select permitted SSL ciphers
++
++A colon delimited list of the ciphers to allow in the SSL connection,
++for example DES-CBC3-SHA:IDEA-CBC-MD5.
++
++=item B<client> = yes | no
++
++client mode (remote service uses SSL)
++
++default: no (server mode)
++
++=item B<connect> = [HOST:]PORT
++
++connect to a remote address
++
++If no host is specified, the host defaults to localhost.
++
++Multiple I<connect> options are allowed in a single service section.
++
++If host resolves to multiple addresses and/or if multiple I<connect>
++options are specified, then the remote address is chosen using a
++round-robin algorithm.
++
++=item B<CRLpath> = DIRECTORY
++
++Certificate Revocation Lists directory
++
++This is the directory in which B<stunnel> will look for CRLs when
++using the I<verify>. Note that the CRLs in this directory should
++be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the CRL.
++
++The hash algorithm has been changed in B<OpenSSL 1.0.0>. It is required to
++c_rehash the directory on upgrade from B<OpenSSL 0.x.x> to B<OpenSSL 1.x.x>.
++
++I<CRLpath> path is relative to I<chroot> directory if specified.
++
++=item B<CRLfile> = CERT_FILE
++
++Certificate Revocation Lists file
++
++This file contains multiple CRLs, used with the I<verify>.
++
++=item B<curve> = NID
++
++specify ECDH curve name
++
++To get a list of supported cuves use:
++
++ openssl ecparam -list_curves
++
++default: prime256v1
++
++=item B<logId> = TYPE
++
++connection identifier type
++
++This identifier allows to distinguish log entries generated for each of the
++connections.
++
++Currently supported types:
++
++=over 4
++
++=item I<sequential>
++
++The numeric sequential identifier is only unique within a single instance of
++B<stunnel>, but very compact. It is most useful for manual log analysis.
++
++=item I<unique>
++
++This alphanumeric identifier is globally unique, but longer than the sequential
++number. It is most useful for automated log analysis.
++
++=item I<thread>
++
++The operating system thread identifier is neither unique (even within a single
++instance of B<stunnel>) nor short. It is most useful for debugging software
++or configuration issues.
++
++=back
++
++default: sequential
++
++=item B<debug> = LEVEL
++
++debugging level
++
++Level is a one of the syslog level names or numbers
++emerg (0), alert (1), crit (2), err (3), warning (4), notice (5),
++info (6), or debug (7). All logs for the specified level and
++all levels numerically less than it will be shown. Use I<debug = debug> or
++I<debug = 7> for greatest debugging output. The default is notice (5).
++
++=item B<delay> = yes | no
++
++delay DNS lookup for I<connect> option
++
++This option is useful for dynamic DNS, or when DNS is not available during
++B<stunnel> startup (road warrior VPN, dial-up configurations).
++
++Delayed resolver mode is automatically engaged when stunnel fails to resolve on
++startup any of the I<connect> targets for a service.
++
++Delayed resolver inflicts I<failover = prio>.
++
++default: no
++
++=item B<engineId> = ENGINE_ID
++
++select engine ID for the service
++
++=item B<engineNum> = ENGINE_NUMBER
++
++select engine number for the service
++
++The engines are numbered starting from 1.
++
++=item B<exec> = EXECUTABLE_PATH
++
++execute local inetd-type program
++
++I<exec> path is relative to I<chroot> directory if specified.
++
++The following environmental variables are set on Unix platform:
++REMOTE_HOST, REMOTE_PORT, SSL_CLIENT_DN, SSL_CLIENT_I_DN.
++
++=item B<execArgs> = $0 $1 $2 ...
++
++arguments for I<exec> including program name ($0)
++
++Quoting is currently not supported.
++Arguments are separated with arbitrary number of whitespaces.
++
++=item B<failover> = rr | prio
++
++Failover strategy for multiple "connect" targets.
++
++ rr (round robin) - fair load distribution
++ prio (priority) - use the order specified in config file
++
++default: rr
++
++=item B<ident> = USERNAME
++
++use IDENT (RFC 1413) username checking
++
++=item B<key> = KEY_FILE
++
++private key for certificate specified with I<cert> option
++
++Private key is needed to authenticate certificate owner.
++Since this file should be kept secret it should only be readable
++to its owner. On Unix systems you can use the following command:
++
++ chmod 600 keyfile
++
++default: value of I<cert> option
++
++=item B<libwrap> = yes | no
++
++Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.
++
++default: no (since version 5.00)
++
++=item B<local> = HOST
++
++IP of the outgoing interface is used as source for remote connections.
++Use this option to bind a static local IP address, instead.
++
++=item B<sni> = SERVICE:SERVER_PATTERN (server mode)
++
++Use the service as a slave service (a name-based virtual server) for Server
++Name Indication TLS extension (RFC 3546).
++
++I<service_name> specifies the master service that accepts client connections
++with I<accept> option. I<server_name_pattern> specifies the host name to be
++redirected. The pattern may start with '*' character, e.g. '*.example.com'.
++Multiple slave services are normally specified for a single master service.
++I<sni> option can also be specified more than once within a single slave
++service.
++
++This service, as well as the master service, may not be configured in client
++mode.
++
++I<connect> option of the slave service is ignored when I<protocol> option is
++specified, as I<protocol> connects remote host before TLS handshake.
++
++Libwrap checks (Unix only) are performed twice: with master service name after
++TCP connection is accepted, and with slave service name during TLS handshake.
++
++Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
++
++=item B<sni> = SERVER (client mode)
++
++Use the parameter as the value of TLS Server Name Indication (RFC 3546)
++extension.
++
++Option I<sni> is only available when compiled with B<OpenSSL 1.0.0> and later.
++
++=item B<OCSP> = URL
++
++select OCSP server for certificate verification
++
++=item B<OCSPaia> = yes | no
++
++validate certificates with their AIA OCSP responders
++
++This option enables I<stunnel> to validate certificates with the list of
++OCSP responder URLs retrieved from their AIA (Authority Information Access)
++extension.
++
++=item B<OCSPflag> = OCSP_FLAG
++
++specify OCSP server flag
++
++Several I<OCSPflag> can be used to specify multiple flags.
++
++currently supported flags: NOCERTS, NOINTERN NOSIGS, NOCHAIN, NOVERIFY,
++NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER, RESPID_KEY, NOTIME
++
++=item B<options> = SSL_OPTIONS
++
++B<OpenSSL> library options
++
++The parameter is the B<OpenSSL> option name as described in the
++I<SSL_CTX_set_options(3ssl)> manual, but without I<SSL_OP_> prefix.
++I<stunnel -options> lists the options found to be allowed in the
++current combination of I<stunnel> and the I<OpenSSL> library used
++to build it.
++
++Several I<options> can be used to specify multiple options.
++An option name can be prepended with a dash ("-") to disable the option.
++
++For example, for compatibility with the erroneous Eudora SSL
++implementation, the following option can be used:
++
++ options = DONT_INSERT_EMPTY_FRAGMENTS
++
++default:
++
++ options = NO_SSLv2
++ options = NO_SSLv3
++
++=item B<protocol> = PROTO
++
++application protocol to negotiate SSL
++
++This option enables initial, protocol-specific negotiation of the SSL/TLS
++encryption.
++I<protocol> option should not be used with SSL encryption on a separate port.
++
++Currently supported protocols:
++
++=over 4
++
++=item I<cifs>
++
++Proprietary (undocummented) extension of CIFS protocol implemented in Samba.
++Support for this extension was dropped in Samba 3.0.0.
++
++=item I<connect>
++
++Based on RFC 2817 - I<Upgrading to TLS Within HTTP/1.1>, section 5.2 - I<Requesting a Tunnel with CONNECT>
++
++This protocol is only supported in client mode.
++
++=item I<imap>
++
++Based on RFC 2595 - I<Using TLS with IMAP, POP3 and ACAP>
++
++=item I<nntp>
++
++Based on RFC 4642 - I<Using Transport Layer Security (TLS) with Network News Transfer Protocol (NNTP)>
++
++This protocol is only supported in client mode.
++
++=item I<pgsql>
++
++Based on
++F<http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982>
++
++=item I<pop3>
++
++Based on RFC 2449 - I<POP3 Extension Mechanism>
++
++=item I<proxy>
++
++Haproxy client IP address
++F<http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt>
++
++=item I<smtp>
++
++Based on RFC 2487 - I<SMTP Service Extension for Secure SMTP over TLS>
++
++=item I<socks>
++
++SOCKS versions 4, 4a, and 5 are supported. The SOCKS protocol itself
++is encapsulated within SSL/TLS encryption layer to protect the final
++destination address.
++
++F<http://www.openssh.com/txt/socks4.protocol>
++
++F<http://www.openssh.com/txt/socks4a.protocol>
++
++The BIND command of the SOCKS protocol is not supported.
++The USERID parameter is ignored.
++
++See Examples section for sample configuration files for VPN based on SOCKS
++encryption.
++
++=back
++
++=item B<protocolAuthentication> = basic | ntlm
++
++authentication type for protocol negotiations
++
++Currently authentication type only applies to the 'connect' protocol.
++
++default: basic
++
++=item B<protocolHost> = HOST:PORT
++
++destination address for protocol negotiations
++
++I<protocolHost> specifies the final SSL server to be connected by the proxy,
++and not the proxy server directly connected by B<stunnel>.
++The proxy server should be specified with the 'connect' option.
++
++Currently protocol destination address only applies to 'connect' protocol.
++
++=item B<protocolPassword> = PASSWORD
++
++password for protocol negotiations
++
++=item B<protocolUsername> = USERNAME
++
++username for protocol negotiations
++
++=item B<PSKidentity> = IDENTITY
++
++PSK identity for the PSK client
++
++I<PSKidentity> can be used on B<stunnel> clients to select the PSK identity
++used for authentication. This option is ignored in server sections.
++
++default: the first identity specified in the I<PSKsecrets> file.
++
++=item B<PSKsecrets> = FILE
++
++file with PSK identities and corresponding keys
++
++Each line of the file in the following format:
++
++ IDENTITY:KEY
++
++The key is required to be at least 20 characters long.
++The file should not be world-readable nor world-writable.
++
++=item B<pty> = yes | no (Unix only)
++
++allocate pseudoterminal for 'exec' option
++
++=item B<redirect> = [HOST:]PORT
++
++redirect SSL client connections on certificate-based authentication failures
++
++This option only works in server mode.
++Some protocol negotiations are also incompatible with the I<redirect> option.
++
++=item B<renegotiation> = yes | no
++
++support SSL renegotiation
++
++Applications of the SSL renegotiation include some authentication scenarios,
++or re-keying long lasting connections.
++
++On the other hand this feature can facilitate a trivial CPU-exhaustion
++DoS attack:
++
++F<http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html>
++
++Please note that disabling SSL renegotiation does not fully mitigate
++this issue.
++
++default: yes (if supported by B<OpenSSL>)
++
++=item B<reset> = yes | no
++
++attempt to use TCP RST flag to indicate an error
++
++This option is not supported on some platforms.
++
++default: yes
++
++=item B<retry> = yes | no
++
++reconnect a connect+exec section after it's disconnected
++
++default: no
++
++=item B<sessionCacheSize> = NUM_ENTRIES
++
++session cache size
++
++I<sessionCacheSize> specifies the maximum number of the internal session cache
++entries.
++
++The value of 0 can be used for unlimited size. It is not recommended
++for production use due to the risk of memory exhaustion DoS attack.
++
++=item B<sessionCacheTimeout> = TIMEOUT
++
++session cache timeout
++
++This is the number of seconds to keep cached SSL sessions.
++
++=item B<sessiond> = HOST:PORT
++
++address of sessiond SSL cache server
++
++=item B<sslVersion> = SSL_VERSION
++
++select the SSL protocol version
++
++Allowed values: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2
++
++=item B<stack> = BYTES (except for FORK model)
++
++thread stack size
++
++=item B<TIMEOUTbusy> = SECONDS
++
++time to wait for expected data
++
++=item B<TIMEOUTclose> = SECONDS
++
++time to wait for close_notify (set to 0 for buggy MSIE)
++
++=item B<TIMEOUTconnect> = SECONDS
++
++time to wait to connect a remote host
++
++=item B<TIMEOUTidle> = SECONDS
++
++time to keep an idle connection
++
++=item B<transparent> = none | source | destination | both (Unix only)
++
++enable transparent proxy support on selected platforms
++
++Supported values:
++
++=over 4
++
++=item I<none>
++
++Disable transparent proxy support. This is the default.
++
++=item I<source>
++
++Re-write address to appear as if wrapped daemon is connecting
++from the SSL client machine instead of the machine running B<stunnel>.
++
++This option is currently available in:
++
++=over 4
++
++=item Remote mode (I<connect> option) on I<Linux E<gt>=2.6.28>
++
++This configuration requires B<stunnel> to be executed as root and without
++I<setuid> option.
++
++This configuration requires the following setup for iptables and routing
++(possibly in /etc/rc.local or equivalent file):
++
++ iptables -t mangle -N DIVERT
++ iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
++ iptables -t mangle -A DIVERT -j MARK --set-mark 1
++ iptables -t mangle -A DIVERT -j ACCEPT
++ ip rule add fwmark 1 lookup 100
++ ip route add local 0.0.0.0/0 dev lo table 100
++ echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter
++
++B<stunnel> must also to be executed as root and without I<setuid> option.
++
++=item Remote mode (I<connect> option) on I<Linux 2.2.x>
++
++This configuration requires kernel to be compiled with I<transparent proxy>
++option.
++Connected service must be installed on a separate host.
++Routing towards the clients has to go through the B<stunnel> box.
++
++B<stunnel> must also to be executed as root and without I<setuid> option.
++
++=item Remote mode (I<connect> option) on I<FreeBSD E<gt>=8.0>
++
++This configuration requires additional firewall and routing setup.
++B<stunnel> must also to be executed as root and without I<setuid> option.
++
++=item Local mode (I<exec> option)
++
++This configuration works by pre-loading I<libstunnel.so> shared library.
++_RLD_LIST environment variable is used on Tru64, and LD_PRELOAD variable on
++other platforms.
++
++=back
++
++=item I<destination>
++
++Original destination is used instead of I<connect> option.
++
++A service section for transparent destination may look like this:
++
++ [transparent]
++ client=yes
++ accept=<stunnel_port>
++ transparent=destination
++
++This configuration requires iptables setup to work,
++possibly in /etc/rc.local or equivalent file.
++
++For a connect target installed on the same host:
++
++ /sbin/iptables -t nat -I OUTPUT -p tcp --dport <redirected_port> \
++ -m ! --uid-owner <stunnel_user_id> \
++ -j DNAT --to-destination <local_ip>:<stunnel_port>
++
++For a connect target installed on a remote host:
++
++ /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
++ /sbin/iptables -t nat -I PREROUTING -p tcp --dport <redirected_port> \
++ -i eth0 -j DNAT --to-destination <local_ip>:<stunnel_port>
++
++Transparent destination option is currently only supported on Linux.
++
++=item I<both>
++
++Use both I<source> and I<destination> transparent proxy.
++
++=back
++
++Two legacy options are also supported for backward compatibility:
++
++=over 4
++
++=item I<yes>
++
++This options has been renamed to I<source>.
++
++=item I<no>
++
++This options has been renamed to I<none>.
++
++=back
++
++
++=item B<verify> = LEVEL
++
++verify peer certificate
++
++=over 4
++
++=item level 0
++
++Request and ignore peer certificate.
++
++=item level 1
++
++Verify peer certificate if present.
++
++=item level 2
++
++Verify peer certificate.
++
++=item level 3
++
++Verify peer with locally installed certificate.
++
++=item level 4
++
++Ignore CA chain and only verify peer certificate.
++
++=item default
++
++No verify.
++
++=back
++
++It is important to understand, that this option was solely designed for access
++control and not for authorization. Specifically for level 2 every non-revoked
++certificate is accepted regardless of its Common Name. For this reason a
++dedicated CA should be used with level 2, and not a generic CA commonly used
++for webservers. Level 3 is preferred for point-to-point connections.
++
++=back
++
++
++=head1 RETURN VALUE
++
++B<stunnel> returns zero on success, non-zero on error.
++
++
++=head1 SIGNALS
++
++The following signals can be used to control B<stunnel> in Unix environment:
++
++=over 4
++
++=item SIGHUP
++
++Force a reload of the configuration file.
++
++Some global options will not be reloaded:
++
++=over 4
++
++=item *
++
++chroot
++
++=item *
++
++foreground
++
++=item *
++
++pid
++
++=item *
++
++setgid
++
++=item *
++
++setuid
++
++=back
++
++The use of 'setuid' option will also prevent B<stunnel> from binding privileged
++(<1024) ports during configuration reloading.
++
++When 'chroot' option is used, B<stunnel> will look for all its files (including
++configuration file, certificates, log file and pid file) within the chroot
++jail.
++
++=item SIGUSR1
++
++Close and reopen B<stunnel> log file.
++This function can be used for log rotation.
++
++=item SIGTERM, SIGQUIT, SIGINT
++
++Shut B<stunnel> down.
++
++=back
++
++The result of sending any other signals to the server is undefined.
++
++
++=head1 EXAMPLES
++
++In order to provide SSL encapsulation to your local I<imapd> service, use:
++
++ [imapd]
++ accept = 993
++ exec = /usr/sbin/imapd
++ execArgs = imapd
++
++or in remote mode:
++
++ [imapd]
++ accept = 993
++ connect = 143
++
++In order to let your local e-mail client connect to an SSL-enabled I<imapd>
++service on another server, configure the e-mail client to connect to localhost
++on port 119 and use:
++
++ [imap]
++ client = yes
++ accept = 143
++ connect = servername:993
++
++If you want to provide tunneling to your I<pppd> daemon on port 2020,
++use something like:
++
++ [vpn]
++ accept = 2020
++ exec = /usr/sbin/pppd
++ execArgs = pppd local
++ pty = yes
++
++If you want to use B<stunnel> in I<inetd> mode to launch your imapd
++process, you'd use this I<stunnel.conf>.
++Note there must be no I<[service_name]> section.
++
++ exec = /usr/sbin/imapd
++ execArgs = imapd
++
++To setup SOCKS VPN configure the following client service:
++
++ [socks_client]
++ client = yes
++ accept = 127.0.0.1:1080
++ connect = vpn_server:9080
++ verify = 4
++ CAfile = stunnel.pem
++
++The corresponding configuration on the vpn_server host:
++
++ [socks_server]
++ protocol = socks
++ accept = 9080
++ cert = stunnel.pem
++ key = stunnel.key
++
++Now test your configuration on the client machine with:
++
++ curl --socks4a localhost http://www.example.com/
++
++=head1 NOTES
++
++=head2 RESTRICTIONS
++
++B<stunnel> cannot be used for the FTP daemon because of the nature
++of the FTP protocol which utilizes multiple ports for data transfers.
++There are available SSL-enabled versions of FTP and telnet daemons, however.
++
++
++=head2 INETD MODE
++
++The most common use of B<stunnel> is to listen on a network
++port and establish communication with either a new port
++via the connect option, or a new program via the I<exec> option.
++However there is a special case when you wish to have
++some other program accept incoming connections and
++launch B<stunnel>, for example with I<inetd>, I<xinetd>,
++or I<tcpserver>.
++
++For example, if you have the following line in I<inetd.conf>:
++
++ imaps stream tcp nowait root @bindir@/stunnel stunnel @sysconfdir@/stunnel/imaps.conf
++
++In these cases, the I<inetd>-style program is responsible
++for binding a network socket (I<imaps> above) and handing
++it to B<stunnel> when a connection is received.
++Thus you do not want B<stunnel> to have any I<accept> option.
++All the I<Service Level Options> should be placed in the
++global options section, and no I<[service_name]> section
++will be present. See the I<EXAMPLES> section for example
++configurations.
++
++=head2 CERTIFICATES
++
++Each SSL-enabled daemon needs to present a valid X.509 certificate
++to the peer. It also needs a private key to decrypt the incoming
++data. The easiest way to obtain a certificate and a key is to
++generate them with the free B<OpenSSL> package. You can find more
++information on certificates generation on pages listed below.
++
++The order of contents of the I<.pem> file is important. It should contain the
++unencrypted private key first, then a signed certificate (not certificate
++request). There should be also empty lines after certificate and private key.
++Plaintext certificate information appended on the top of generated certificate
++should be discarded. So the file should look like this:
++
++ -----BEGIN RSA PRIVATE KEY-----
++ [encoded key]
++ -----END RSA PRIVATE KEY-----
++ [empty line]
++ -----BEGIN CERTIFICATE-----
++ [encoded certificate]
++ -----END CERTIFICATE-----
++ [empty line]
++
++=head2 RANDOMNESS
++
++B<stunnel> needs to seed the PRNG (pseudo random number generator) in
++order for SSL to use good randomness. The following sources are loaded
++in order until sufficient random data has been gathered:
++
++=over 4
++
++=item *
++
++The file specified with the I<RNDfile> flag.
++
++=item *
++
++The file specified by the RANDFILE environment variable, if set.
++
++=item *
++
++The file .rnd in your home directory, if RANDFILE not set.
++
++=item *
++
++The file specified with '--with-random' at compile time.
++
++=item *
++
++The contents of the screen if running on Windows.
++
++=item *
++
++The egd socket specified with the I<EGD> flag.
++
++=item *
++
++The egd socket specified with '--with-egd-sock' at compile time.
++
++=item *
++
++The /dev/urandom device.
++
++=back
++
++With recent (B<OpenSSL 0.9.5a> or later) version of SSL it will stop loading
++random data automatically when sufficient entropy has been gathered. With
++previous versions it will continue to gather from all the above sources since
++no SSL function exists to tell when enough data is available.
++
++Note that on Windows machines that do not have console user interaction
++(mouse movements, creating windows, etc.) the screen contents are not
++variable enough to be sufficient, and you should provide a random file
++for use with the I<RNDfile> flag.
++
++Note that the file specified with the I<RNDfile> flag should contain
++random data -- that means it should contain different information
++each time B<stunnel> is run. This is handled automatically
++unless the I<RNDoverwrite> flag is used. If you wish to update this file
++manually, the I<openssl rand> command in recent versions of B<OpenSSL>,
++would be useful.
++
++Important note: If /dev/urandom is available, B<OpenSSL> often seeds the PRNG
++with it while checking the random state. On systems with /dev/urandom
++B<OpenSSL> is likely to use it even though it is listed at the very bottom of
++the list above. This is the behaviour of B<OpenSSL> and not B<stunnel>.
++
++=head2 DH PARAMETERS
++
++Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.
++
++It is also possible to specify DH parameters in the certificate file:
++
++ openssl dhparam 2048 >> stunnel.pem
++
++DH parameter generation may take several minutes.
++
++
++=head1 FILES
++
++=over 4
++
++=item F<@sysconfdir@/stunnel/stunnel.conf>
++
++B<stunnel> configuration file
++
++=back
++
++
++=head1 BUGS
++
++Option I<execArgs> and Win32 command line does not support quoting.
++
++
++=head1 SEE ALSO
++
++=over 4
++
++=item L<tcpd(8)>
++
++access control facility for internet services
++
++=item L<inetd(8)>
++
++internet 'super-server'
++
++=item F<http://www.stunnel.org/>
++
++B<stunnel> homepage
++
++=item F<http://www.openssl.org/>
++
++B<OpenSSL> project website
++
++=back
++
++
++=head1 AUTHOR
++
++=over 4
++
++=item Michał Trojnara
++
++<F<Michal.Trojnara at mirt.net>>
++
++=back
++
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 8fc3fe6..3bcbdfd 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -90,3 +90,10 @@ resources.obj: resources.rc resources.h version.h
+ mostlyclean-local:
+ -rm -f *.obj
+
++edit = sed \
++ -e 's|@bindir[@]|$(bindir)|g'
++
++stunnel3: Makefile
++ $(edit) '$(srcdir)/$@.in' >$@
++
++stunnel3: $(srcdir)/stunnel3.in
+diff --git a/src/stunnel3.in b/src/stunnel3.in
+index db2bce0..eebbdcd 100755
+--- a/src/stunnel3.in
++++ b/src/stunnel3.in
+@@ -22,7 +22,7 @@ use POSIX;
+ use Getopt::Std;
+
+ # Configuration - path to stunnel (version >=4.05)
+-$stunnel_bin='@prefix@/bin/stunnel';
++$stunnel_bin='@bindir@/stunnel';
+
+ # stunnel3 script body begins here
+ ($read_fd, $write_fd)=POSIX::pipe();
+diff --git a/tools/Makefile.am b/tools/Makefile.am
+index 79ef010..375cf91 100644
+--- a/tools/Makefile.am
++++ b/tools/Makefile.am
+@@ -37,3 +37,17 @@ cert:
+ rm -f stunnel.rnd; \
+ fi
+
++edit = sed \
++ -e 's|@prefix[@]|$(prefix)|g' \
++ -e 's|@bindir[@]|$(bindir)|g' \
++ -e 's|@localstatedir[@]|$(localstatedir)|g' \
++ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \
++ -e 's|@DEFAULT_GROUP[@]|$(DEFAULT_GROUP)|g'
++
++stunnel.conf-sample stunnel.init stunnel.service: Makefile
++ $(edit) '$(srcdir)/$@.in' >$@
++
++stunnel.conf-sample: $(srcdir)/stunnel.conf-sample.in
++stunnel.init: $(srcdir)/stunnel.init.in
++stunnel.service: $(srcdir)/stunnel.service.in
++
+diff --git a/tools/stunnel.conf-sample.in b/tools/stunnel.conf-sample.in
+index c8f65dc..716c229 100644
+--- a/tools/stunnel.conf-sample.in
++++ b/tools/stunnel.conf-sample.in
+@@ -12,7 +12,7 @@
+ ;setgid = @DEFAULT_GROUP@
+
+ ; PID file is created inside the chroot jail (if enabled)
+-;pid = @prefix@/var/run/stunnel.pid
++;pid = @localstatedir@/run/stunnel.pid
+
+ ; Debugging stuff (may be useful for troubleshooting)
+ ;foreground = yes
+@@ -44,7 +44,7 @@ client = yes
+ accept = 127.0.0.1:110
+ connect = pop.gmail.com:995
+ verify = 2
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir@/ssl/certs
+ checkHost = pop.gmail.com
+
+ [gmail-imap]
+@@ -52,7 +52,7 @@ client = yes
+ accept = 127.0.0.1:143
+ connect = imap.gmail.com:993
+ verify = 2
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir@/ssl/certs
+ checkHost = imap.gmail.com
+
+ [gmail-smtp]
+@@ -60,7 +60,7 @@ client = yes
+ accept = 127.0.0.1:25
+ connect = smtp.gmail.com:465
+ verify = 2
+-CApath = /etc/ssl/certs
++CApath = @sysconfdir@/ssl/certs
+ checkHost = smtp.gmail.com
+
+ ; ***************************************** Example TLS server mode services
+@@ -68,34 +68,34 @@ checkHost = smtp.gmail.com
+ ;[pop3s]
+ ;accept = 995
+ ;connect = 110
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+
+ ;[imaps]
+ ;accept = 993
+ ;connect = 143
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+
+ ;[ssmtp]
+ ;accept = 465
+ ;connect = 25
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+
+ ; TLS front-end to a web server
+ ;[https]
+ ;accept = 443
+ ;connect = 80
+-;cert = @prefix@/etc/stunnel/stunnel.pem
++;cert = @sysconfdir@/stunnel/stunnel.pem
+ ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
+ ; Microsoft implementations do not use TLS close-notify alert and thus they
+ ; are vulnerable to truncation attacks
+ ;TIMEOUTclose = 0
+
+ ; Remote shell protected with PSK-authenticated TLS
+-; Create "@prefix@/etc/stunnel/secrets.txt" containing IDENTITY:KEY pairs
++; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
+ ;[shell]
+ ;accept = 1337
+ ;exec = /bin/sh
+ ;execArgs = sh -i
+-;PSKsecrets = @prefix@/etc/stunnel/secrets.txt
++;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
+
+ ; vim:ft=dosini
+diff --git a/tools/stunnel.init.in b/tools/stunnel.init.in
+index 32a3e64..aa46e9f 100644
+--- a/tools/stunnel.init.in
++++ b/tools/stunnel.init.in
+@@ -15,7 +15,7 @@
+ ### END INIT INFO
+
+ DEFAULTPIDFILE="/var/run/stunnel.pid"
+-DAEMON=@prefix@/bin/stunnel
++DAEMON=@bindir@/stunnel
+ NAME=stunnel
+ DESC="SSL tunnels"
+ OPTIONS=""
+@@ -100,9 +100,9 @@ if [ "x$OPTIONS" != "x" ]; then
+ OPTIONS="-- $OPTIONS"
+ fi
+
+-[ -f /etc/default/stunnel ] && . /etc/default/stunnel
++[ -f @sysconfdir@/default/stunnel ] && . /etc/default/stunnel
+ if [ "$ENABLED" = "0" ] ; then
+- echo "$DESC disabled, see /etc/default/stunnel"
++ echo "$DESC disabled, see @sysconfdir@/default/stunnel"
+ exit 0
+ fi
+
+@@ -110,15 +110,15 @@ fi
+ # is in $2. Otherwise, respect /etc/default/stunnel4 setting. If no
+ # setting there, use /etc/stunnel/*.conf
+ if [ -n "${2:-}" ]; then
+- if [ -e "/etc/stunnel/$2.conf" ]; then
+- FILES="/etc/stunnel/$2.conf"
++ if [ -e "@sysconfdir@/stunnel/$2.conf" ]; then
++ FILES="@sysconfdir@/stunnel/$2.conf"
+ else
+- echo >&2 "/etc/stunnel/$2.conf does not exist."
++ echo >&2 "@sysconfdir@/stunnel/$2.conf does not exist."
+ exit 1
+ fi
+ else
+ if [ -z "$FILES" ]; then
+- FILES="/etc/stunnel/*.conf"
++ FILES="@sysconfdir@/stunnel/*.conf"
+ fi
+ fi
+
+@@ -158,7 +158,7 @@ case "$1" in
+ querydaemons
+ ;;
+ *)
+- N=/etc/init.d/$NAME
++ N=@sysconfdir@/init.d/$NAME
+ echo "Usage: $N {start|stop|status|reload|reopen-logs|restart} [<stunnel instance>]" >&2
+ exit 1
+ ;;
+diff --git a/tools/stunnel.service.in b/tools/stunnel.service.in
+index 0f7adfa..7776364 100644
+--- a/tools/stunnel.service.in
++++ b/tools/stunnel.service.in
+@@ -3,7 +3,7 @@ Description=SSL tunnel for network daemons
+ After=syslog.target
+
+ [Service]
+-ExecStart=@prefix@/bin/stunnel
++ExecStart=@bindir@/stunnel
+ Type=forking
+
+ [Install]
+--
+2.3.3
+
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
More information about the devel
mailing list