; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2015
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may useful for troubleshooting)
;debug = 7
;output = stunnel.log

; Enable FIPS 140-2 mode if needed it for compliance
;fips = yes

; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
cert = stunnel.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Enable support for the insecure SSLv2 protocol
;options = -NO_SSLv2
; Enable support for the insecure SSLv3 protocol
;options = -NO_SSLv3
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; ***************************************** Example SSL server mode services

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

; Example SSL front-end to a web server
;[https]
;accept  = 443
;connect = 80
; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
; Microsoft implementations do not use SSL close-notify alert and thus
; they are vulnerable to truncation attacks
;TIMEOUTclose = 0

; ***************************************** Example SSL client mode services

[gmail-pop3]
client = yes
accept = 127.0.0.1:110
connect = pop.gmail.com:995

[gmail-imap]
client = yes
accept = 127.0.0.1:143
connect = imap.gmail.com:993

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465

; Proxy authenticated with client certificate from Windows certificate store
;[example-proxy]
;client = yes
;engineID = capi
;accept = 127.0.0.1:8080
;connect = example.com:8443

; Service based on a command-line tool
;[netstat]
;accept = 8015
;exec = c:\windows\system32\netstat.exe
;execargs = netstat -a

; Remote cmd.exe protected with SSL
; Certificate-based authentication needs to be configured for this service!
;[cmd]
;accept = 1337
;exec = c:\windows\system32\cmd.exe

; vim:ft=dosini