Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
dfanfdsanfdsa
/
ood-ports-lbsd-fork1
forknuté z jimmy/ood-ports-lbsd
Pridať medzi pozorované 1
Hviezda 0
Fork 0
Súbory
Strom: f08698bfd3
Branche Tagy
ood-ports-lb...
/
security
/
stunnel
/
patches
/
patch-tools_stunnel_conf-sample_in

patch-tools_stunnel_conf-sample_in 4.0 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149 
  1. $OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.15 2016/11/09 23:14:31 gsoares Exp $
    2. 

  2. --- tools/stunnel.conf-sample.in.orig	Tue Jul  5 18:27:57 2016
    3. 

  3. +++ tools/stunnel.conf-sample.in	Thu Nov  3 23:16:09 2016
    4. 

  4. @@ -7,17 +7,18 @@
    5. 

  5.  ; * Global options                                                         *
    6. 

  6.  ; **************************************************************************
    7. 

  7.  
    8. 

  8. +chroot = /var/stunnel/
    9. 

  9.  ; It is recommended to drop root privileges if stunnel is started by root
    10. 

  10. -;setuid = nobody
    11. 

  11. -;setgid = @DEFAULT_GROUP@
    12. 

  12. +setuid = _stunnel
    13. 

  13. +setgid = _stunnel
    14. 

  14.  
    15. 

  15.  ; PID file is created inside the chroot jail (if enabled)
    16. 

  16. -;pid = @localstatedir@/run/stunnel.pid
    17. 

  17. +pid = /stunnel.pid
    18. 

  18.  
    19. 

  19.  ; Debugging stuff (may be useful for troubleshooting)
    20. 

  20.  ;foreground = yes
    21. 

  21.  ;debug = info
    22. 

  22. -;output = @localstatedir@/log/stunnel.log
    23. 

  23. +;output = stunnel.log
    24. 

  24.  
    25. 

  25.  ; Enable FIPS 140-2 mode if needed for compliance
    26. 

  26.  ;fips = yes
    27. 

  27. @@ -37,7 +38,7 @@
    28. 

  28.  ; * Include all configuration file fragments from the specified folder     *
    29. 

  29.  ; **************************************************************************
    30. 

  30.  
    31. 

  31. -;include = @sysconfdir@/stunnel/conf.d
    32. 

  32. +;include = ${SYSCONFDIR}/stunnel/conf.d
    33. 

  33.  
    34. 

  34.  ; **************************************************************************
    35. 

  35.  ; * Service definitions (remove all services for inetd mode)               *
    36. 

  36. @@ -50,72 +51,72 @@
    37. 

  37.  ; a hardcoded path of the stunnel package, as it is not related to the
    38. 

  38.  ; stunnel configuration in @sysconfdir@/stunnel/.
    39. 

  39.  
    40. 

  40. -[gmail-pop3]
    41. 

  41. -client = yes
    42. 

  42. -accept = 127.0.0.1:110
    43. 

  43. -connect = pop.gmail.com:995
    44. 

  44. -verifyChain = yes
    45. 

  45. -CApath = /etc/ssl/certs
    46. 

  46. -checkHost = pop.gmail.com
    47. 

  47. -OCSPaia = yes
    48. 

  48. +;[gmail-pop3]
    49. 

  49. +;client = yes
    50. 

  50. +;accept = 127.0.0.1:110
    51. 

  51. +;connect = pop.gmail.com:995
    52. 

  52. +;verifyChain = yes
    53. 

  53. +;CApath = ${SYSCONFDIR}/ssl/certs
    54. 

  54. +;checkHost = pop.gmail.com
    55. 

  55. +;OCSPaia = yes
    56. 

  56.  
    57. 

  57. -[gmail-imap]
    58. 

  58. -client = yes
    59. 

  59. -accept = 127.0.0.1:143
    60. 

  60. -connect = imap.gmail.com:993
    61. 

  61. -verifyChain = yes
    62. 

  62. -CApath = /etc/ssl/certs
    63. 

  63. -checkHost = imap.gmail.com
    64. 

  64. -OCSPaia = yes
    65. 

  65. +;[gmail-imap]
    66. 

  66. +;client = yes
    67. 

  67. +;accept = 127.0.0.1:143
    68. 

  68. +;connect = imap.gmail.com:993
    69. 

  69. +;verifyChain = yes
    70. 

  70. +;CApath = ${SYSCONFDIR}/ssl/certs
    71. 

  71. +;checkHost = imap.gmail.com
    72. 

  72. +;OCSPaia = yes
    73. 

  73.  
    74. 

  74. -[gmail-smtp]
    75. 

  75. -client = yes
    76. 

  76. -accept = 127.0.0.1:25
    77. 

  77. -connect = smtp.gmail.com:465
    78. 

  78. -verifyChain = yes
    79. 

  79. -CApath = /etc/ssl/certs
    80. 

  80. -checkHost = smtp.gmail.com
    81. 

  81. -OCSPaia = yes
    82. 

  82. +;[gmail-smtp]
    83. 

  83. +;client = yes
    84. 

  84. +;accept = 127.0.0.1:25
    85. 

  85. +;connect = smtp.gmail.com:465
    86. 

  86. +;verifyChain = yes
    87. 

  87. +;CApath = ${SYSCONFDIR}/ssl/certs
    88. 

  88. +;checkHost = smtp.gmail.com
    89. 

  89. +;OCSPaia = yes
    90. 

  90.  
    91. 

  91.  ; ***************************************** Example TLS server mode services
    92. 

  92.  
    93. 

  93. -;[pop3s]
    94. 

  94. -;accept  = 995
    95. 

  95. -;connect = 110
    96. 

  96. -;cert = @sysconfdir@/stunnel/stunnel.pem
    97. 

  97. +[pop3s]
    98. 

  98. +accept  = 995
    99. 

  99. +connect = 110
    100. 

  100. +cert = ${SYSCONFDIR}/stunnel/stunnel.pem
    101. 

  101.  
    102. 

  102. -;[imaps]
    103. 

  103. -;accept  = 993
    104. 

  104. -;connect = 143
    105. 

  105. -;cert = @sysconfdir@/stunnel/stunnel.pem
    106. 

  106. +[imaps]
    107. 

  107. +accept  = 993
    108. 

  108. +connect = 143
    109. 

  109. +cert = ${SYSCONFDIR}/stunnel/stunnel.pem
    110. 

  110.  
    111. 

  111. -;[ssmtp]
    112. 

  112. -;accept  = 465
    113. 

  113. -;connect = 25
    114. 

  114. -;cert = @sysconfdir@/stunnel/stunnel.pem
    115. 

  115. +[ssmtp]
    116. 

  116. +accept  = 465
    117. 

  117. +connect = 25
    118. 

  118. +cert = ${SYSCONFDIR}/stunnel/stunnel.pem
    119. 

  119.  
    120. 

  120.  ; TLS front-end to a web server
    121. 

  121.  ;[https]
    122. 

  122.  ;accept  = 443
    123. 

  123.  ;connect = 80
    124. 

  124. -;cert = @sysconfdir@/stunnel/stunnel.pem
    125. 

  125. +;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
    126. 

  126.  ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel
    127. 

  127.  ; Microsoft implementations do not use TLS close-notify alert and thus they
    128. 

  128.  ; are vulnerable to truncation attacks
    129. 

  129.  ;TIMEOUTclose = 0
    130. 

  130.  
    131. 

  131.  ; Remote shell protected with PSK-authenticated TLS
    132. 

  132. -; Create "@sysconfdir@/stunnel/secrets.txt" containing IDENTITY:KEY pairs
    133. 

  133. +; Create "${SYSCONFDIR}/stunnel/secrets.txt" containing IDENTITY:KEY pairs
    134. 

  134.  ;[shell]
    135. 

  135.  ;accept = 1337
    136. 

  136.  ;exec = /bin/sh
    137. 

  137.  ;execArgs = sh -i
    138. 

  138.  ;ciphers = PSK
    139. 

  139. -;PSKsecrets = @sysconfdir@/stunnel/secrets.txt
    140. 

  140. +;PSKsecrets = ${SYSCONFDIR}/stunnel/secrets.txt
    141. 

  141.  
    142. 

  142.  ; Non-standard MySQL-over-TLS encapsulation connecting the Unix socket
    143. 

  143.  ;[mysql]
    144. 

  144. -;cert = @sysconfdir@/stunnel/stunnel.pem
    145. 

  145. +;cert = ${SYSCONFDIR}/stunnel/stunnel.pem
    146. 

  146.  ;accept = 3307
    147. 

  147.  ;connect = /run/mysqld/mysqld.sock
    148. 

  148.  
    149. 

  149.