From 56815b35f898cbb10358dc5259f32baab6c56a0a Mon Sep 17 00:00:00 2001
From: admin
Date: Mon, 12 May 2025 17:33:13 +0800
Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=20readme.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
readme.md | 167 ------------------------------------------------------
1 file changed, 167 deletions(-)
diff --git a/readme.md b/readme.md
index fb344f3..11ea619 100644
--- a/readme.md
+++ b/readme.md
@@ -1,171 +1,4 @@ 东方 の 武士刀 -; Sample stunnel configuration file for Win64 by Michal Trojnara 2002-2023 -; Some options used here may be inadequate for your particular configuration -; This sample file does *not* represent stunnel.conf defaults -; Please consult the manual for detailed description of available options -; ************************************************************************** -; * Global options * -; ************************************************************************** - -; Debugging stuff (may be useful for troubleshooting); -;debug = info -;output = stunnel.log - -; Enable FIPS 140-2 mode if needed for compliance -;fips = yes - -; Microsoft CryptoAPI engine allows for authentication with private keys -; stored in the Windows certificate store -; Each section using this feature also needs the "engineId = capi" option -;engine = capi -; You also need to disable TLS 1.2 or later, because the CryptoAPI engine -; currently does not support PSS -;sslVersionMax = TLSv1.1 -; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later -;securityLevel = 0 - -sslVersionMax = TLSv1.3 -sslVersionMin = TLSv1.2 -options = NO_SSLv2 -options = NO_SSLv3 -ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE - -; The pkcs11 engine allows for authentication with cryptographic -; keys isolated in a hardware or software token -; MODULE_PATH specifies the path to the pkcs11 module shared library, -; such as softhsm2-x64.dll or opensc-pkcs11.dll -; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules -; Each section using this feature also needs the "engineId = pkcs11" option -;engine = pkcs11 -;engineCtrl = MODULE_PATH:softhsm2-x64.dll -;engineCtrl = PIN:1234 - -; ************************************************************************** -; * Service defaults may also be specified in individual service sections * -; ************************************************************************** - -; Enable 
support for the insecure SSLv3 protocol -;options = -NO_SSLv3 - -; These options provide additional security at some performance degradation -;options = SINGLE_ECDH_USE -;options = SINGLE_DH_USE - -; ************************************************************************** -; * Include all configuration file fragments from the specified folder * -; ************************************************************************** - -;include = conf.d - -; ************************************************************************** -; * Service definitions (at least one service has to be defined) * -; ************************************************************************** - -; ***************************************** Example TLS client mode services - -[gmail-pop3] -client = yes -accept = 127.0.0.1:110 -connect = pop.gmail.com:995 -verifyChain = yes -CAfile = ca-certs.pem -checkHost = pop.gmail.com -OCSPaia = yes - -[gmail-imap] -client = yes -accept = 127.0.0.1:143 -connect = imap.gmail.com:993 -verifyChain = yes -CAfile = ca-certs.pem -checkHost = imap.gmail.com -OCSPaia = yes - -[gmail-smtp] -client = yes -accept = 127.0.0.1:25 -connect = smtp.gmail.com:465 -verifyChain = yes -CAfile = ca-certs.pem -checkHost = smtp.gmail.com -OCSPaia = yes - -; Encrypted HTTP proxy authenticated with a client certificate -; located in the Windows certificate store -;[example-proxy] -;client = yes -;accept = 127.0.0.1:8080 -;connect = example.com:8443 -;engineId = capi - -; Encrypted HTTP proxy authenticated with a client certificate -; located in a cryptographic token -;[example-pkcs11] -;client = yes -;accept = 127.0.0.1:8080 -;connect = example.com:8443 -;engineId = pkcs11 -;cert = pkcs11:token=MyToken;object=MyCert -;key = pkcs11:token=MyToken;object=MyKey - -; ***************************************** Example TLS server mode services - -;[pop3s] -;accept = 995 -;connect = 110 -;cert = stunnel.pem - -;[imaps] -;accept = 993 -;connect = 143 -;cert = stunnel.pem - -; Either only 
expose this service to trusted networks, or require -; authentication when relaying emails originated from loopback. -; Otherwise the following configuration creates an open relay. -;[ssmtp] -;accept = 465 -;connect = 25 -;cert = stunnel.pem - -; TLS front-end to a web server -;[https] -;accept = 443 -;connect = 80 -;cert = stunnel.pem -; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel -; Microsoft implementations do not use TLS close-notify alert and thus they -; are vulnerable to truncation attacks -;TIMEOUTclose = 0 - -; Remote cmd.exe protected with PSK-authenticated TLS -; Create "secrets.txt" containing IDENTITY:KEY pairs -;[cmd] -;accept = 1337 -;exec = c:\windows\system32\cmd.exe -;execArgs = cmd.exe -;PSKsecrets = secrets.txt - -; vim:ft=dosini -[socksproxy_us] -client = yes -accept = 10088 -connect =142.171.128.108:8443 -cert = stunnel.pem -key = stunnel.pem - -verifyPeer = yes -CAfile = stunnel.pem - -[socksproxy_jp] -client = yes -accept = 10023 -connect = 212.50.234.32:8443 -cert = stunnel.pem -key = stunnel.pem - -verifyPeer = yes -CAfile = stunnel.pem