From 9045af2d6c422c82d745f7e28d9340e69db23035 Mon Sep 17 00:00:00 2001 From: admin Date: Mon, 12 May 2025 17:31:08 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=20readme.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- readme.md | 172 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 171 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 251f5da..fb344f3 100644 --- a/readme.md +++ b/readme.md @@ -1 +1,171 @@ -东方 の 武士刀 \ No newline at end of file +东方 の 武士刀 + +; Sample stunnel configuration file for Win64 by Michal Trojnara 2002-2023 +; Some options used here may be inadequate for your particular configuration +; This sample file does *not* represent stunnel.conf defaults +; Please consult the manual for detailed description of available options + +; ************************************************************************** +; * Global options * +; ************************************************************************** + +; Debugging stuff (may be useful for troubleshooting); +;debug = info +;output = stunnel.log + +; Enable FIPS 140-2 mode if needed for compliance +;fips = yes + +; Microsoft CryptoAPI engine allows for authentication with private keys +; stored in the Windows certificate store +; Each section using this feature also needs the "engineId = capi" option +;engine = capi +; You also need to disable TLS 1.2 or later, because the CryptoAPI engine +; currently does not support PSS +;sslVersionMax = TLSv1.1 +; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later +;securityLevel = 0 + +sslVersionMax = TLSv1.3 +sslVersionMin = TLSv1.2 +options = NO_SSLv2 +options = NO_SSLv3 +ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE + +; The pkcs11 engine allows for authentication with cryptographic +; keys isolated in a hardware or software token +; MODULE_PATH specifies the path to the pkcs11 module shared library, +; such as softhsm2-x64.dll or opensc-pkcs11.dll +; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules +; Each section using this feature also needs the "engineId = pkcs11" option +;engine = pkcs11 +;engineCtrl = MODULE_PATH:softhsm2-x64.dll +;engineCtrl = PIN:1234 + +; ************************************************************************** +; * Service defaults may also be specified in individual service sections * +; ************************************************************************** + +; Enable support for the insecure SSLv3 protocol +;options = -NO_SSLv3 + +; These options provide additional security at some performance degradation +;options = SINGLE_ECDH_USE +;options = SINGLE_DH_USE + +; ************************************************************************** +; * Include all configuration file fragments from the specified folder * +; ************************************************************************** + +;include = conf.d + +; ************************************************************************** +; * Service definitions (at least one service has to be defined) * +; ************************************************************************** + +; ***************************************** Example TLS client mode services + +[gmail-pop3] +client = yes +accept = 127.0.0.1:110 +connect = pop.gmail.com:995 +verifyChain = yes +CAfile = ca-certs.pem +checkHost = pop.gmail.com +OCSPaia = yes + +[gmail-imap] +client = yes +accept = 127.0.0.1:143 +connect = imap.gmail.com:993 +verifyChain = yes +CAfile = ca-certs.pem +checkHost = imap.gmail.com +OCSPaia = yes + +[gmail-smtp] +client = yes +accept = 127.0.0.1:25 +connect = smtp.gmail.com:465 +verifyChain = yes +CAfile = ca-certs.pem +checkHost = smtp.gmail.com +OCSPaia = yes + +; Encrypted HTTP proxy authenticated with a client certificate +; located in the Windows certificate store +;[example-proxy] +;client = yes +;accept = 127.0.0.1:8080 +;connect = example.com:8443 +;engineId = capi + +; Encrypted HTTP proxy authenticated with a client certificate +; located in a cryptographic token +;[example-pkcs11] +;client = yes +;accept = 127.0.0.1:8080 +;connect = example.com:8443 +;engineId = pkcs11 +;cert = pkcs11:token=MyToken;object=MyCert +;key = pkcs11:token=MyToken;object=MyKey + +; ***************************************** Example TLS server mode services + +;[pop3s] +;accept = 995 +;connect = 110 +;cert = stunnel.pem + +;[imaps] +;accept = 993 +;connect = 143 +;cert = stunnel.pem + +; Either only expose this service to trusted networks, or require +; authentication when relaying emails originated from loopback. +; Otherwise the following configuration creates an open relay. +;[ssmtp] +;accept = 465 +;connect = 25 +;cert = stunnel.pem + +; TLS front-end to a web server +;[https] +;accept = 443 +;connect = 80 +;cert = stunnel.pem +; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel +; Microsoft implementations do not use TLS close-notify alert and thus they +; are vulnerable to truncation attacks +;TIMEOUTclose = 0 + +; Remote cmd.exe protected with PSK-authenticated TLS +; Create "secrets.txt" containing IDENTITY:KEY pairs +;[cmd] +;accept = 1337 +;exec = c:\windows\system32\cmd.exe +;execArgs = cmd.exe +;PSKsecrets = secrets.txt + +; vim:ft=dosini +[socksproxy_us] +client = yes +accept = 10088 +connect =142.171.128.108:8443 +cert = stunnel.pem +key = stunnel.pem + +verifyPeer = yes +CAfile = stunnel.pem + +[socksproxy_jp] +client = yes +accept = 10023 +connect = 212.50.234.32:8443 +cert = stunnel.pem +key = stunnel.pem + +verifyPeer = yes +CAfile = stunnel.pem +