D3/readme.md
2025-05-12 17:31:08 +08:00

4.9 KiB

东方 の 武士刀

; Sample stunnel configuration file for Win64 by Michal Trojnara 2002-2023 ; Some options used here may be inadequate for your particular configuration ; This sample file does not represent stunnel.conf defaults ; Please consult the manual for detailed description of available options

; ************************************************************************** ; * Global options * ; **************************************************************************

; Debugging stuff (may be useful for troubleshooting); ;debug = info ;output = stunnel.log

; Enable FIPS 140-2 mode if needed for compliance ;fips = yes

; Microsoft CryptoAPI engine allows for authentication with private keys ; stored in the Windows certificate store ; Each section using this feature also needs the "engineId = capi" option ;engine = capi ; You also need to disable TLS 1.2 or later, because the CryptoAPI engine ; currently does not support PSS ;sslVersionMax = TLSv1.1 ; TLSv1.1 requires security level 0 when compiled OpenSSL 3.0 and later ;securityLevel = 0

sslVersionMax = TLSv1.3 sslVersionMin = TLSv1.2 options = NO_SSLv2 options = NO_SSLv3 ciphers = ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE

; The pkcs11 engine allows for authentication with cryptographic ; keys isolated in a hardware or software token ; MODULE_PATH specifies the path to the pkcs11 module shared library, ; such as softhsm2-x64.dll or opensc-pkcs11.dll ; IMPORTANT: A 64-bit stunnel requires 64-bit PKCS#11 modules ; Each section using this feature also needs the "engineId = pkcs11" option ;engine = pkcs11 ;engineCtrl = MODULE_PATH:softhsm2-x64.dll ;engineCtrl = PIN:1234

; ************************************************************************** ; * Service defaults may also be specified in individual service sections * ; **************************************************************************

; Enable support for the insecure SSLv3 protocol ;options = -NO_SSLv3

; These options provide additional security at some performance degradation ;options = SINGLE_ECDH_USE ;options = SINGLE_DH_USE

; ************************************************************************** ; * Include all configuration file fragments from the specified folder * ; **************************************************************************

;include = conf.d

; ************************************************************************** ; * Service definitions (at least one service has to be defined) * ; **************************************************************************

; ***************************************** Example TLS client mode services

[gmail-pop3] client = yes accept = 127.0.0.1:110 connect = pop.gmail.com:995 verifyChain = yes CAfile = ca-certs.pem checkHost = pop.gmail.com OCSPaia = yes

[gmail-imap] client = yes accept = 127.0.0.1:143 connect = imap.gmail.com:993 verifyChain = yes CAfile = ca-certs.pem checkHost = imap.gmail.com OCSPaia = yes

[gmail-smtp] client = yes accept = 127.0.0.1:25 connect = smtp.gmail.com:465 verifyChain = yes CAfile = ca-certs.pem checkHost = smtp.gmail.com OCSPaia = yes

; Encrypted HTTP proxy authenticated with a client certificate ; located in the Windows certificate store ;[example-proxy] ;client = yes ;accept = 127.0.0.1:8080 ;connect = example.com:8443 ;engineId = capi

; Encrypted HTTP proxy authenticated with a client certificate ; located in a cryptographic token ;[example-pkcs11] ;client = yes ;accept = 127.0.0.1:8080 ;connect = example.com:8443 ;engineId = pkcs11 ;cert = pkcs11:token=MyToken;object=MyCert ;key = pkcs11:token=MyToken;object=MyKey

; ***************************************** Example TLS server mode services

;[pop3s] ;accept = 995 ;connect = 110 ;cert = stunnel.pem

;[imaps] ;accept = 993 ;connect = 143 ;cert = stunnel.pem

; Either only expose this service to trusted networks, or require ; authentication when relaying emails originated from loopback. ; Otherwise the following configuration creates an open relay. ;[ssmtp] ;accept = 465 ;connect = 25 ;cert = stunnel.pem

; TLS front-end to a web server ;[https] ;accept = 443 ;connect = 80 ;cert = stunnel.pem ; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SChannel ; Microsoft implementations do not use TLS close-notify alert and thus they ; are vulnerable to truncation attacks ;TIMEOUTclose = 0

; Remote cmd.exe protected with PSK-authenticated TLS ; Create "secrets.txt" containing IDENTITY:KEY pairs ;[cmd] ;accept = 1337 ;exec = c:\windows\system32\cmd.exe ;execArgs = cmd.exe ;PSKsecrets = secrets.txt

; vim:ft=dosini [socksproxy_us] client = yes accept = 10088 connect =142.171.128.108:8443 cert = stunnel.pem key = stunnel.pem

verifyPeer = yes CAfile = stunnel.pem

[socksproxy_jp] client = yes accept = 10023 connect = 212.50.234.32:8443 cert = stunnel.pem key = stunnel.pem

verifyPeer = yes CAfile = stunnel.pem