Technical data
4. Packages
can only be reached through a dynamic DNS name whose address changes frequently, or if
“stunnel” should not trigger a dial-in when it starts.
Default setting: STUNNEL_x_DELAY_DNS='no'
Example: STUNNEL_1_DELAY_DNS='yes'
STUNNEL_x_CERT_FILE This variable contains the file name of the certificate to be used for
the tunnel. For server mode tunnels (STUNNEL_x_CLIENT='no') this is the server certificate
that the client validates against a “Certificate Authority” (CA) if configured to do so.
For client mode tunnels (STUNNEL_x_CLIENT='yes') this is a (usually optional) client
certificate that the server validates against a CA if configured to do so.
The certificate must be provided in the so-called PEM format and must be saved below
<config-directory>/etc/stunnel/. Only the file name must be stored in this variable,
not the path.
For a server mode tunnel the certificate is mandatory!
Example: STUNNEL_1_CERT_FILE='myserver.crt'
STUNNEL_x_CERT_CA_FILE This variable contains the file name of the CA certificate to
be used for validating the certificate of the remote station. Typically clients validate
the server’s certificate; the reverse, however, is also possible. For details on the validation
please refer to the description of the variable STUNNEL_x_CERT_VERIFY (Page 202).
The certificate must be provided in the so-called PEM format and must be saved below
<config-directory>/etc/stunnel/. Only the file name must be stored in this variable,
not the path.
Example: STUNNEL_1_CERT_CA_FILE='myca.crt'
STUNNEL_x_CERT_VERIFY This variable controls the validation of the certificate of the
remote station. Five options are possible:
• none: The certificate of the remote station is not validated at all. In this case the
variable STUNNEL_x_CERT_CA_FILE is empty.
• optional: If the remote station provides a certificate, it is checked against the CA
certificate configured using the variable STUNNEL_x_CERT_CA_FILE. If the remote station
does not provide a certificate, this is not an error and the connection is still
accepted. This setting is only useful for server mode tunnels, because a client tunnel
always receives a certificate from the server.
• onlyca: The certificate of the remote station is validated against the CA certificate
configured in the variable STUNNEL_x_CERT_CA_FILE. If the remote station does not
provide a certificate, or the certificate does not match the configured CA, the connection is
rejected. This is useful when a private CA is used, because then all potential peers are
known.
• onlycert: The certificate of the remote station is compared with the certificate
configured in the variable STUNNEL_x_CERT_CA_FILE. It is not checked against a CA
certificate; instead it is ensured that the remote station sends exactly the matching
(server or client) certificate. In this case the file referenced by the variable
STUNNEL_x_CERT_CA_FILE does not contain a CA certificate, but a host
202
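An added consistency check (example code, not part of the stunnel package or its documentation) that applies the rules stated above for STUNNEL_x_CERT_FILE, STUNNEL_x_CERT_CA_FILE and the four STUNNEL_x_CERT_VERIFY values described on this page to one tunnel definition. The function name check_stunnel_tunnel and the sample variable values are assumptions.

```shell
#!/bin/sh
# Example consistency check for one STUNNEL_x_* tunnel definition
# (added here; not part of the stunnel package). Rules taken from the text:
# a server mode tunnel needs a certificate; certificate variables hold file
# names below <config-directory>/etc/stunnel/, not paths; CERT_VERIFY='none'
# goes with an empty CA file, the other values listed here need one; and
# 'optional' is only useful for server mode tunnels. CERT_VERIFY values not
# described on this page are reported but not judged.
# Returns the number of problems found (0 = consistent).
check_stunnel_tunnel() {
    n=$1
    eval "client=\${STUNNEL_${n}_CLIENT:-no}"
    eval "cert=\${STUNNEL_${n}_CERT_FILE}"
    eval "ca=\${STUNNEL_${n}_CERT_CA_FILE}"
    eval "verify=\${STUNNEL_${n}_CERT_VERIFY:-none}"
    errors=0
    # For a server mode tunnel the certificate is mandatory
    if [ "$client" = no ] && [ -z "$cert" ]; then
        echo "tunnel $n: STUNNEL_${n}_CERT_FILE is mandatory for server mode"
        errors=$((errors + 1))
    fi
    # Only the file name is stored, never a path
    for f in "$cert" "$ca"; do
        case $f in
            */*) echo "tunnel $n: '$f' must be a file name, not a path"
                 errors=$((errors + 1)) ;;
        esac
    done
    case $verify in
        none)
            [ -z "$ca" ] || { echo "tunnel $n: STUNNEL_${n}_CERT_CA_FILE must be empty with CERT_VERIFY='none'"
                              errors=$((errors + 1)); } ;;
        optional|onlyca|onlycert)
            [ -n "$ca" ] || { echo "tunnel $n: CERT_VERIFY='$verify' needs STUNNEL_${n}_CERT_CA_FILE"
                              errors=$((errors + 1)); }
            if [ "$verify" = optional ] && [ "$client" != no ]; then
                echo "tunnel $n: 'optional' is only useful for server mode tunnels"
                errors=$((errors + 1))
            fi ;;
        *)  echo "tunnel $n: CERT_VERIFY='$verify' is not covered by this check" ;;
    esac
    return $errors
}

# Constructed sample values (assumed): a consistent server mode tunnel
STUNNEL_1_CLIENT='no'; STUNNEL_1_CERT_FILE='myserver.crt'
STUNNEL_1_CERT_CA_FILE='myca.crt'; STUNNEL_1_CERT_VERIFY='onlyca'
check_stunnel_tunnel 1 && echo "tunnel 1: consistent"
```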