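#
# Ansible managed.
#
#GLOBAL#######################################################
; stunnel client configuration. There is no [service] section, so the
; connect/client settings at the bottom apply globally (presumably inetd
; mode, wrapping stdin/stdout -- confirm against how stunnel is launched).
; Only TLS 1.3 is negotiated; NO_SSLv2 / NO_SSLv3 below are then redundant
; but harmless.
sslVersion = TLSv1.3
; seconds
TIMEOUTidle = 600
; seconds
TIMEOUTconnect = 5
renegotiation = no
FIPS = no
; "options" accumulates: each line adds one OpenSSL option.
options = NO_SSLv2
options = NO_SSLv3
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
; server-side option; has no effect together with client = yes
options = CIPHER_SERVER_PREFERENCE
syslog = yes
; syslog level (5 = notice)
debug = 5
; privileges dropped after the certificate/key files below are loaded
setuid = nobody
setgid = nobody
chroot = /var/stunnel/chroot
; TCP-wrapper (hosts.allow/hosts.deny) and syslog service name
service = stunnel-nfs-nsb
; NOTE(review): the setup notes below create hosts.deny under /var/empty and
; deny the service "3d-nfsd", while chroot is /var/stunnel/chroot and the
; service name above is stunnel-nfs-nsb -- confirm both against the actual
; chroot contents, otherwise the hosts.deny entry never matches.
; cd /var/empty; mkdir -p stunnel/etc; cd stunnel/etc;
; echo '3d-nfsd: ALL EXCEPT 127.0.0.1' >> hosts.deny;
; chcon -t stunnel_etc_t hosts.deny
; ECDH curve
curve = secp521r1
; https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
; NOTE: "ciphers" only governs TLS 1.2 and below; with sslVersion = TLSv1.3
; the negotiated suites come from "ciphersuites" (OpenSSL's TLS 1.3 defaults
; here, all AEAD), so this list is effectively inert in the current setup.
ciphers = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
#CREDENTIALS##################################################
; Verify the server certificate chain against CAfile (and CRLfile).
verify = 2
; "verify = 2" on its own accepts any certificate issued by mon-ca, whichever
; host it was issued to; checkHost pins the expected server name. The value
; must match the SAN/CN of the server certificate presented by the connect
; target below.
checkHost = nfs2-freeway.casperlefantom.net
CAfile = /etc/pki/tls/certs/mon-ca.crt
CRLfile = /etc/pki/tls/certs/crt-crl.pem
; client certificate and key presented to the server (mutual TLS)
cert = /etc/pki/tls/certs/matthieu.3.crt
key = /etc/pki/tls/private/matthieu.3.key
#ROLE#########################################################
client = yes
connect = nfs2-freeway.casperlefantom.net:443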