STUNNEL(8)                           stunnel                           STUNNEL(8)

NAME
    stunnel - universal SSL tunnel

SYNOPSIS
    Unix:
        stunnel [<filename>] | -fd n | -help | -version | -sockets

    WIN32:
        stunnel [ [-install | -uninstall | -start | -stop] | -exit]
            [-quiet] [<filename>] ] | -help | -version | -sockets

DESCRIPTION
    The stunnel program is designed to work as an SSL encryption wrapper
    between remote clients and local (inetd-startable) or remote servers.
    The concept is that, having non-SSL aware daemons running on your
    system, you can easily set them up to communicate with clients over
    secure SSL channels.

    stunnel can be used to add SSL functionality to commonly used inetd
    daemons like POP-2, POP-3, and IMAP servers, to standalone daemons like
    NNTP, SMTP and HTTP, and in tunneling PPP over network sockets without
    changes to the source code.

    This product includes cryptographic software written by Eric Young
    (eay@cryptsoft.com)

OPTIONS
    <filename>
        Use the specified configuration file

    -fd n (Unix only)
        Read the config file from the specified file descriptor

    -help
        Print the stunnel help menu

    -version
        Print the stunnel version and compile-time defaults

    -sockets
        Print default socket options

    -install (NT/2000/XP only)
        Install NT Service

    -uninstall (NT/2000/XP only)
        Uninstall NT Service

    -start (NT/2000/XP only)
        Start NT Service

    -stop (NT/2000/XP only)
        Stop NT Service

    -exit (Win32 only)
        Exit an already started stunnel

    -quiet (NT/2000/XP only)
        Don't display any message boxes

CONFIGURATION FILE
    Each line of the configuration file can be either:

    ·   An empty line (ignored).

    ·   A comment starting with ';' (ignored).

    ·   An 'option_name = option_value' pair.

    ·   '[service_name]' indicating the start of a service definition.

    An address parameter of an option may be either:

    ·   A port number.

    ·   A colon-separated pair of IP address (either IPv4, IPv6, or domain
        name) and port number.

    ·   A Unix socket path (Unix only).
    GLOBAL OPTIONS
    chroot = directory (Unix only)
        directory to chroot the stunnel process into

        chroot keeps stunnel in a chrooted jail. CApath, CRLpath, pid and
        exec are located inside the jail and the paths have to be relative
        to the directory specified with chroot.

        Several functions of the operating system also need their files to
        be located within the chroot jail, e.g.:

        ·   The delayed resolver typically needs /etc/nsswitch.conf and
            /etc/resolv.conf.

        ·   Local time in log files needs /etc/timezone.

        ·   Some other functions may need devices, e.g. /dev/zero or
            /dev/null.

    compression = deflate | zlib | rle
        select the data compression algorithm

        default: no compression

        deflate is the standard compression method as described in RFC
        1951.

        zlib compression of OpenSSL 0.9.8 or above is not backward
        compatible with OpenSSL 0.9.7.

        rle compression is currently not implemented by the OpenSSL
        library.

    debug = [facility.]level
        debugging level

        Level is one of the syslog level names or numbers: emerg (0),
        alert (1), crit (2), err (3), warning (4), notice (5), info (6), or
        debug (7). All logs for the specified level and all levels
        numerically less than it will be shown. Use debug = debug or debug
        = 7 for the greatest debugging output. The default is notice (5).

        The syslog facility 'authpriv' will be used unless a facility name
        is supplied. (Facilities are not supported on Win32.)

        Case is ignored for both facilities and levels.

    EGD = egd path (Unix only)
        path to the Entropy Gathering Daemon socket

        Entropy Gathering Daemon socket used to feed the OpenSSL random
        number generator. (Available only if compiled with OpenSSL 0.9.5a
        or higher.)

    engine = auto | <engine id>
        select hardware engine

        default: software-only cryptography

        Here is an example of an advanced engine configuration to read the
        private key from an OpenSC engine:

            engine=dynamic
            engineCtrl=SO_PATH:/usr/lib/opensc/engine_pkcs11.so
            engineCtrl=ID:pkcs11
            engineCtrl=LIST_ADD:1
            engineCtrl=LOAD
            engineCtrl=MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
            engineCtrl=INIT

            [service]
            engineNum=1
            key=id_45

    engineCtrl = command[:parameter]
        control hardware engine

        The special commands "LOAD" and "INIT" can be used to load and
        initialize the engine cryptographic module.

    fips = yes | no
        Enable or disable FIPS 140-2 mode.

        This option allows disabling FIPS mode if stunnel was compiled with
        FIPS 140-2 support.

        default: yes

    foreground = yes | no (Unix only)
        foreground mode

        Stay in the foreground (don't fork) and log to stderr instead of
        via syslog (unless output is specified).

        default: background in daemon mode

    output = file
        append log messages to a file

        The /dev/stdout device can be used to send log messages to the
        standard output (for example to log them with daemontools
        splogger).

    pid = file (Unix only)
        pid file location

        If the argument is empty, then no pid file will be created.

        The pid path is relative to the chroot directory if specified.

    RNDbytes = bytes
        bytes to read from random seed files

        Number of bytes of data read from random seed files. With OpenSSL
        versions less than 0.9.5a, this also determines how many bytes of
        data are considered sufficient to seed the PRNG. More recent
        OpenSSL versions have a built-in function to determine when
        sufficient randomness is available.

    RNDfile = file
        path to the file with random seed data

        The SSL library will use data from this file first to seed the
        random number generator.

    RNDoverwrite = yes | no
        overwrite the random seed files with new random data

        default: yes

    service = servicename (Unix only)
        use the specified string as the inetd-mode service name for the
        TCP Wrapper library

        default: stunnel

    setgid = groupname (Unix only)
        setgid() to groupname in daemon mode and clear all other groups

    setuid = username (Unix only)
        setuid() to username in daemon mode

    socket = a|l|r:option=value[:value]
        Set an option on the accept/local/remote socket

        The values for the linger option are l_onoff:l_linger. The values
        for time are tv_sec:tv_usec.

        Examples:

            socket = l:SO_LINGER=1:60
                set a one minute timeout for closing the local socket
            socket = r:SO_OOBINLINE=yes
                place out-of-band data directly into the
                receive data stream for remote sockets
            socket = a:SO_REUSEADDR=no
                disable address reuse (enabled by default)
            socket = a:SO_BINDTODEVICE=lo
                only accept connections on the loopback interface

    syslog = yes | no (Unix only)
        enable logging via syslog

        default: yes

    taskbar = yes | no (WIN32 only)
        enable the taskbar icon

        default: yes
    SERVICE-LEVEL OPTIONS
    Each configuration section begins with the service name in square
    brackets. The service name is used for libwrap (TCP Wrappers) access
    control and lets you distinguish stunnel services in your log files.

    Note that if you wish to run stunnel in inetd mode (where it is
    provided a network socket by a server such as inetd, xinetd, or
    tcpserver) then you should read the section entitled INETD MODE below.

    accept = address
        accept connections on the specified address

        If no host is specified, defaults to all IPv4 addresses for the
        local host.

        To listen on all IPv6 addresses use:

            accept = :::port

    CApath = directory
        Certificate Authority directory

        This is the directory in which stunnel will look for certificates
        when using the verify option. Note that the certificates in this
        directory should be named XXXXXXXX.0 where XXXXXXXX is the hash
        value of the DER encoded subject of the cert.

        The hash algorithm has been changed in OpenSSL 1.0.0. It is
        required to c_rehash the directory on upgrade from OpenSSL 0.x.x to
        OpenSSL 1.x.x.

        The CApath path is relative to the chroot directory if specified.

    CAfile = certfile
        Certificate Authority file

        This file contains multiple CA certificates, used with the verify
        option.

    cert = pemfile
        certificate chain PEM file name

        A PEM file is always needed in server mode. Specifying this option
        in client mode will use this certificate chain as the client side
        certificate chain. Using client side certs is optional. The
        certificates must be in PEM format and must be sorted starting with
        the service's own certificate and ending with the highest-level
        certificate (root CA).

    ciphers = cipherlist
        Select permitted SSL ciphers

        A colon-delimited list of the ciphers to allow in the SSL
        connection. For example DES-CBC3-SHA:IDEA-CBC-MD5

    client = yes | no
        client mode (remote service uses SSL)

        default: no (server mode)

    connect = address
        connect to a remote address

        If no host is specified, the host defaults to localhost.

        Multiple connect options are allowed in a single service section.

        If the host resolves to multiple addresses and/or if multiple
        connect options are specified, then the remote address is chosen
        using a round-robin algorithm.

    CRLpath = directory
        Certificate Revocation Lists directory

        This is the directory in which stunnel will look for CRLs when
        using the verify option. Note that the CRLs in this directory
        should be named XXXXXXXX.r0 where XXXXXXXX is the hash value of the
        CRL.

        The hash algorithm has been changed in OpenSSL 1.0.0. It is
        required to c_rehash the directory on upgrade from OpenSSL 0.x.x to
        OpenSSL 1.x.x.

        The CRLpath path is relative to the chroot directory if specified.

    CRLfile = certfile
        Certificate Revocation Lists file

        This file contains multiple CRLs, used with the verify option.

    curve = nid
        specify the ECDH curve name for the server

        To get a list of supported curves use:

            openssl ecparam -list_curves

        default: prime256v1

    delay = yes | no
        delay DNS lookup for the 'connect' option

        This option is useful for dynamic DNS, or when DNS is not available
        during stunnel startup (road warrior VPN, dial-up configurations).

    engineNum = engine number
        select the engine number to read the private key from

        The engines are numbered starting from 1.

    exec = executable_path
        execute a local inetd-type program

        The exec path is relative to the chroot directory if specified.

    execargs = $0 $1 $2 ...
        arguments for exec including the program name ($0)

        Quoting is currently not supported. Arguments are separated with an
        arbitrary number of whitespace characters.

    failover = rr | prio
        Failover strategy for multiple "connect" targets.

            rr (round robin) - fair load distribution
            prio (priority) - use the order specified in the config file

        default: rr

    ident = username
        use IDENT (RFC 1413) username checking

    key = keyfile
        private key for the certificate specified with the cert option

        The private key is needed to authenticate the certificate owner.
        Since this file should be kept secret it should only be readable by
        its owner. On Unix systems you can use the following command:

            chmod 600 keyfile

        default: value of the cert option

    libwrap = yes | no
        Enable or disable the use of /etc/hosts.allow and /etc/hosts.deny.

        default: yes

    local = host
        By default the IP address of the outgoing interface is used as the
        source for remote connections. Use this option to bind a static
        local IP address instead.

    sni = service_name:server_name_pattern (server mode)
        Use the service as a slave service (a name-based virtual server)
        for the Server Name Indication TLS extension (RFC 3546).

        service_name specifies the master service that accepts client
        connections with the accept option. server_name_pattern specifies
        the host name to be redirected. The pattern may start with the '*'
        character, e.g. '*.example.com'. Multiple slave services are
        normally specified for a single master service. The sni option can
        also be specified more than once within a single slave service.

        This service, as well as the master service, may not be configured
        in client mode.

        The connect option of the slave service is ignored when the
        protocol option is specified, as protocol connects the remote host
        before the TLS handshake.

        Libwrap checks (Unix only) are performed twice: with the master
        service name after the TCP connection is accepted, and with the
        slave service name during the TLS handshake.

        The sni option is only available when compiled with OpenSSL 1.0.0
        and later.
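        The slave-selection rules just described, as an added example that is
        not taken from the stunnel source: a Python model of how a master
        service dispatches a TLS handshake to a slave by its sni pattern, plus
        a check for the combinations this page rules out (either side in
        client mode, a slave connect that is ignored because the master's
        protocol option connects before the handshake). The service table is
        constructed; that host names compare case-insensitively and that the
        first matching slave in configuration order wins are assumptions, not
        statements made on this page.

```python
"""SNI slave-selection model (added example, not stunnel's own code)."""
from typing import Dict, List, Optional, Tuple

# Constructed table of (slave_service, master_service, server_name_pattern),
# as would come from one 'sni = master:pattern' line per slave section.
SNI_TABLE: List[Tuple[str, str, str]] = [
    ("mail", "https", "mail.example.com"),
    ("wiki", "https", "wiki.example.com"),
    ("catch-all", "https", "*.example.com"),
]


def matches_pattern(server_name: str, pattern: str) -> bool:
    """A pattern starting with '*' matches any name that ends with the rest
    of the pattern; otherwise the names must be equal. Assumption: the
    comparison is case-insensitive, as host names are."""
    name, pat = server_name.lower(), pattern.lower()
    if pat.startswith("*"):
        return name.endswith(pat[1:])
    return name == pat


def select_service(master: str, server_name: Optional[str],
                   table: List[Tuple[str, str, str]] = SNI_TABLE) -> str:
    """Return the service whose certificate and connect target apply to a
    handshake accepted by `master`. With no SNI name, or no matching slave,
    the master service handles the connection itself. Assumption: the first
    matching slave in configuration order wins."""
    if server_name:
        for slave, owner, pattern in table:
            if owner == master and matches_pattern(server_name, pattern):
                return slave
    return master


def sni_problems(services: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag slave/master combinations the man page rules out. `services`
    maps a service name to its options (one value per option)."""
    problems: List[str] = []
    for name, opts in services.items():
        if "sni" not in opts:
            continue
        master = opts["sni"].split(":", 1)[0]
        if opts.get("client", "no") == "yes":
            problems.append(f"{name}: slave service must not be in client mode")
        if master not in services:
            problems.append(f"{name}: master service '{master}' is not defined")
            continue
        if services[master].get("client", "no") == "yes":
            problems.append(f"{name}: master service '{master}' must not be in client mode")
        if "protocol" in services[master] and "connect" in opts:
            problems.append(f"{name}: connect is ignored because '{master}' sets protocol")
    return problems


if __name__ == "__main__":
    for host in ("mail.example.com", "WIKI.example.com", "x.y.example.com",
                 "example.com", None):
        print(host, "->", select_service("https", host))
```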

    sni = server_name (client mode)
        Use the parameter as the value of the TLS Server Name Indication
        (RFC 3546) extension.

        The sni option is only available when compiled with OpenSSL 1.0.0
        and later.

    OCSP = url
        select the OCSP server for certificate verification

    OCSPflag = flag
        specify an OCSP server flag

        Several OCSPflag options can be used to specify multiple flags.

        currently supported flags: NOCERTS, NOINTERN, NOSIGS, NOCHAIN,
        NOVERIFY, NOEXPLICIT, NOCASIGN, NODELEGATED, NOCHECKS, TRUSTOTHER,
        RESPID_KEY, NOTIME

    options = SSL_options
        OpenSSL library options

        The parameter is the OpenSSL option name as described in the
        SSL_CTX_set_options(3ssl) manual, but without the SSL_OP_ prefix.
        Several options lines can be used to specify multiple options.

        For example, for compatibility with the erroneous Eudora SSL
        implementation the following option can be used:

            options = DONT_INSERT_EMPTY_FRAGMENTS

    protocol = proto
        application protocol to negotiate SSL

        This option enables initial, protocol-specific negotiation of the
        SSL/TLS encryption. The protocol option should not be used with
        SSL encryption on a separate port.

        Currently supported protocols:

        cifs
            Proprietary (undocumented) extension of the CIFS protocol
            implemented in Samba. Support for this extension was dropped
            in Samba 3.0.0.

        connect
            Based on RFC 2817 - Upgrading to TLS Within HTTP/1.1, section
            5.2 - Requesting a Tunnel with CONNECT

            This protocol is only supported in client mode.

        imap
            Based on RFC 2595 - Using TLS with IMAP, POP3 and ACAP

        nntp
            Based on RFC 4642 - Using Transport Layer Security (TLS) with
            Network News Transfer Protocol (NNTP)

            This protocol is only supported in client mode.

        pgsql
            Based on
            http://www.postgresql.org/docs/8.3/static/protocol-flow.html#AEN73982

        pop3
            Based on RFC 2449 - POP3 Extension Mechanism

        proxy
            Haproxy client IP address
            http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt

        smtp
            Based on RFC 2487 - SMTP Service Extension for Secure SMTP over
            TLS

    protocolAuthentication = auth_type
        authentication type for protocol negotiations

        currently supported: basic, NTLM

        Currently the authentication type only applies to the 'connect'
        protocol.

        default: basic

    protocolHost = host:port
        destination address for protocol negotiations

        protocolHost specifies the final SSL server to be connected to by
        the proxy, and not the proxy server directly connected to by
        stunnel. The proxy server should be specified with the 'connect'
        option.

        Currently the protocol destination address only applies to the
        'connect' protocol.

    protocolPassword = password
        password for protocol negotiations

    protocolUsername = username
        username for protocol negotiations

    pty = yes | no (Unix only)
        allocate a pseudo terminal for the 'exec' option

    renegotiation = yes | no
        support SSL renegotiation

        Applications of SSL renegotiation include some authentication
        scenarios, or re-keying long lasting connections.

        On the other hand this feature can facilitate a trivial
        CPU-exhaustion DoS attack:

            http://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html

        Please note that disabling SSL renegotiation does not fully
        mitigate this issue.

        default: yes (if supported by OpenSSL)

    reset = yes | no
        attempt to use the TCP RST flag to indicate an error

        This option is not supported on some platforms.

        default: yes

    retry = yes | no
        reconnect a connect+exec section after it's disconnected

        default: no

    sessionCacheSize = size
        session cache size

        sessionCacheSize specifies the maximum number of internal session
        cache entries.

        The value of 0 can be used for unlimited size. It is not
        recommended for production use due to the risk of a memory
        exhaustion DoS attack.

    sessionCacheTimeout = timeout
        session cache timeout

        This is the number of seconds to keep cached SSL sessions.

    sessiond = host:port
        address of the sessiond SSL cache server

    sslVersion = version
        select the version of the SSL protocol

        Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

    stack = bytes (except for the FORK model)
        thread stack size

    TIMEOUTbusy = seconds
        time to wait for expected data

    TIMEOUTclose = seconds
        time to wait for close_notify (set to 0 for buggy MSIE)

    TIMEOUTconnect = seconds
        time to wait to connect to a remote host

    TIMEOUTidle = seconds
        time to keep an idle connection

    transparent = none | source | destination | both (Unix only)
        enable transparent proxy support on selected platforms

        Supported values:

        none
            Disable transparent proxy support. This is the default.

        source
            Rewrite the address to appear as if the wrapped daemon is
            connecting from the SSL client machine instead of the machine
            running stunnel.

            This option is currently available in:

            Remote mode (connect option) on Linux >=2.6.28
                This configuration requires stunnel to be executed as root
                and without the setuid option.

                This configuration requires the following setup for
                iptables and routing (possibly in /etc/rc.local or an
                equivalent file):

                    iptables -t mangle -N DIVERT
                    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
                    iptables -t mangle -A DIVERT -j MARK --set-mark 1
                    iptables -t mangle -A DIVERT -j ACCEPT
                    ip rule add fwmark 1 lookup 100
                    ip route add local 0.0.0.0/0 dev lo table 100
                    echo 0 >/proc/sys/net/ipv4/conf/lo/rp_filter

                stunnel must also be executed as root and without the
                setuid option.

            Remote mode (connect option) on Linux 2.2.x
                This configuration requires the kernel to be compiled with
                the transparent proxy option. The connected service must
                be installed on a separate host. Routing towards the
                clients has to go through the stunnel box.

                stunnel must also be executed as root and without the
                setuid option.

            Remote mode (connect option) on FreeBSD >=8.0
                This configuration requires additional firewall and
                routing setup. stunnel must also be executed as root and
                without the setuid option.

            Local mode (exec option)
                This configuration works by pre-loading the libstunnel.so
                shared library. The _RLD_LIST environment variable is used
                on Tru64, and the LD_PRELOAD variable on other platforms.

        destination
            The original destination is used instead of the connect
            option.

            A service section for transparent destination may look like
            this:

                [transparent]
                client=yes
                accept=<stunnel_port>
                transparent=destination

            This configuration requires the following setup for iptables
            (possibly in /etc/rc.local or an equivalent file):

                /sbin/iptables -I INPUT -i eth0 -p tcp --dport <stunnel_port> -j ACCEPT
                /sbin/iptables -t nat -I PREROUTING -i eth0 -p tcp --dport <redirected_port> -j DNAT --to-destination <local_ip>:<stunnel_port>

            The transparent destination option is currently only supported
            on Linux.

        both
            Use both source and destination transparent proxy.

        Two legacy options are also supported for backward compatibility:

        yes This option has been renamed to source.

        no  This option has been renamed to none.

    verify = level
        verify the peer certificate

        level 0
            Request and ignore the peer certificate.

        level 1
            Verify the peer certificate if present.

        level 2
            Verify the peer certificate.

        level 3
            Verify the peer with a locally installed certificate.

        level 4
            Ignore the CA chain and only verify the peer certificate.

        default
            No verify.

        It is important to understand that this option was solely designed
        for access control and not for authorization. Specifically, for
        level 2 every non-revoked certificate is accepted regardless of its
        Common Name. For this reason a dedicated CA should be used with
        level 2, and not a generic CA commonly used for webservers. Level
        3 is preferred for point-to-point connections.
RETURN VALUE
    stunnel returns zero on success, non-zero on error.

SIGNALS
    The following signals can be used to control stunnel in a Unix
    environment:

    SIGHUP
        Force a reload of the configuration file.

        Some global options will not be reloaded:

        ·   chroot

        ·   foreground

        ·   pid

        ·   setgid

        ·   setuid

        The use of the 'setuid' option will also prevent stunnel from
        binding privileged (<1024) ports during configuration reloading.

        When the 'chroot' option is used, stunnel will look for all its
        files (including the configuration file, certificates, log file
        and pid file) within the chroot jail.

    SIGUSR1
        Close and reopen the stunnel log file. This function can be used
        for log rotation.

    SIGTERM, SIGQUIT, SIGINT
        Shut stunnel down.

    The result of sending any other signals to the server is undefined.

EXAMPLES
    In order to provide SSL encapsulation to your local imapd service, use

        [imapd]
        accept = 993
        exec = /usr/sbin/imapd
        execargs = imapd

    If you want to provide tunneling to your pppd daemon on port 2020, use
    something like

        [vpn]
        accept = 2020
        exec = /usr/sbin/pppd
        execargs = pppd local
        pty = yes

    If you want to use stunnel in inetd mode to launch your imapd process,
    you'd use this stunnel.conf. Note there must be no [service_name]
    section.

        exec = /usr/sbin/imapd
        execargs = imapd

NOTES
    RESTRICTIONS
    stunnel cannot be used for the FTP daemon because of the nature of the
    FTP protocol, which utilizes multiple ports for data transfers. There
    are SSL-enabled versions of FTP and telnet daemons available, however.

    INETD MODE
    The most common use of stunnel is to listen on a network port and
    establish communication with either a new port via the connect option,
    or a new program via the exec option. However there is a special case
    when you wish to have some other program accept incoming connections
    and launch stunnel, for example with inetd, xinetd, or tcpserver.

    For example, if you have the following line in inetd.conf:

        imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf

    In these cases, the inetd-style program is responsible for binding a
    network socket (imaps above) and handing it to stunnel when a
    connection is received. Thus you do not want stunnel to have any
    accept option. All the Service Level Options should be placed in the
    global options section, and no [service_name] section will be present.
    See the EXAMPLES section for example configurations.

    CERTIFICATES
    Each SSL-enabled daemon needs to present a valid X.509 certificate to
    the peer. It also needs a private key to decrypt the incoming data. The
    easiest way to obtain a certificate and a key is to generate them with
    the free OpenSSL package. You can find more information on certificate
    generation on the pages listed below.

    The order of the contents of the .pem file is important. It should
    contain the unencrypted private key first, then a signed certificate
    (not a certificate request). There should also be empty lines after
    the certificate and the private key. Plaintext certificate information
    appended at the top of the generated certificate should be discarded.
    So the file should look like this:

        -----BEGIN RSA PRIVATE KEY-----
        [encoded key]
        -----END RSA PRIVATE KEY-----
        [empty line]
        -----BEGIN CERTIFICATE-----
        [encoded certificate]
        -----END CERTIFICATE-----
        [empty line]
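    The layout above, as an added example that is not part of the stunnel
    man page or source: a Python checker that reads a stunnel.pem-style file
    and reports deviations from the required order (unencrypted private key
    first, then the certificate chain, an empty line after each block, no
    plaintext dump at the top), and that also applies the chmod 600 rule
    given under the key option to the file's mode. The PEM bodies embedded
    in it are constructed placeholders, not real key material; the block
    labels it recognises are the standard PEM labels.

```python
"""Layout and permission checks for a stunnel.pem file (added example,
not stunnel's own code)."""
import os
import re
import stat
from typing import List

# Constructed files: the base64 bodies are placeholders, not real keys or certs.
GOOD_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAplaceholderkey
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIDplaceholderservercert
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIDplaceholderintermediateca
-----END CERTIFICATE-----

"""

BAD_PEM = """\
Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
MIIDplaceholderservercert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
MIIEpAIBAAKCAQEAplaceholderkey
-----END RSA PRIVATE KEY-----
"""

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n", re.S)
KEY_TYPES = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
             "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_layout_problems(text: str) -> List[str]:
    """Return every deviation from the layout the man page requires; an
    empty list means the file is laid out correctly."""
    problems: List[str] = []
    blocks = list(BLOCK_RE.finditer(text))
    if not blocks:
        return ["no PEM blocks found"]
    pos = 0
    for i, m in enumerate(blocks):
        kind, body = m.group(1), m.group(2)
        # Anything outside the blocks other than blank lines is the plaintext
        # dump (e.g. 'openssl x509 -text' output) that must be discarded.
        if text[pos:m.start()].strip():
            problems.append(f"plaintext before {kind} block (discard it)")
        if i == 0 and kind not in KEY_TYPES:
            problems.append(f"first block is {kind}, expected a private key")
        elif i > 0 and kind != "CERTIFICATE":
            problems.append(f"block {i + 1} is {kind}, expected CERTIFICATE")
        if "ENCRYPTED" in kind or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted; stunnel needs it unencrypted")
        if not text.startswith("\n", m.end()):
            problems.append(f"missing empty line after {kind} block")
        pos = m.end()
    if text[pos:].strip():
        problems.append("plaintext after the last block (discard it)")
    if len(blocks) < 2:
        problems.append("no certificate follows the private key")
    return problems


def key_mode_problems(mode: int) -> List[str]:
    """The file holding the private key must be readable only by its owner
    (chmod 600 on Unix); `mode` is an st_mode value."""
    if mode & 0o077:
        return [f"key file mode {stat.S_IMODE(mode):04o} grants group/other "
                "access; use chmod 600"]
    return []


def check_file(path: str) -> List[str]:
    """Combine both checks for a file on disk."""
    with open(path, "r", encoding="ascii", errors="replace") as f:
        text = f.read()
    return pem_layout_problems(text) + key_mode_problems(os.stat(path).st_mode)


if __name__ == "__main__":
    print("good:", pem_layout_problems(GOOD_PEM))
    print("bad:", *pem_layout_problems(BAD_PEM), sep="\n  ")
```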

    RANDOMNESS
    stunnel needs to seed the PRNG (pseudo random number generator) in
    order for SSL to use good randomness. The following sources are loaded
    in order until sufficient random data has been gathered:

    ·   The file specified with the RNDfile flag.

    ·   The file specified by the RANDFILE environment variable, if set.

    ·   The file .rnd in your home directory, if RANDFILE is not set.

    ·   The file specified with '--with-random' at compile time.

    ·   The contents of the screen if running on Windows.

    ·   The egd socket specified with the EGD flag.

    ·   The egd socket specified with '--with-egd-sock' at compile time.

    ·   The /dev/urandom device.

    With recent (OpenSSL 0.9.5a or later) versions of OpenSSL it will stop
    loading random data automatically when sufficient entropy has been
    gathered. With previous versions it will continue to gather from all
    the above sources since no SSL function exists to tell when enough data
    is available.

    Note that on Windows machines that do not have console user interaction
    (mouse movements, creating windows, etc.) the screen contents are not
    variable enough to be sufficient, and you should provide a random file
    for use with the RNDfile flag.

    Note that the file specified with the RNDfile flag should contain
    random data -- that means it should contain different information each
    time stunnel is run. This is handled automatically unless the
    RNDoverwrite flag is used. If you wish to update this file manually,
    the openssl rand command in recent versions of OpenSSL would be
    useful.

    Important note: If /dev/urandom is available, OpenSSL often seeds the
    PRNG with it while checking the random state. On systems with
    /dev/urandom OpenSSL is likely to use it even though it is listed at
    the very bottom of the list above. This is the behaviour of OpenSSL
    and not stunnel.

    DH PARAMETERS
    Stunnel 4.40 and later contains hardcoded 2048-bit DH parameters.

    It is also possible to specify DH parameters in the certificate file:

        openssl dhparam 2048 >> stunnel.pem

    DH parameter generation may take several minutes.

FILES
    stunnel.conf
        stunnel configuration file

BUGS
    The execargs option and the Win32 command line do not support quoting.

SEE ALSO
    tcpd(8)
        access control facility for internet services

    inetd(8)
        internet 'super-server'

    http://www.stunnel.org/
        stunnel homepage

    http://www.openssl.org/
        OpenSSL project website

AUTHOR
    Michał Trojnara
        <Michal.Trojnara@mirt.net>



4.56                               2013.03.20                          STUNNEL(8)