path: root/doc/stunnel.pod.in
author: Peter Pentchev <roam@debian.org> 2021-04-24 20:03:32 +0300
committer: Peter Pentchev <roam@debian.org> 2021-04-24 20:03:32 +0300
commit: 35b3a5bf9245db84f5b8bbffee27b12707928ae8 (patch)
tree: 4dd32f5453af0aab3dc27c013d54e260fb305689 /doc/stunnel.pod.in
parent: f1e7284866ae48e1c3acadea70fd9cb5b4161f28 (diff)
New upstream version 5.57+dfsg
Diffstat (limited to 'doc/stunnel.pod.in')
-rw-r--r-- doc/stunnel.pod.in 42
1 files changed, 41 insertions, 1 deletions
diff --git a/doc/stunnel.pod.in b/doc/stunnel.pod.in
index 5edb680..e9abd4f 100644
--- a/doc/stunnel.pod.in
+++ b/doc/stunnel.pod.in
@@ -461,6 +461,8 @@ I<SSL_CONF_cmd(3ssl)> manual page.
Several I<config> lines can be used to specify multiple configuration commands.
+Use I<curves> option instead of enabling I<config = Curves:list_curves> to support elliptic curves.
+
This option requires OpenSSL 1.0.2 or later.
=item B<connect> = [HOST:]PORT
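Review bot: the added sentence "Use I<curves> option instead of enabling I<config = Curves:list_curves> to support elliptic curves." is missing an article and leaves "support" ambiguous; suggest "Use the I<curves> option instead of I<config = Curves:list_curves> to select the elliptic curves to offer." A one-clause reason why the I<config> form is discouraged would also help, since a reader who has already found the I<config> syntax has no cue here for why I<curves> is preferred.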
@@ -499,7 +501,7 @@ I<verifyPeer> options.
ECDH curves separated with ':'
-Only a single curve name is allowed for OpenSSL older than 1.1.0.
+Only a single curve name is allowed for OpenSSL older than 1.1.1.
To get a list of supported curves use:
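Review bot: the threshold for accepting more than one curve name moves from OpenSSL 1.1.0 to 1.1.1, but neither the hunk nor the commit message ("New upstream version 5.57+dfsg") says which limitation motivates the change; a short note in the changelog, or a clause in this paragraph, would tell operators still on 1.1.0 that they must keep a single curve and why.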
@@ -892,6 +894,44 @@ reconnect a connect+exec section after it was disconnected
default: no
+=item B<securityLevel> = LEVEL
+
+set the security level
+
+The meaning of each level is described below:
+
+=over 4
+
+=item level 0
+
+Everything is permitted.
+
+=item level 1
+
+The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited.
+
+=item level 2
+
+Security level set to 112 bits of security. As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited. In addition to the level 1 exclusions any cipher suite using RC4 is also prohibited. SSL version 3 is also not allowed. Compression is disabled.
+
+=item level 3
+
+Security level set to 128 bits of security. As a result RSA, DSA and DH keys shorter than 3072 bits and ECC keys shorter than 256 bits are prohibited. In addition to the level 2 exclusions cipher suites not offering forward secrecy are prohibited. TLS versions below 1.1 are not permitted. Session tickets are disabled.
+
+=item level 4
+
+Security level set to 192 bits of security. As a result RSA, DSA and DH keys shorter than 7680 bits and ECC keys shorter than 384 bits are prohibited. Cipher suites using SHA1 for the MAC are prohibited. TLS versions below 1.2 are not permitted.
+
+=item level 5
+
+Security level set to 256 bits of security. As a result RSA, DSA and DH keys shorter than 15360 bits and ECC keys shorter than 512 bits are prohibited.
+
+=item default: 2
+
+=back
+
+The I<securityLevel> option is only available when compiled with B<OpenSSL 1.1.0> and later.
+
=item B<requireCert> = yes | no
require a client certificate for I<verifyChain> or I<verifyPeer>
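Review bot: "=item default: 2" sits inside the =over 4 / =back block that enumerates the levels, so it renders as a seventh list entry next to "level 0" through "level 5"; elsewhere in this file the default is a plain paragraph (see "default: no" in the context just above the hunk), so move "default: 2" after =back and before the OpenSSL 1.1.0 availability note. The level descriptions restate the OpenSSL security-level semantics; a reference to the I<SSL_CTX_set_security_level(3ssl)> manual page, in the same style as the I<SSL_CONF_cmd(3ssl)> reference earlier in the file, would let readers check the exact exclusions against the library version they run.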