; **************************************************************************
; * Global options                                                         *
; **************************************************************************

pid =
foreground = yes

; Only log messages at severity warning (4) and higher
debug = 4

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

client = yes

; Some performance tunings
socket = r:TCP_NODELAY=1

; Prevent MITM attacks
verifyPeer = yes

; Disable support for insecure protocols
sslVersionMin = TLSv1.2
options = NO_COMPRESSION

; Select permitted SSL ciphers
ciphers = EECDH+AESGCM:EECDH+CHACHA20!MEDIUM!LOW!EXP!aNULL!eNULL

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

[ldaps]
; dummy address (socket-activated)
accept  = 127.0.0.1:0
connect = {{ ipsec[ hostvars[groups.LDAP_provider[0]].inventory_hostname_short ] }}:636
checkHost = ldap.fripost.org
CAfile = /etc/stunnel/certs/ldap.pem

; vim:ft=dosini