HP-UX Trusted Computing Services A.02.00 Administrator's Guide

Stunnel Configuration on myClient for Mail Clients
On the mail client (myClient), the Stunnel configuration file is similar to the file listed in “Stunnel Configuration File on myClient for telnet” (page 46), with the following service option entries:
[smtp-client]
# Use in client mode
client = yes
accept = localhost:25
connect = myServer.hp.com:25
engineNum = 1
[pop3-client]
# Use in client mode
client = yes
accept = localhost:110
connect = myServer.hp.com:110
engineNum = 1
The complete Stunnel configuration file on myClient is as follows. Changes made for TPM and certificates are shown in bold.
# /opt/iexpress/stunnel/etc/stunnel.conf
# stunnel configuration for a TPM-protected client
# Need random data for session keys, etc
RNDfile = /dev/urandom
# Chroot if need to reduce stunnel's access into the local filesystems.
# chroot = /var/chroot/stunnel/
# PID is created inside the chroot location.
pid = /tmp/stunnel.pid
# Authentication - '3' means a signed certificate from the session peer must be
# presented and verified by the CA.
verify = 3
# Location where peer certificates and the CA certificate can be found.
CApath = /opt/openssl/certs
CAfile = /opt/openssl/certs/cacert.pem
# This client's certificate and private key.
cert = /opt/iexpress/stunnel/etc/myClient.cert
key = /opt/iexpress/stunnel/etc/myClientKeyblob
# Debug parameters
debug = 7
output = /opt/iexpress/stunnel/etc/stunnel.log
# Run in the foreground
foreground = no
# Load the built-in engine 'dynamic'
# and give it the path to the 0.9.7 TPM engine
engine=dynamic
engineCtrl=SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
# Identify the engine as 'tpm' and load and initialize it
engineCtrl=ID:tpm
engineCtrl=LOAD
engineCtrl=INIT
# Service-level configuration
[smtp-client]
# Use in client mode
client = yes
accept = localhost:25
connect = myServer.hp.com:25
engineNum = 1
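The following Python script is an added check and is not part of this guide or of the Stunnel product. It parses a stunnel.conf laid out as above and flags the settings that matter for a TPM-protected client: verify = 3 (peer certificate required and verified against the CA), the engine directives in the order SO_PATH, ID, LOAD, INIT, and each service in client mode, accepting only on localhost and selecting the loaded engine with engineNum = 1. The embedded sample is a constructed, shortened copy of the file above.

```python
# Constructed sample in the layout of the file above; comments and the
# certificate/key paths are omitted here to keep the sample short.
SAMPLE_CONF = """\
verify = 3
engine=dynamic
engineCtrl=SO_PATH:/opt/tcs/lib/hpux32/engines/libtpm.so.0
engineCtrl=ID:tpm
engineCtrl=LOAD
engineCtrl=INIT
[smtp-client]
client = yes
accept = localhost:25
connect = myServer.hp.com:25
engineNum = 1
[pop3-client]
client = yes
accept = localhost:110
connect = myServer.hp.com:110
engineNum = 1
"""

def parse_conf(text):
    """Return (section, key, value) tuples in file order; section is None for globals."""
    section, items = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line:
            key, _, value = line.partition("=")
            items.append((section, key.strip(), value.strip()))
    return items

def check_conf(text):
    """Return findings for the TPM-client settings; an empty list means they pass."""
    items = parse_conf(text)
    g = {k: v for s, k, v in items if s is None}
    findings = []
    if g.get("verify") != "3":
        findings.append("verify must be 3: require and verify the peer certificate")
    ops = [v.split(":", 1)[0] for s, k, v in items if s is None and k == "engineCtrl"]
    if g.get("engine") != "dynamic" or ops != ["SO_PATH", "ID", "LOAD", "INIT"]:
        findings.append("load the TPM engine as engine=dynamic with SO_PATH, ID, LOAD, INIT in that order")
    for name in sorted({s for s, _, _ in items if s}):
        svc = {k: v for s, k, v in items if s == name}
        if svc.get("client") != "yes":
            findings.append(f"[{name}] must set client = yes")
        if not svc.get("accept", "").startswith("localhost:"):
            findings.append(f"[{name}] should accept only on localhost")
        if svc.get("engineNum") != "1":
            findings.append(f"[{name}] must set engineNum = 1 to use the loaded TPM engine")
    return findings
```

Run it against the real /opt/iexpress/stunnel/etc/stunnel.conf by passing the file contents to check_conf; a non-empty result lists the settings to correct before starting Stunnel.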