>> MIB - Management Information Base

>> Table: sTunnelTable - (.1.3.6.1.4.1.272.4.38.12.1.2.1)

Description: A single Stunnel entry e.g. a Stunnel peer.

sTunnelTable

OID   Name                  Type            Access
.1    Index                 INTEGER         RW
.2    AdminStatus           ENUM            D
.3    Description           DisplayString   RW
.4    ExternalIp            IpAddress       RW
.5    ExternalPort          INTEGER         RW
.6    ExternalMode          ENUM            RW
.7    InternalIp            IpAddress       RW
.8    InternalPort          INTEGER         RW
.9    InternalMode          ENUM            RW
.10   PrivateToken          OCTET STRING    RW
.11   VerifyPeer            ENUM            RW
.12   CertificateIdx        INTEGER         RW
.13   CACertificateIdx      INTEGER         RW
.14   RemoteCertSubject     DisplayString   RW
.15   RemoteCertSerialNo    DisplayString   RW
.16   RemoteCertDns         DisplayString   RW
.17   CertificateStatus     ENUM            R
.18   Retries               INTEGER         R
.19   RetryTime             INTEGER         RW
.20   MaxRetries            INTEGER         RW
.21   ReopenDelay           INTEGER         RW
.22   ShortHold             INTEGER         RW
.23   Debug                 ENUM            RW
.24   LastStatusChange      TimeTicks       R
.25   RxBytes               Counter32       R
.26   TxBytes               Counter32       R
.27   TCPConnections        INTEGER         R
.28   Status                ENUM            R

Index
The Index gives (should give) a unique ID for the Stunnel entry.

Range: 0 to 65535

AdminStatus
The AdminStatus of one entry declares whether this peer should be established (up) or not (down). Setting the AdminStatus to 'delete' deletes the entry. A peer whose Status has reached 'failed' is not retried until its AdminStatus is set again (see Status below).

Enumerations:

  • up (1)
  • down (2)
  • delete (3)
Description
The description of the Stunnel. It only gives each tunnel a name and has no further meaning or function.

Length: 0 to 32

ExternalIp
This field holds the IP to which (ExternalMode 'client') or from which (ExternalMode 'server') the SSL connection is established. If it is set (not 0) in ExternalMode 'server', the remote IP of an incoming connection is checked against ExternalIp. The default value is 0.0.0.0, i.e. no source-address check in server mode.

ExternalPort
The port of the external connection. In ExternalMode 'client' it is the remote port that is connected to; in ExternalMode 'server' it is the local port that is listened on for incoming connections.

Range: 0 to 65535

ExternalMode
The ExternalMode declares whether the system acts as server or client on the outside (SSL) connection.

Enumerations:

  • client (1)
  • server (2)
InternalIp
The InternalIp default value is 127.0.0.1 (localhost). That means the internal stunnel endpoint is the system itself, which connects to one of its own services (telnet, snmp, syslog). In special cases it is possible to tunnel a service from a host on the local subnet; then the IP of that host must be configured here. If the InternalMode is 'server' and InternalIp is set (not 0), the remote IP of an incoming connection is checked against InternalIp. Note that the internal connection is the non-SSL leg of the tunnel, so with an InternalIp other than localhost the service traffic crosses the local subnet unencrypted.

InternalPort
The port that is connected to internally in InternalMode 'client', or that is listened on for an incoming internal connection in InternalMode 'server'.

Range: 0 to 65535

InternalMode
The InternalMode declares whether the system acts as server or client on the inside connection (the non-SSL leg).

Enumerations:

  • client (1)
  • server (2)
PrivateToken
The PrivateToken is sent in the first packet as soon as the connection is established. It is used when the remote side wants to receive several connections on the same port and therefore needs a token to associate each connection with its tunnel. Its documented purpose is this association, not authentication of the peer, which is the job of VerifyPeer and the certificate settings below.

Length: 0 to 16

VerifyPeer
If VerifyPeer is set to 'none' (1), no SSL verification is done and the remote peer is not authenticated at all. With 'normal' (2) a normal SSL verification is done (the certificate chain is checked). With 'high' (3) the subject name of the remote side's certificate is additionally compared with RemoteCertSubject, and the SSL connection is cancelled if it does not match. With 'very-high' (4), beside RemoteCertSubject, the serial number of the certificate is checked to be equal to or greater than RemoteCertSerialNo, and the DNS attribute (within the subject alternative names) is checked to be equal to RemoteCertDns; if RemoteCertDns is not configured, no check against this variable is done. Note that the serial number check is a lower bound (a renewed certificate with a higher serial passes), not an exact pin. If VerifyPeer is set to 'accept-self-signed' (5), a 'normal' verification is done but self-signed certificates are accepted, too, so any peer presenting a self-signed certificate passes this check.

Enumerations:

  • none (1)
  • normal (2)
  • high (3)
  • very-high (4)
  • accept-self-signed (5)
CertificateIdx
The (row) index of the CertTable holding the wanted peer certificate for the connection.

Range: 0 to 65535

CACertificateIdx
The (row) index of the CertTable holding the wanted/needed CA certificate for the connection.

Range: 0 to 65535

RemoteCertSubject
When VerifyPeer is set to 'high' (or 'very-high'), the string in this field is compared with the subject name of the remote peer certificate.

Length: 0 to 64

RemoteCertSerialNo
When VerifyPeer is set to 'very-high', the string in this field is compared with the serial number of the remote peer certificate; the certificate's serial number must be equal to or greater than this value.

Length: 0 to 32

RemoteCertDns
When VerifyPeer is set to 'very-high', the string in this field is compared with the DNS attribute within the subject alternative names of the remote peer certificate. If this variable is left blank, no comparison is done and the connection is accepted without it, so a blank RemoteCertDns silently disables this part of the 'very-high' check.

Length: 0 to 255
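As an added example (not part of this MIB reference or of the bintec elmeg software): a small Python audit that reads an `snmpwalk -On` dump of sTunnelTable and flags the rows whose VerifyPeer setting weakens peer authentication as described above, i.e. 'none', 'accept-self-signed', and 'very-high' with a blank RemoteCertDns, and reports a non-ok CertificateStatus on administratively-up peers. The column numbers and enumerations are taken from this table; the walk output below is constructed, and the line format `<numeric oid> = <TYPE>: <value>` is assumed to be net-snmp's.

```python
"""Audit an snmpwalk dump of sTunnelTable for weak peer-verification settings.
Added example; assumes net-snmp `snmpwalk -On` output "<oid> = <TYPE>: <value>"."""
import re
from collections import defaultdict

STUNNEL_TABLE = ".1.3.6.1.4.1.272.4.38.12.1.2.1"

# Column numbers and enumerations as listed in the sTunnelTable reference.
COLUMNS = {2: "AdminStatus", 3: "Description", 4: "ExternalIp", 11: "VerifyPeer",
           16: "RemoteCertDns", 17: "CertificateStatus"}
VERIFY_PEER = {1: "none", 2: "normal", 3: "high", 4: "very-high",
               5: "accept-self-signed"}
ADMIN_STATUS = {1: "up", 2: "down", 3: "delete"}
CERT_STATUS = {1: "initial", 2: "cert-ok", 3: "invalid-cert-untrusted",
               4: "invalid-cert-expired", 5: "invalid-cert-wrong-id-or-type",
               6: "invalid-cert-revoked", 7: "no-cert-available",
               8: "undefined-ssl-error"}

LINE_RE = re.compile(r"^(\S+)\s*=\s*([\w-]+):\s*(.*)$")


def parse_walk(text):
    """Return {row_instance: {column_name: value}} from snmpwalk -On output."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(1).startswith(STUNNEL_TABLE + "."):
            continue
        oid, typ, raw = m.groups()
        col, _, inst = oid[len(STUNNEL_TABLE) + 1:].partition(".")
        name = COLUMNS.get(int(col))
        if name is None:
            continue  # column not needed for this audit
        if typ == "INTEGER":
            # accept both the bare "4" and the MIB-resolved form "very-high(4)"
            value = int(re.search(r"-?\d+", raw.split("(")[-1]).group())
        else:
            value = raw.strip().strip('"')
        rows[inst][name] = value
    return dict(rows)


def audit(rows):
    """Return [(instance, severity, message)] for rows that weaken peer authentication."""
    findings = []
    by_instance = sorted(rows.items(), key=lambda kv: [int(x) for x in kv[0].split(".")])
    for inst, r in by_instance:
        admin = ADMIN_STATUS.get(r.get("AdminStatus"), "?")
        vp = r.get("VerifyPeer")
        label = f"{r.get('Description', '')!r} to {r.get('ExternalIp', '?')} (AdminStatus={admin})"
        if vp == 1:
            findings.append((inst, "HIGH", f"{label}: VerifyPeer=none, the remote peer is not authenticated"))
        elif vp == 5:
            findings.append((inst, "HIGH", f"{label}: VerifyPeer=accept-self-signed, any self-signed certificate passes"))
        elif vp == 4 and not r.get("RemoteCertDns"):
            findings.append((inst, "MEDIUM", f"{label}: VerifyPeer=very-high but RemoteCertDns is blank, SAN check skipped"))
        cs = r.get("CertificateStatus")
        if admin == "up" and cs not in (None, 2):
            findings.append((inst, "INFO", f"{label}: CertificateStatus={CERT_STATUS.get(cs, cs)}"))
    return findings


# Constructed sample of `snmpwalk -On <agent> .1.3.6.1.4.1.272.4.38.12.1.2.1` output
# (four tunnel rows; only the columns used above are shown).
SAMPLE_WALK = """
.1.3.6.1.4.1.272.4.38.12.1.2.1.2.1 = INTEGER: 1
.1.3.6.1.4.1.272.4.38.12.1.2.1.2.2 = INTEGER: 1
.1.3.6.1.4.1.272.4.38.12.1.2.1.2.3 = INTEGER: 1
.1.3.6.1.4.1.272.4.38.12.1.2.1.2.4 = INTEGER: 1
.1.3.6.1.4.1.272.4.38.12.1.2.1.3.1 = STRING: hq-syslog
.1.3.6.1.4.1.272.4.38.12.1.2.1.3.2 = STRING: legacy-telnet
.1.3.6.1.4.1.272.4.38.12.1.2.1.3.3 = STRING: lab-peer
.1.3.6.1.4.1.272.4.38.12.1.2.1.3.4 = STRING: branch-snmp
.1.3.6.1.4.1.272.4.38.12.1.2.1.4.1 = IpAddress: 192.0.2.10
.1.3.6.1.4.1.272.4.38.12.1.2.1.4.2 = IpAddress: 192.0.2.20
.1.3.6.1.4.1.272.4.38.12.1.2.1.4.3 = IpAddress: 192.0.2.30
.1.3.6.1.4.1.272.4.38.12.1.2.1.4.4 = IpAddress: 192.0.2.40
.1.3.6.1.4.1.272.4.38.12.1.2.1.11.1 = INTEGER: 4
.1.3.6.1.4.1.272.4.38.12.1.2.1.11.2 = INTEGER: 1
.1.3.6.1.4.1.272.4.38.12.1.2.1.11.3 = INTEGER: 5
.1.3.6.1.4.1.272.4.38.12.1.2.1.11.4 = INTEGER: 4
.1.3.6.1.4.1.272.4.38.12.1.2.1.16.1 = STRING: syslog.example.net
.1.3.6.1.4.1.272.4.38.12.1.2.1.16.2 = STRING:
.1.3.6.1.4.1.272.4.38.12.1.2.1.16.3 = STRING:
.1.3.6.1.4.1.272.4.38.12.1.2.1.16.4 = STRING:
.1.3.6.1.4.1.272.4.38.12.1.2.1.17.1 = INTEGER: 2
.1.3.6.1.4.1.272.4.38.12.1.2.1.17.2 = INTEGER: 2
.1.3.6.1.4.1.272.4.38.12.1.2.1.17.3 = INTEGER: 2
.1.3.6.1.4.1.272.4.38.12.1.2.1.17.4 = INTEGER: 3
"""

if __name__ == "__main__":
    for inst, sev, msg in audit(parse_walk(SAMPLE_WALK)):
        print(f"[{sev}] sTunnelTable row {inst}: {msg}")
```

Feed it real output with `snmpwalk -v2c -c <community> -On <agent> .1.3.6.1.4.1.272.4.38.12.1.2.1 > walk.txt` and call `audit(parse_walk(open("walk.txt").read()))`; the serial-number floor and RemoteCertSubject are deliberately not judged here, since the page gives no rule for what a "wrong" value of those looks like.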

CertificateStatus
The CertificateStatus displays whether, and which, error occurred during certificate validation. If no error occurred it is cert-ok (2). The four possible certificate errors are: the certificate is untrusted (3), the certificate has expired (4), the certificate has a wrong id or type (5), or the certificate has been revoked (6). If no certificate is available, the status is no-cert-available (7). In any other (certificate) error situation the status is set to undefined-ssl-error (8).

Enumerations:

  • initial (1)
  • cert-ok (2)
  • invalid-cert-untrusted (3)
  • invalid-cert-expired (4)
  • invalid-cert-wrong-id-or-type (5)
  • invalid-cert-revoked (6)
  • no-cert-available (7)
  • undefined-ssl-error (8)
Retries
The number of retries already done during the current (or the last) connection attempt.

Range: 0 to 50

RetryTime
The time in seconds the system waits before the next reconnection try after a failed try.

Range: 0 to 3600

MaxRetries
The maximum number of retries before the system declares the connection failed. With '-1', infinite retries take place.

Range: -1 to 50

ReopenDelay
The time until the connection is reopened (see Status 'wait-for-reopen').

Range: -1 to 31536000

ShortHold
The ShortHold is the number of seconds after which an inactive connection is closed. If ShortHold is set to -1, the connection is never closed for inactivity.

Range: -1 to 3600

Debug
Enables (2) or disables (1) debug messages for this peer.

Enumerations:

  • disabled (1)
  • enabled (2)
LastStatusChange
This value shows the time since the last change of the sTunnel Status.

RxBytes
The number of received (data) bytes from the external connection. Only the real data bytes are counted (without any header or encryption/hash overhead).

TxBytes
The number of transmitted bytes towards the external connection. Only the real data bytes are counted (without any header or encryption/hash overhead).

TCPConnections
Counts the SSL TCP connections of this tunnel.

Range: 0 to 65535

Status
The (operational) status of the connection. 'up' (1) means the connection is fully established; the status only changes to 'up' once both the internal and the external connection are established. 'down' (2) means the connection is (finally) down. 'wait-for-retry' (3) means the system waits RetryTime seconds before the next connection try is performed. 'wait-for-connection' (4) means that the peer waits for a connect (if it is in server mode) or for its own connection try to be accepted (if it is in client mode). 'failed' (5) means that the connection finally failed, so no more retries will take place; in this case the peer's AdminStatus has to be set again to retry establishing the connection. 'wait-for-reopen' (6) indicates that the reopen timer is running and a reopen is performed when it expires. 'external-up' (7) means the external connection is established but the internal one is not yet. 'finished' (8) means the last TCP connection was quit and the tunnel is temporarily down.

Enumerations:

  • up (1)
  • down (2)
  • wait-for-retry (3)
  • wait-for-connection (4)
  • failed (5)
  • wait-for-reopen (6)
  • external-up (7)
  • finished (8)


MIB Reference to Software Version 10.2.12 generated on 2023/08/29. Provided by webmaster@bintec-elmeg.com
Copyright ©2023 by bintec elmeg GmbH