sslVersion	=	TLSv1.2
	FIPS	=	no
;	options =	NO_SSLv2
;	options =	NO_SSLv3
	options	=	SINGLE_DH_USE
	options	=	SINGLE_ECDH_USE
	options =	CIPHER_SERVER_PREFERENCE
	syslog	=	yes
	debug	=	7
	chroot	=	/var/empty
	setuid	=	nobody
	setgid	=	nobody
	curve	=	secp521r1 # use secp384r1 for www services

; Under inetd mode, there are no accept rules or service definitions, just a connect.

; Server:
;	cert	=	/etc/pki/tls/certs/stunnel.pem
;	connect =	127.0.0.1:rsync
;	exec	=	/usr/bin/rsync ; this only works if you disable chroot/nobody/privsep
;execargs	=	/usr/bin/rsync --daemon --config=/etc/rsync.conf


; Client:
	client	=	yes
	connect =	your.server.com:rsync-ssl

; best-practice ciphers https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ciphers=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

;# grep ^rsync /etc/services
;rsync     873/tcp # rsync
;rsync     873/udp # rsync
;rsync-ssl 874/tcp # rsync over ssl (I made this one up)

;# cat /etc/xinetd.d/rsync-ssl 
;service rsync-ssl
;{
;	disable	= no
;	socket_type	= stream
;	wait		= no
;	user		= root
;	only_from	= 1.2.3.4 5.6.7.8
;	server		= /usr/sbin/stunnel
;	server_args	= /etc/stunnel/rsync-ssl.conf
;}

;# cat /etc/rsync.conf
;#motd = /etc/rsync.motd
;use chroot = yes
;uid = 0
;gid = 0
;
;[module-share]
; path = /your/module/path
; comment = foobar
; hosts allow = 127.0.0.1
; read only = true

;# cd /treetop; rsync -v --archive --perms --owner --group --numeric-ids --force --delete --recursive 127.0.0.1::module-share .
;receiving incremental file list
;foo/bar.log
;
;sent 257534 bytes  received 3012412 bytes  225513.52 bytes/sec
;total size is 3466069924  speedup is 1059.98