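; stunnel configuration: wraps tar in a mutually authenticated TLS channel.
; No [service] section or accept option appears in this file, so it reads as
; an inetd-style setup. NOTE(review): confirm how stunnel is launched.
; Comments are kept on their own lines, starting with ';'.

; --- Protocol -------------------------------------------------------------
; Only TLS 1.2 is negotiated. The NO_SSLv2 / NO_SSLv3 options below are then
; redundant but harmless.
sslVersion = TLSv1.2
; Idle timeout, in seconds.
TIMEOUTidle = 60
options = NO_SSLv2
options = NO_SSLv3
; Generate a fresh (EC)DH key for every handshake.
options = SINGLE_DH_USE
options = SINGLE_ECDH_USE
; The server's cipher order wins over the client's.
options = CIPHER_SERVER_PREFERENCE
curve = secp521r1
; --curve unsupported for www; use: secp384r1

; --- Server identity --------------------------------------------------------
; No separate key option is set, so this PEM file must hold both the
; certificate and its private key. Keep it readable by root only.
cert = /path/to/your/private_key.pem
FIPS = no

; --- Logging ----------------------------------------------------------------
; 7 is the most verbose syslog level (debug). stunnel's default is 5 (notice);
; consider lowering it once the tunnel works.
debug = 7
syslog = yes

; --- Privilege reduction ----------------------------------------------------
; stunnel's documentation lists exec (with CApath, CRLpath and pid) as being
; resolved inside the chroot jail, so /sbin/tar and /files below must exist
; under /home/tarjail. /files must be writable by nobody for the receiver.
chroot = /home/tarjail
setuid = nobody
setgid = nobody

; --- Client authentication --------------------------------------------------
; verify = 3 accepts only a peer whose certificate is installed locally in
; CAfile, i.e. the client certificate is pinned.
; NOTE(review): newer stunnel releases mark verify as obsolete in favour of
; verifyChain / verifyPeer; check the installed version's manual.
CAfile = /path/to/client/cert.pem
verify = 3

;best ciphers https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
; The 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) from the original list are
; dropped: 3DES is a 64-bit block cipher, a poor fit for bulk tar streams on a
; long-lived connection, and no TLS 1.2 client needs it.
; The RSA+ entries remain for compatibility but give no forward secrecy.
ciphers = ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

;*Server receiver:
; tar unpacks whatever the authenticated client sends, and -p keeps the
; permission bits stored in the archive. Containment relies on verify = 3,
; the chroot and running as nobody.
exec = /sbin/tar
execargs = /sbin/tar x -p -f - -C /files
; Client send:
; tar cf - files... | openssl s_client -connect host.com:5000 -quiet
; With verify = 3 the client must also present its certificate (s_client
; -cert / -key). It should check the server too (-CAfile plus
; -verify_return_error), because s_client otherwise continues after a
; failed verification.

;*Server sender:
; exec = /sbin/tar
;execargs = /sbin/tar c -f - -C /files .
; Client receive:
; openssl s_client -connect host.com:5001 -quiet | tar tvf -

;*SELINUX allow tar execution:
;chcon -v --type=inetd_child_exec_t tar

;*DO NOT USE tar COMPRESSION OPTIONS*
; NOTE(review): the author gives no reason; presumably the external
; compression helpers are not available inside the chroot. Confirm.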