;   This file contains an example stunnel TLS client configuration which
;   enables secure transport for Kea RESTful API. An access to
;   the service is protected by client's and server's certificate
;   verification mechanism (as known as mutual authentication).
;
;   Note that the setup below (and reused nginx or httpd2 setups)
;   are provided as an example for testing purposes only. Always
;   consider best known security measures to protect your production
;   environment.
;
;   Transport marked with ==> (vs -->) is secured against passive
;   (i.e. eavesdropping) and active (i.e. man-in-the-middle) attacks
;
;   kea-shell -- 127.0.0.1 port 8888 -->
;       stunnel == 127.0.0.1 port 443 ==>
;           nginx -- 127.0.0.1 port 8000 -->
;               kea-agent
;
;   stunnel configuration starts here.

; in the case you would like to follow what happens
;; foreground = yes
;; debug = 7

; kea service
[kea]
    ; client (vs server) mode
    client = yes

    ; accept requests from the kea-shell tool
    accept = 127.0.0.1:8888

    ; forward requests to the https peer
    connect = 127.0.0.1:443

    ; client certificate
    cert = kea-client.crt

    ; client private key
    key = kea-client.key

    ; check server certificate
    verifyPeer = yes

    ; server certificate
    CAfile = kea-proxy.crt