I am trying to configure stunnel to use static DH parameters. The man page says:

    Alternatively, it is possible to specify static DH parameters in the
    certificate file, which disables generating temporary DH parameters:

        openssl dhparam 2048 >> stunnel.pem

But, I'm not 100% clear on what certificate file it is talking about. My configuration looks like this.

    [switch2-frontend]
    accept = 0.0.0.0:8402
    CAfile = /etc/ipa/ca.crt
    cert = /etc/pki/tls/certs/stunnel/switch2.crt
    key = /tmp/keys/switch2.key
    connect = 127.255.255.254:8082

    [switch2-backend]
    client = yes
    accept = 127.255.255.254:8082
    connect = 172.31.4.2:443
    verifyChain = yes
    checkHost = switch2.penurio.us
    CAfile = /etc/pki/tls/certs/stunnel/switch-ca.crt
    sslVersion = TLSv1
    ciphers = DHE-RSA-AES256-SHA
    options = ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    securityLevel = 0
    OCSPrequire = no
    OCSPaia = no

Would I add the DH parameters to /etc/pki/tls/certs/stunnel/switch2.crt?

Thanks!

-- 
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================
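
An added example, not part of the original post and not stunnel's own code: a check of whether each server-mode service's certificate file already carries static DH parameters. It assumes the "certificate file" in the man page excerpt is the file named by the service's cert option; the function names and the placeholder file bodies are constructed for illustration.

```python
import re

# PEM armor written by `openssl dhparam` (X9.42 variant included).
DH_BLOCK = re.compile(
    r"-----BEGIN ((?:X9\.42 )?DH PARAMETERS)-----.+?-----END \1-----", re.S)

def parse_services(conf_text):
    """Return {service: {option: value}} from stunnel-style config text."""
    services, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:  # global options are skipped
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return services

def static_dh_report(conf_text, read_file):
    """Map each server-mode service that has a cert to True/False:
    does that cert file contain a DH PARAMETERS block?"""
    report = {}
    for name, opts in parse_services(conf_text).items():
        if opts.get("client", "no").lower() == "yes" or "cert" not in opts:
            continue  # a TLS client receives DH parameters from its peer
        report[name] = bool(DH_BLOCK.search(read_file(opts["cert"])))
    return report

# Constructed sample input: option values from the post, file bodies are placeholders.
SAMPLE_CONF = """
[switch2-frontend]
accept = 0.0.0.0:8402
cert = /etc/pki/tls/certs/stunnel/switch2.crt
key = /tmp/keys/switch2.key
connect = 127.255.255.254:8082
[switch2-backend]
client = yes
accept = 127.255.255.254:8082
connect = 172.31.4.2:443
"""
CERT_ONLY = "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n"
DH_PARAMS = "-----BEGIN DH PARAMETERS-----\n(placeholder)\n-----END DH PARAMETERS-----\n"
SAMPLE_FILES = {"/etc/pki/tls/certs/stunnel/switch2.crt": CERT_ONLY}

if __name__ == "__main__":
    print(static_dh_report(SAMPLE_CONF, SAMPLE_FILES.__getitem__))
```

To run it against real files, pass a reader such as `lambda p: open(p).read()` in place of the in-memory dictionary lookup.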