Hi Ian,

The man page refers to the file specified by the "cert" option, not "CAfile". In your case, that would be:

cert = /etc/pki/tls/certs/stunnel/switch2.crt

If that file is in PEM format, you can append the DH parameters to it, or create a new combined PEM file and point cert to that. The DH parameters are only used on the server side ([switch2-frontend] in your config), not in the "client = yes" section.

One additional note: using finite-field DHE in 2026 is generally considered legacy. ECDHE is way faster, better supported, and preferred in modern TLS deployments. If possible, switching to ECDHE-based ciphers would be a better long-term solution than tuning DH parameters.

Best regards,
Mike

On Sat, 2026-02-28 at 11:29 -0600, Ian Pilcher via stunnel-users wrote:
I am trying to configure stunnel to use static DH parameters. The man page says:
Alternatively, it is possible to specify static DH parameters in the certificate file, which disables generating temporary DH parameters:
openssl dhparam 2048 >> stunnel.pem
But, I'm not 100% clear on what certificate file it is talking about.
My configuration looks like this.
[switch2-frontend]
accept = 0.0.0.0:8402
CAfile = /etc/ipa/ca.crt
cert = /etc/pki/tls/certs/stunnel/switch2.crt
key = /tmp/keys/switch2.key
connect = 127.255.255.254:8082

[switch2-backend]
client = yes
accept = 127.255.255.254:8082
connect = 172.31.4.2:443
verifyChain = yes
checkHost = switch2.penurio.us
CAfile = /etc/pki/tls/certs/stunnel/switch-ca.crt
sslVersion = TLSv1
ciphers = DHE-RSA-AES256-SHA
options = ALLOW_UNSAFE_LEGACY_RENEGOTIATION
securityLevel = 0
OCSPrequire = no
OCSPaia = no
Would I add the DH parameters to /etc/pki/tls/certs/stunnel/switch2.crt?
Thanks!
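A small checker for the point Mike makes above (static DH parameters live in the "cert" PEM, and only matter for server sections): it parses an stunnel.conf, looks at each section's cert file for a DH PARAMETERS block, and reports which sections will actually use static DH. This is an added example, not code from the thread or from stunnel; the config and PEM contents are constructed stand-ins (real key material would be read from disk), and the parser is a minimal one written here, not stunnel's own.

```python
import re

# A PEM file is a sequence of labelled blocks; the label says what each block is.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def parse_stunnel_conf(text):
    """stunnel.conf is INI-like: '[section]' headers, 'key = value' lines, ';' comments.
    Returns {section: {option: value}}; options before any header go under 'global'."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def pem_labels(pem_text):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE', 'DH PARAMETERS']."""
    return [m.group(1) for m in PEM_BLOCK_RE.finditer(pem_text)]

def static_dh_report(conf_text, files):
    """files maps each 'cert' path to its text (read from disk in real use). A section uses
    static DH only if it is a server (no 'client = yes') and its cert file has a DH block."""
    report = {}
    for name, opts in parse_stunnel_conf(conf_text).items():
        if name == "global":
            continue
        is_client = opts.get("client", "no").lower() == "yes"
        labels = pem_labels(files.get(opts.get("cert"), ""))  # CAfile is irrelevant here
        report[name] = {
            "role": "client" if is_client else "server",
            "dh_blocks": labels.count("DH PARAMETERS"),
            "static_dh_used": not is_client and "DH PARAMETERS" in labels,
        }
    return report

# Constructed sample mirroring the thread's two sections (paths are Ian's).
SAMPLE_CONF = ("[switch2-frontend]\ncert = /etc/pki/tls/certs/stunnel/switch2.crt\n"
               "[switch2-backend]\nclient = yes\nciphers = DHE-RSA-AES256-SHA\n")
# Constructed stand-in for switch2.crt after `openssl dhparam 2048 >> switch2.crt`;
# the base64 bodies are placeholders, not real key material.
SAMPLE_FILES = {"/etc/pki/tls/certs/stunnel/switch2.crt":
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN DH PARAMETERS-----\nMIIBCAKCplaceholder\n-----END DH PARAMETERS-----\n"}
```

Running `static_dh_report(SAMPLE_CONF, SAMPLE_FILES)` flags [switch2-frontend] as a server with one DH block in its cert file, and [switch2-backend] as a client that ignores static DH parameters entirely.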