I had to fight a good bit with my stunnel configuration to use the letsencrypt certificate and get reasonable security. I’ll share here some of the things I did, but I’m also interested in any other suggestions. It would be great if the client would automatically do some or all of this automatically like it does for Apache.
/etc/stunnel.conf:
cert=/etc/letsencrypt/live/example.com/fullchain.pem
key=/etc/letsencrypt/live/example.com/privkey.pem
[my_service]
...
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA
options = CIPHER_SERVER_PREFERENCE
renegotiation=no
On startup, stunnel complains that the keys are globally readable, so I did a ‘chmod 600’ on them. I also added that to the startup script for stunnel to prevent issues in the future.
I hope that helps. This is for a home server, and I’m wrapping several services through port 443 using stunnel to and sslh to direct the connections to the appropriate server (this means the logs have to be reconstructed to identify the real source, but it works well for my needs).