$OpenBSD: patch-tools_stunnel_conf-sample_in,v 1.12 2014/10/27 13:16:48 gonzalo Exp $

--- tools/stunnel.conf-sample.in.orig	Wed Oct 15 09:04:20 2014
+++ tools/stunnel.conf-sample.in	Thu Oct 23 10:32:30 2014
@@ -9,13 +9,13 @@
 
 ; A copy of some devices and system files is needed within the chroot jail
 ; Chroot conflicts with configuration file reload and many other features
-;chroot = @prefix@/var/lib/stunnel/
+chroot = /var/stunnel/
 ; Chroot jail can be escaped if setuid option is not used
-setuid = nobody
-setgid = @DEFAULT_GROUP@
+setuid = _stunnel
+setgid = _stunnel
 
 ; PID file is created inside the chroot jail (if enabled)
-;pid = @prefix@/var/run/stunnel.pid
+pid = /stunnel.pid
 
 ; Debugging stuff (may be useful for troubleshooting)
 ;debug = 7
@@ -26,8 +26,8 @@ setgid = @DEFAULT_GROUP@
 ; **************************************************************************
 
 ; Certificate/key is needed in server mode and optional in client mode
-cert = @prefix@/etc/stunnel/mail.pem
-;key = @prefix@/etc/stunnel/mail.pem
+cert = @sysconfdir@/ssl/stunnel.pem
+;key = @sysconfdir@/ssl/private/stunnel.key
 
 ; Authentication stuff needs to be configured to prevent MITM attacks
 ; It is not enabled by default!
@@ -36,12 +36,12 @@ cert = @prefix@/etc/stunnel/mail.pem
 ; CApath is located inside chroot jail
 ;CApath = /certs
 ; It's often easier to use CAfile
-;CAfile = @prefix@/etc/stunnel/certs.pem
+;CAfile = @sysconfdir@/ssl/cert.pem
 ; Don't forget to c_rehash CRLpath
 ; CRLpath is located inside chroot jail
 ;CRLpath = /crls
 ; Alternatively CRLfile can be used
-;CRLfile = @prefix@/etc/stunnel/crls.pem
+;CRLfile = @sysconfdir@/ssl/crls.pem
 
 ; Enable support for the insecure SSLv2 protocol
 ;options = -NO_SSLv2
