diff --git a/ocaml/xapi/xapi.ml b/ocaml/xapi/xapi.ml
index 0c49848231b..475f1a56e1a 100644
--- a/ocaml/xapi/xapi.ml
+++ b/ocaml/xapi/xapi.ml
@@ -680,6 +680,14 @@ let listen_unix_socket () =
 	let domain_sock = Xapi_http.bind (Unix.ADDR_UNIX(Xapi_globs.unix_domain_socket)) in
 	ignore(Http_svr.start Xapi_http.server domain_sock)
 
+let set_stunnel_timeout () =
+  try
+    let timeout = int_of_string (Xapi_inventory.lookup Xapi_inventory._stunnel_idle_timeout) in
+    debug "Setting stunnel timeout to %d" timeout;
+    Stunnel.timeoutidle := Some timeout
+  with _ ->
+    debug "Using default stunnel timeout (usually 43200)"
+
 let server_init() =
   let print_server_starting_message() = debug "on_system_boot=%b pool_role=%s" !Xapi_globs.on_system_boot (Pool_role.string_of (Pool_role.get_role ())) in
 
@@ -783,6 +791,7 @@ let server_init() =
     Startup.run ~__context [
     "XAPI SERVER STARTING", [], print_server_starting_message;
     "Parsing inventory file", [], Xapi_inventory.read_inventory;
+    "Setting stunnel timeout", [], set_stunnel_timeout;
     "Initialising local database", [], init_local_database;
 	"Loading DHCP leases", [], Xapi_udhcpd.init;
     "Reading pool secret", [], Helpers.get_pool_secret;
diff --git a/scripts/init.d-xapissl b/scripts/init.d-xapissl
index 5921c33e5b4..c50c68c9b97 100755
--- a/scripts/init.d-xapissl
+++ b/scripts/init.d-xapissl
@@ -52,7 +52,12 @@ mgmt_ip() {
 writeconffile () {
     # Initial boilerplate which is valid whether the management
     # interface is enabled or disabled.
-    cat > $SSLCONFFILE <<EOF
+    . /etc/xensource-inventory
+
+    if [ -n "${STUNNEL_IDLE_TIMEOUT}" ]; then
+	TIMEOUTSTR="TIMEOUTidle = ${STUNNEL_IDLE_TIMEOUT}"
+    fi
+cat > $SSLCONFFILE <<EOF
 ; Autogenerated by init.d/xapissl
 pid = ${SSLPIDFILE}
 socket = r:TCP_NODELAY=1
@@ -61,6 +66,7 @@ socket = l:TCP_NODELAY=1
 socket = r:SO_KEEPALIVE=1
 socket = a:SO_KEEPALIVE=1
 compression = zlib
+${TIMEOUTSTR}
 
 [xapi]
 accept = ${ACCEPT}