Hi all:
Based on this link, https://www.stunnel.org/sdf_ChangeLog.html, to make TLS 1.2 work, I need to put stunnel in FIPS-enabled mode.
In the stunnel config file, I have the following to enable FIPS mode and select TLS 1.2:
sslVersion=TLSv1.2
FIPS = yes
But when my TLS 1.2 client sends “client hello” with version TLS 1.2 to stunnel, stunnel still sends “server hello” with TLS 1.0 back. Could somebody help with why stunnel does not support TLS 1.2?
My stunnel is version 5.02, compiled with the latest OpenSSL version 1.0.1h FIPS mode library.
The following is the log file:
###################
2014.06.19 11:09:13 LOG7[15491]: Clients allowed=500
2014.06.19 11:09:13 LOG5[15491]: stunnel 5.02 on i686-pc-linux-gnu platform
2014.06.19 11:09:13 LOG5[15491]: Compiled with OpenSSL 1.1.0-fips-dev xx XXX xxxx
2014.06.19 11:09:13 LOG5[15491]: Running with OpenSSL 1.0.1h-fips 5 Jun 2014
2014.06.19 11:09:13 LOG5[15491]: Update OpenSSL shared libraries or rebuild stunnel
2014.06.19 11:09:13 LOG5[15491]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
2014.06.19 11:09:13 LOG7[15491]: errno: (*__errno_location ())
2014.06.19 11:09:13 LOG5[15491]: Reading configuration from file stunnel.K.tacacs+.conf
2014.06.19 11:09:13 LOG5[15491]: FIPS mode enabled ##################FIPS mode enabled############
2014.06.19 11:09:13 LOG7[15491]: Compression disabled
2014.06.19 11:09:13 LOG7[15491]: Snagged 64 random bytes from /root/.rnd
2014.06.19 11:09:13 LOG7[15491]: Wrote 1024 new random bytes to /root/.rnd
2014.06.19 11:09:13 LOG7[15491]: PRNG seeded successfully
2014.06.19 11:09:13 LOG6[15491]: Initializing service [encrypted_tacplus]
2014.06.19 11:09:13 LOG6[15491]: Loading cert from file: /tftpboot/cacert-hyu.pem
2014.06.19 11:09:13 LOG6[15491]: Loading key from file: /tftpboot/privkey-hyu.pem
2014.06.19 11:09:13 LOG4[15491]: Insecure file permissions on /tftpboot/privkey-hyu.pem
2014.06.19 11:09:13 LOG7[15491]: Private key check succeeded
2014.06.19 11:09:13 LOG7[15491]: DH initialization
2014.06.19 11:09:13 LOG7[15491]: Could not load DH parameters from /tftpboot/cacert-hyu.pem
2014.06.19 11:09:13 LOG7[15491]: Using hardcoded DH parameters
2014.06.19 11:09:13 LOG7[15491]: DH initialized with 2048-bit key
2014.06.19 11:09:13 LOG7[15491]: ECDH initialization
2014.06.19 11:09:13 LOG7[15491]: ECDH initialized with curve prime256v1
2014.06.19 11:09:13 LOG7[15491]: SSL options set: 0x00000004
2014.06.19 11:09:13 LOG5[15491]: Configuration successful
2014.06.19 11:09:13 LOG7[15491]: Service [encrypted_tacplus] (FD=7) bound to 0.0.0.0:2249
2014.06.19 11:09:14 LOG7[15491]: No pid file being created
2014.06.19 11:17:52 LOG7[15506]: Service [encrypted_tacplus] accepted (FD=3) from 10.25.105.82:636
2014.06.19 11:17:52 LOG7[15509]: Service [encrypted_tacplus] started
2014.06.19 11:17:52 LOG5[15509]: Service [encrypted_tacplus] accepted connection from 10.25.105.82:636
2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): before/accept initialization
2014.06.19 11:17:52 LOG7[15509]: SNI: no virtual services defined
2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 read client hello B ##########wireshark shows “client hello” version is TLS1.2, stunnel log shows it is TLS1.0.
2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server hello A
2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write certificate A
2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write key exchange A
2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server done A
2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 flush data
2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read client key exchange A
2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read finished A
2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write change cipher spec A
2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write finished A
2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 flush data
2014.06.19 11:17:55 LOG7[15509]: 1 items in the session cache
2014.06.19 11:17:55 LOG7[15509]: 0 client connects (SSL_connect())
2014.06.19 11:17:55 LOG7[15509]: 0 client connects that finished
2014.06.19 11:17:55 LOG7[15509]: 0 client renegotiations requested
2014.06.19 11:17:55 LOG7[15509]: 1 server connects (SSL_accept())
2014.06.19 11:17:55 LOG7[15509]: 1 server connects that finished
2014.06.19 11:17:55 LOG7[15509]: 0 server renegotiations requested
2014.06.19 11:17:55 LOG7[15509]: 0 session cache hits
2014.06.19 11:17:55 LOG7[15509]: 0 external session cache hits
2014.06.19 11:17:55 LOG7[15509]: 1 session cache misses
2014.06.19 11:17:55 LOG7[15509]: 0 session cache timeouts
2014.06.19 11:17:55 LOG6[15509]: No peer certificate received
2014.06.19 11:17:55 LOG6[15509]: SSL accepted: new session negotiated
2014.06.19 11:17:55 LOG6[15509]: Negotiated TLSv1/SSLv3 ciphersuite: DHE-RSA-AES128-SHA (128-bit encryption) ##############negotiated as TLS1.0
2014.06.19 11:17:55 LOG6[15509]: Compression: null, expansion: null
2014.06.19 11:17:55 LOG6[15509]: s_connect: connecting 127.0.0.1:2250
2014.06.19 11:17:55 LOG7[15509]: s_connect: s_poll_wait 127.0.0.1:2250: waiting 10 seconds
2014.06.19 11:17:55 LOG5[15509]: s_connect: connected 127.0.0.1:2250
2014.06.19 11:17:55 LOG5[15509]: Service [encrypted_tacplus] connected remote server from 127.0.0.1:47369
2014.06.19 11:17:55 LOG7[15509]: Remote socket (FD=8) initialized
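Added example, not part of the original post: in a capture, the version a hello offers or selects is carried in the hello's own version field, which is separate from the record-layer version, so both can be read directly from the bytes. `parse_hello`, `build_hello` and the sample records are constructed for this illustration; 0x0033 is the wire value of DHE-RSA-AES128-SHA, the suite named in the log, and the parser assumes the hello is not fragmented across records.

```python
import struct

# Wire encodings of the protocol version field (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HELLO_TYPES = {1: "client_hello", 2: "server_hello"}


def parse_hello(record: bytes) -> dict:
    """Return both version fields of a hello; assumes it fits in one record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 22:  # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) != rlen or rlen < 4 + 2 + 32 + 1:
        raise ValueError("truncated handshake message")
    htype = body[0]
    if htype not in HELLO_TYPES:
        raise ValueError("handshake message is not a hello")
    out = {
        "type": HELLO_TYPES[htype],
        "record_version": VERSIONS.get((rmaj, rmin), "unknown"),
        "hello_version": VERSIONS.get((body[4], body[5]), "unknown"),
    }
    if htype == 2:
        # ServerHello layout: version, 32-byte random, session id, chosen suite.
        sid_len = body[38]
        suite = body[39 + sid_len:41 + sid_len]
        if len(suite) != 2:
            raise ValueError("truncated server hello")
        out["cipher_suite"] = "0x%04X" % int.from_bytes(suite, "big")
    return out


def build_hello(htype: int, record_ver: bytes, hello_ver: bytes, tail: bytes) -> bytes:
    """Construct a minimal hello record for the demo (constructed data)."""
    msg = hello_ver + bytes(32) + b"\x00" + tail  # zero random, empty session id
    hs = bytes([htype]) + len(msg).to_bytes(3, "big") + msg
    return b"\x16" + record_ver + struct.pack("!H", len(hs)) + hs


# Constructed samples: a TLS 1.2 ClientHello carried in a TLS 1.0 record, and a
# ServerHello that selects TLS 1.2 with suite 0x0033 (DHE-RSA-AES128-SHA).
CLIENT = build_hello(1, b"\x03\x01", b"\x03\x03", b"\x00\x02\x00\x33\x01\x00")
SERVER = build_hello(2, b"\x03\x03", b"\x03\x03", b"\x00\x33\x00")

if __name__ == "__main__":
    print(parse_hello(CLIENT), parse_hello(SERVER), sep="\n")
```

The `hello_version` of the ServerHello is the value to compare against `sslVersion`; the record-layer version alone does not say which protocol was selected.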