
So I've configured my stunnel to only use TLS1.2 and it usually works ok. However, when the client gets some bad L7 response it sends a TCP RST, after which all subsequent stunnel TLS Client Hellos are some hybrid of TLS1.0/TLS1.2, as can be seen in the tshark output below. Once I restart the whole stunnel process, subsequent TLS handshakes work fine using TLS1.2, until the next client RST is received.

$ stunnel -version
stunnel 4.56 on x86_64-redhat-linux-gnu platform

$ cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)

$ cat /etc/stunnel/dsr2rtcg-stunnel.conf
output = /var/log/stunnel
pid = /etc/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[poc]
cert = /etc/pki/tls/certs/stunnel/aaa.crt
key = /etc/pki/tls/private/stunnel/aaa.key
CAfile = /etc/pki/tls/certs/stunnel/bbb.crt
client = yes
sslVersion = TLSv1.2
options = NO_TLSv1
accept = 172.18.180.78:45154
connect = 10.74.0.196:45154
ciphers = TLSv1.2+HIGH:!aNULL

$ tshark -nn -V -d tcp.port==45154,ssl -r 20200729_09:42:44-port45154.pcap -2R "ssl.handshake" -c 1 | grep -i tls -B3
Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
--
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 1610
            Version: TLS 1.2 (0x0303)

Howdy,

I've been trying to configure stunnel to provide only TLS 1.2 and 1.3, but no success. I have the configuration below, what could I be doing wrong?

Thanks in advance,

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

Check out sslVersionMin = TLSv1.2 in the Stunnel manual.

On 7/29/2020 5:20 PM, Jorge Bastos wrote:
Howdy,
I've been trying to configure stunnel to provide only TLS 1.2 and 1.3, but no success. I have the configuration below, what could I be doing wrong?
Thanks in advance,
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-- Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.

P.S. There's also an sslVersionMax if you feel you need it.

On 7/29/2020 5:20 PM, Jorge Bastos wrote:
Howdy,
I've been trying to configure stunnel to provide only TLS 1.2 and 1.3, but no success. I have the configuration below, what could I be doing wrong?
Thanks in advance,
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

Howdy,

; Use sslVersionMax or sslVersionMin option instead of disabling specific TLS protocol versions when compiled
; with OpenSSL 1.1.0 or later.
sslVersionMin = TLSv1.2

Produced no effect, openssl is 1.1.1g. Any idea?

On 2020-07-30 0:54, Thomas Eifert wrote:
P.S.
There's also an sslVersionMax if you feel you need it.
On 7/29/2020 5:20 PM, Jorge Bastos wrote:
Howdy,
I've been trying to configure stunnel to provide only TLS 1.2 and 1.3, but no success. I have the configuration below, what could I be doing wrong?
Thanks in advance,
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

Hello all,

I currently use the following parameters to achieve exactly the same objective:

sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3

In fact, here is my full tls.conf file:

; TLS Configuration file
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3
ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
curves = X25519:P-256:X448:P-521:P-384
options = NO_COMPRESSION
options = NO_TICKET

Nothing fancy, and it works as expected. Maybe you are overriding your parameters somewhere else?

Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
Phone: +33 1 69 82 79 43 • Mobile : +33 6 48 11 16 12
Safran Data Systems
5, avenue des Andes - CS 90101
91978 Courtaboeuf Cedex, France
www.safran-electronics-defense.com

From: stunnel-users [mailto:[email protected]] On behalf of Jorge Bastos
Sent: Thursday 30 July 2020 10:17
To: Thomas Eifert
Cc: [email protected]
Subject: Re: [stunnel-users] Allowing only TLS 1.2 and 1.3

Howdy,
; Use sslVersionMax or sslVersionMin option instead of disabling specific TLS protocol versions when compiled
; with OpenSSL 1.1.0 or later.
sslVersionMin = TLSv1.2
Produced no effect, openssl is 1.1.1g. Any idea?
On 2020-07-30 0:54, Thomas Eifert wrote:
P.S.
There's also an sslVersionMax if you feel you need it.
On 7/29/2020 5:20 PM, Jorge Bastos wrote:
Howdy,
I've been trying to configure stunnel to provide only TLS 1.2 and 1.3, but no success. I have the configuration below, what could I be doing wrong?
Thanks in advance,
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."
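Florian's "maybe you are overriding your parameters somewhere else" is the usual culprit with stunnel: version directives can sit before the first [service] section (where they act as defaults), inside a [service] section, or both, and options = NO_* can be mixed with sslVersionMin/Max. This added checker (mine, not code from the thread or from stunnel) parses a config, merges the global defaults into each service and reports which versions each service leaves enabled under a deliberately simplified model of the directives; the precedence it assumes is spelled out in the docstring, and SAMPLE_CONF is a constructed example, not anyone's real config.

```python
import re

VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_stunnel_conf(text):
    """Split a stunnel.conf into {"": global section, name: [service] ...};
    ';' or '#' starts a comment line, repeatable options/socket become lists."""
    sections = {"": {}}
    cur = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = sections.setdefault(m.group(1), {})
            continue
        key, _, val = (s.strip() for s in line.partition("="))
        if key in ("options", "socket"):
            cur.setdefault(key, []).append(val)
        else:
            cur[key] = val
    return sections

def effective_versions(section, defaults):
    """Model which versions a service leaves enabled. Assumed, simplified
    semantics (not from the thread): service keys override global defaults;
    sslVersion = all or unset means every version, sslVersion = X only X;
    sslVersionMin/Max clip the range; options = NO_<version> drops one."""
    cfg = {**defaults, **section}
    ver = cfg.get("sslVersion", "all")
    lo = VERSIONS.index(cfg["sslVersionMin"]) if "sslVersionMin" in cfg else 0
    hi = VERSIONS.index(cfg["sslVersionMax"]) if "sslVersionMax" in cfg else 4
    disabled = {o[3:] for o in cfg.get("options", []) if o.startswith("NO_")}
    enabled = [v for i, v in enumerate(VERSIONS)
               if (ver == "all" or v == ver) and lo <= i <= hi and v not in disabled]
    mixed = ("sslVersionMin" in cfg or "sslVersionMax" in cfg) and disabled & set(VERSIONS)
    warnings = ["mixes sslVersionMin/Max with options = NO_<version>; "
                "the manual prefers Min/Max with OpenSSL 1.1.0 or later"] if mixed else []
    return enabled, warnings

def report(text):
    """Effective version set and warnings for each [service] section."""
    sections = parse_stunnel_conf(text)
    return {name: effective_versions(sec, sections[""])
            for name, sec in sections.items() if name}

# Constructed sample in the style of the thread, not anyone's real config.
SAMPLE_CONF = """\
sslVersion = all
options = NO_TLSv1
[modern]
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3
[legacy]
sslVersion = TLSv1.2
"""
```

Running report(SAMPLE_CONF) shows [modern] ending up with TLSv1.2 and TLSv1.3 but flagged for mixing mechanisms, and [legacy] pinned to TLSv1.2 by the service-level sslVersion that overrides the global "all".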

Hi,

Thank you. In fact it works: the diagnostic tool I was using has an error; confirmed instead with nmap. Thanks!

On 2020-07-30 10:32, STOSSE Florian (SAFRAN AEROSYSTEMS) wrote:
Hello all,
I currently use the following parameters to achieve exactly the same objective:
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3
In fact, here is my full tls.conf file:
; TLS Configuration file
sslVersionMin = TLSv1.2
sslVersionMax = TLSv1.3
ciphersuites = TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
ciphers = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
curves = X25519:P-256:X448:P-521:P-384
options = NO_COMPRESSION
options = NO_TICKET
Nothing fancy, and it works as expected. Maybe you are overriding your parameters somewhere else ?
Best regards,
Florian Stosse
Information security engineer
Safran Electronics & Defense | Safran Data Systems | Space & Communication
Phone: +33 1 69 82 79 43 * Mobile : +33 6 48 11 16 12
Safran Data Systems
5, avenue des Andes - CS 90101
91978 Courtaboeuf Cedex, France
www.safran-electronics-defense.com
From: stunnel-users [mailto:[email protected]] On behalf of Jorge Bastos
Sent: Thursday 30 July 2020 10:17
To: Thomas Eifert
Cc: [email protected]
Subject: Re: [stunnel-users] Allowing only TLS 1.2 and 1.3
Howdy,
; Use sslVersionMax or sslVersionMin option instead of disabling specific TLS protocol versions when compiled ; with OpenSSL 1.1.0 or later.
sslVersionMin = TLSv1.2
Produced no effect, openssl is 1.1.1g.
any idea?
On 2020-07-30 0:54, Thomas Eifert wrote:
P.S.
There's also an sslVersionMax if you feel you need it.
On 7/29/2020 5:20 PM, Jorge Bastos wrote:
Howdy,
I've been trying to configure stunnel to provide only TLS 1.2 and 1.3, but no success. I have the configuration below, what could I be doing wrong?
Thanks in advance,
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

Howdy,

I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?

Thanks in advance,

Hi,

Use

sslVersion = TLSv1.3

in config file.

On 02.08.20 at 12:38, Jorge Bastos wrote:
Howdy,
I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?
Thanks in advance,

Hi,

Thanks, but won't that make it only 1.3? I'd like to have from 1.1 to 1.3.

On 2020-08-02 13:18, Olaf Brandt wrote:
Hi,
Use
sslVersion = TLSv1.3
in config file.
On 02.08.20 at 12:38, Jorge Bastos wrote:
Howdy,
I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?
Thanks in advance,

Hi,

Then you could use

sslVersionMin = TLSv1.1
sslVersionMax = TLSv1.3

On 02.08.20 at 14:43, Jorge Bastos wrote:
Hi,
Thanks, but won't that make it only 1.3? I'd like to have from 1.1 to 1.3.
On 2020-08-02 13:18, Olaf Brandt wrote:
Hi,
Use
sslVersion = TLSv1.3
in config file.
On 02.08.20 at 12:38, Jorge Bastos wrote:
Howdy,
I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?
Thanks in advance,

Tried that, but it's not present.

On 2020-08-02 16:45, Olaf Brandt wrote:
Hi,
Then you could use
sslVersionMin = TLSv1.1
sslVersionMax = TLSv1.3
On 02.08.20 at 14:43, Jorge Bastos wrote:
Hi,
Thanks, but won't that make it only 1.3? I'd like to have from 1.1 to 1.3.
On 2020-08-02 13:18, Olaf Brandt wrote:
Hi,
Use
sslVersion = TLSv1.3
in config file.
On 02.08.20 at 12:38, Jorge Bastos wrote:
Howdy,
I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?
Thanks in advance,

Can you explain your use case? What is in the logs?

On 02.08.20 at 18:03, Jorge Bastos wrote:
Tried that, but it's not present.
On 2020-08-02 16:45, Olaf Brandt wrote:
Hi,
Then you could use
sslVersionMin = TLSv1.1
sslVersionMax = TLSv1.3
On 02.08.20 at 14:43, Jorge Bastos wrote:
Hi,
Thanks, but won't that make it only 1.3? I'd like to have from 1.1 to 1.3.
On 2020-08-02 13:18, Olaf Brandt wrote:
Hi,
Use
sslVersion = TLSv1.3
in config file.
On 02.08.20 at 12:38, Jorge Bastos wrote:
Howdy,
I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?
Thanks in advance,

Jorge,

Perhaps you are trying to connect to a server that does not support TLS v1.3... You need to provide more context information for us to help.

Regards,
Jose

On Aug 2, 2020, at 11:03 AM, Jorge Bastos <[email protected]> wrote:
Tried that, but it's not present.
On 2020-08-02 16:45, Olaf Brandt wrote:
Hi,
Then you could use
sslVersionMin = TLSv1.1
sslVersionMax = TLSv1.3
On 02.08.20 at 14:43, Jorge Bastos wrote:
Hi,
Thanks, but won't that make it only 1.3? I'd like to have from 1.1 to 1.3.
On 2020-08-02 13:18, Olaf Brandt wrote:
Hi,
Use
sslVersion = TLSv1.3
in config file.
On 02.08.20 at 12:38, Jorge Bastos wrote:
Howdy,
I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?
Thanks in advance,

Jose,

I have the latest libssl/openssl installed, as well as the latest stunnel version. Any idea?

On 2020-08-02 19:49, Josealf.rm wrote:
Jorge,
Perhaps you are trying to connect to a server that does not support TLS v1.3... You need to provide more context information for us to help.
Regards,
Jose
On Aug 2, 2020, at 11:03 AM, Jorge Bastos <[email protected]> wrote:
Tried that, but it's not present.
On 2020-08-02 16:45, Olaf Brandt wrote:
Hi,
Then you could use
sslVersionMin = TLSv1.1
sslVersionMax = TLSv1.3
On 02.08.20 at 14:43, Jorge Bastos wrote:
Hi,
Thanks, but won't that make it only 1.3? I'd like to have from 1.1 to 1.3.
On 2020-08-02 13:18, Olaf Brandt wrote:
Hi,
Use
sslVersion = TLSv1.3
in config file.
On 02.08.20 at 12:38, Jorge Bastos wrote:
Howdy,
I have Stunnel 5.6, and openssl 1.1.1g, and it's not providing TLS 1.3. Is there any parameter that is needed for stunnel to activate it, or am I missing something?
Thanks in advance,
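Two threads on this page come down to reading version fields correctly: the first message's tshark output shows a ClientHello whose record layer says TLS 1.0 (0x0301) while the handshake header says TLS 1.2 (0x0303), and the TLS 1.3 thread turns on whether a client is offering 1.3 at all. Those are separate fields by design (the record-layer version of a ClientHello is allowed to stay at 0x0301 for compatibility, and a TLS 1.3 client keeps both legacy fields and lists its real versions only in the supported_versions extension, type 43), so a checker that looks at just one of them misreports. The parser below is an added example of mine, not code from the thread or from stunnel; build_client_hello constructs the sample ClientHello bytes it runs on, they are not a capture from the list.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43   # RFC 8446 extension type
NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(rec: bytes) -> dict:
    """Read one TLS record carrying a ClientHello and return every place a
    version appears: record layer, handshake header, supported_versions."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(body[1:4], "big")
    p = 4
    hs_ver = struct.unpack("!H", body[p:p + 2])[0]
    p += 2 + 32                                      # legacy_version, random
    p += 1 + body[p]                                 # legacy_session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
    p += 1 + body[p]                                 # compression_methods
    offered = [hs_ver]                # no extension: the header is the offer
    if p < 4 + hs_len:                # extensions block present
        ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p < ext_end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if etype == SUPPORTED_VERSIONS_EXT:     # TLS 1.3 is advertised here
                n = body[p]                          # list length in bytes
                offered = [struct.unpack("!H", body[p + 1 + i:p + 3 + i])[0]
                           for i in range(0, n, 2)]
            p += elen
    top = max(offered)
    return {"record_version": rec_ver, "handshake_version": hs_ver,
            "offered": offered, "highest": NAMES.get(top, hex(top))}

def build_client_hello(supported_versions=None) -> bytes:
    """Constructed minimal ClientHello used as sample input (not a capture):
    record version 0x0301, handshake version 0x0303, one cipher suite."""
    exts = b""
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(lst) + 1, len(lst)) + lst
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, no sid
             + struct.pack("!H", 2) + b"\x13\x01"               # TLS_AES_128_GCM_SHA256
             + b"\x01\x00")                                      # null compression only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello        # handshake header
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs        # record header

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello()))                  # 1.2-only client
    print(parse_client_hello(build_client_hello([0x0304, 0x0303])))  # 1.3-capable client
```

Both sample hellos carry the same 0x0301/0x0303 pair in the legacy fields; only the supported_versions list distinguishes the 1.3-capable client, which is what a version check has to read.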
Participants (6):
- Jorge Bastos
- Josealf.rm
- Olaf Brandt
- STOSSE Florian (SAFRAN AEROSYSTEMS)
- Thomas Eifert
- Wojciech Machula