I have searched online, but was unable to find any definitive answer on the minimum version of stunnel required for TLS 1.2.
I have a client using stunnel 5.01 with our solution and they want to activate TLS 1.2. Their setup looks like this:
2014.05.15 13:38:22 LOG5[10132]: stunnel 5.01 on x86-pc-msvc-1500 platform
2014.05.15 13:38:22 LOG5[10132]: Compiled/running with OpenSSL 1.0.1g-fips 7 Apr 2014
2014.05.15 13:38:22 LOG5[10132]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2014.05.15 13:38:22 LOG5[10132]: Reading configuration from file stunnel.conf
2014.05.15 13:38:22 LOG5[10132]: FIPS mode disabled
2014.05.15 13:38:22 LOG5[10132]: Configuration successful
Everything works fine without requiring TLS 1.2, but when that is required, we get the following error:
2025.05.14 07:04:45 LOG7[3796]: SSL state (connect): before/connect initialization
2025.05.14 07:04:45 LOG7[3796]: SSL state (connect): SSLv3 write client hello A
2025.05.14 07:04:45 LOG7[3796]: SSL alert (read): fatal: protocol version
2025.05.14 07:04:45 LOG3[3796]: SSL_connect: 1409442E: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2025.05.14 07:04:45 LOG5[3796]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2025.05.14 07:04:45 LOG7[3796]: Remote socket (FD=840) closed
2025.05.14 07:04:45 LOG7[3796]: Local socket (FD=832) closed
- Do we need to change anything in stunnel.conf?
- Do we need to upgrade stunnel?
Many Thanks, John
Of course, you need to upgrade. You're trying to use a 10 year old version of stunnel. You're putting yourself at risk by using such an old piece of software.
Regards, Jose
On 28/05/2025, at 1:57 PM, joverton--- via stunnel-users [email protected] wrote:
_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Hi,
Sorry for my English.
I have a stunnel 5.00 with TLSv1.2
+-+-+-+
stunnel 5.00 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
Threading:PTHREAD Sockets:POLL,IPv4 SSL:ENGINE,OCSP
errno: (*__errno_location ())
+-+-+-+
nmap --script +ssl-enum-ciphers -Pn -p PORT IP_HOST
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|_  least strength: A
Can you post the server's .conf file?
Does the client-side app support TLSv1.2?
Regards.
On 28/5/25 at 20:14, joverton--- via stunnel-users wrote:
On Thu, May 29, 2025 at 05:55:43PM +0200, Lista_-_Stunnel via stunnel-users wrote:
Hi,
Sorry for my English.
I have a stunnel 5.00 with TLSv1.2
+-+-+-+
stunnel 5.00 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
Threading:PTHREAD Sockets:POLL,IPv4 SSL:ENGINE,OCSP
errno: (*__errno_location ())
+-+-+-+
This is a Linux installation; it is entirely possible that it uses the system's OpenSSL library, which may have been updated sometime in the last ten years. The original poster uses a Windows one:
2014.05.15 13:38:22 LOG5[10132]: stunnel 5.01 on x86-pc-msvc-1500 platform
AFAIK (and many apologies to the stunnel authors if this is wrong!), the Windows installer of stunnel brings its own copy of OpenSSL and some related libraries, so if the ones distributed with it at the time it was installed do not support TLS 1.2, that's it.
To the original poster: the bundled OpenSSL libraries are only one of the reasons stunnel installations, just like any other software, MUST be updated periodically. stunnel 5.01 is much too old, and I can think of many bugfixes and several security vulnerabilities that have been fixed in both stunnel and OpenSSL in that time. You MUST upgrade. I know it can be difficult to arrange in some production scenarios, but security-sensitive software must be kept up to date.
G'luck, Peter
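To make the diagnosis in John's logs and Peter's explanation concrete, here is an added example in Python. It is my own code, not something posted in this thread or shipped by the stunnel project. It reads an stunnel 5.x startup banner to extract the stunnel and OpenSSL versions, applies the one version fact it encodes (OpenSSL 1.0.1 was the first release to implement TLS 1.2), and scans the handshake log for a fatal protocol_version alert, distinguishing an alert the peer sent ("read") from one this side sent ("write"). The sample log lines are the ones quoted in the thread, re-wrapped one entry per line; the function and field names are my own. Which TLS versions a build actually enables also depends on how the library was compiled and on the sslVersion setting in stunnel.conf on each end, so the script's verdict is a triage starting point, not proof of the cause.

```python
"""Added example: triage an stunnel startup banner and a failed handshake log
for TLS 1.2 readiness. Not code from the stunnel project or the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the lines quoted in the thread, one entry per line.
STARTUP_LOG = """\
2014.05.15 13:38:22 LOG5[10132]: stunnel 5.01 on x86-pc-msvc-1500 platform
2014.05.15 13:38:22 LOG5[10132]: Compiled/running with OpenSSL 1.0.1g-fips 7 Apr 2014
2014.05.15 13:38:22 LOG5[10132]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
"""
HANDSHAKE_LOG = """\
2025.05.14 07:04:45 LOG7[3796]: SSL state (connect): before/connect initialization
2025.05.14 07:04:45 LOG7[3796]: SSL state (connect): SSLv3 write client hello A
2025.05.14 07:04:45 LOG7[3796]: SSL alert (read): fatal: protocol version
2025.05.14 07:04:45 LOG3[3796]: SSL_connect: 1409442E: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
"""

BANNER_RE = re.compile(r"stunnel (\S+) on (\S+) platform")
OPENSSL_RE = re.compile(r"Compiled/running with OpenSSL (\S+)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")
# "SSL alert (read)" is an alert received from the peer, "(write)" one sent by us.
ALERT_RE = re.compile(r"SSL alert \((read|write)\): fatal: protocol version")
# OpenSSL 1.0.1 was the first release that implemented TLS 1.1 and TLS 1.2.
TLS12_MIN_OPENSSL = (1, 0, 1)


@dataclass
class BuildInfo:
    stunnel_version: Optional[str]
    platform: Optional[str]
    openssl_version: Optional[str]


@dataclass
class ProtocolAlert:
    direction: str  # "read": sent by the peer; "write": sent by this side
    line: str


def parse_banner(log: str) -> BuildInfo:
    """Pull stunnel version, platform and OpenSSL version out of the startup banner."""
    info = BuildInfo(None, None, None)
    for line in log.splitlines():
        m = BANNER_RE.search(line)
        if m:
            info.stunnel_version, info.platform = m.group(1), m.group(2)
        m = OPENSSL_RE.search(line)
        if m:
            info.openssl_version = m.group(1)
    return info


def openssl_version_tuple(version: str):
    """'1.0.1g-fips' -> (1, 0, 1, 'g'); '3.0.13' -> (3, 0, 13, '')."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), patch)


def supports_tls12(version: str) -> bool:
    """True if the library is at least 1.0.1, i.e. can speak TLS 1.2 at all."""
    return openssl_version_tuple(version)[:3] >= TLS12_MIN_OPENSSL


def find_protocol_version_alerts(log: str) -> List[ProtocolAlert]:
    """Collect fatal protocol_version alerts with the direction they travelled."""
    found = []
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            found.append(ProtocolAlert(m.group(1), line))
    return found


def assess(startup_log: str, handshake_log: str) -> dict:
    """Combine banner and handshake evidence into a short triage report."""
    info = parse_banner(startup_log)
    alerts = find_protocol_version_alerts(handshake_log)
    library_ok = supports_tls12(info.openssl_version) if info.openssl_version else None
    peer_rejected = any(a.direction == "read" for a in alerts)
    local_rejected = any(a.direction == "write" for a in alerts)
    notes = []
    if library_ok is False:
        notes.append("OpenSSL predates 1.0.1 and cannot speak TLS 1.2 at all: upgrade stunnel")
    if peer_rejected:
        # Note: OpenSSL 1.0.x labels every TLS handshake state "SSLv3 ...", so the
        # "SSLv3 write client hello A" line does not reveal which version was offered.
        notes.append("peer sent a fatal protocol_version alert: it refused the version "
                     "offered; compare sslVersion in stunnel.conf on both ends")
    if local_rejected:
        notes.append("this side sent a fatal protocol_version alert: the peer offered a "
                     "version this side does not accept")
    return {
        "stunnel_version": info.stunnel_version,
        "platform": info.platform,
        "openssl_version": info.openssl_version,
        "library_supports_tls12": library_ok,
        "peer_rejected_protocol_version": peer_rejected,
        "local_rejected_protocol_version": local_rejected,
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in assess(STARTUP_LOG, HANDSHAKE_LOG).items():
        print(f"{key}: {value}")
```

Run on the thread's lines, the report says the bundled OpenSSL 1.0.1g clears the TLS 1.2 threshold and that the remote end, not the local stunnel, sent the fatal alert, which points the investigation at the version settings on both sides rather than at the library's bare capability. Feeding it the Linux banner from the other post gives the same library verdict for 1.0.1f.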
Thank you to everyone who has posted and given me information. I am working with the client to upgrade stunnel but as Peter noted, it can be challenging in a production environment. Will hopefully be able to upgrade next week.
Thanks again, John
Hi,
Without wishing to polemicize, since obviously it is always necessary to have the software as up to date as possible, my answer was more aimed at confirming that with stunnel version 5.01 you could have TLSv1.2 working.
Moreover, as Peter rightly comments, my trace clearly shows that my stunnel 5.00 is running on Linux, with a binary compiled against OpenSSL 1.0.1f from January 6, 2014, while the traces uploaded by the thread opener show that his stunnel 5.01 binary is compiled with OpenSSL 1.0.1g of April 7, 2014.
My understanding is that if OpenSSL version 1.0.1f already supported TLSv1.2, version 1.0.1g would as well.
Thank you all for the information shared in the thread.
Regards.
On 30/5/25 at 11:47, Peter Pentchev via stunnel-users wrote: