[stunnel-users] How to disable SSLv2

Tommi Nieminen ttn at mbnet.fi
Fri Oct 27 17:48:51 CEST 2006

I'm using Stunnel 4.18. I would like to disable SSLv2, but
allow SSLv3 and TLSv1. Is this currently possible in Stunnel?

I've tried two things so far: first I tried to use the option

  options = SSL_OP_NO_SSLv2  (from "man SSL_CTX_set_options")

It didn't work. This is what I got:

2006.10.27 18:32:48 LOG7[6358:3082897088]: Snagged 64 random bytes
from /root/.rnd
2006.10.27 18:32:48 LOG7[6358:3082897088]: Wrote 1024 new random bytes
to /root/.rnd
2006.10.27 18:32:48 LOG7[6358:3082897088]: RAND_status claims sufficient
entropy for the PRNG
2006.10.27 18:32:48 LOG7[6358:3082897088]: PRNG seeded successfully
file /etc/stunnel/stunnel.conf line 18: Illegal SSL option

Nothing gets logged, the above is the response to the startup command.

The other thing I tried, though I really didn't expect it to work,
was replacing the "options" option with

  sslVersion = SSLv3 TLSv1

This option seems to accept only one version at a time, or
alternatively all of them with "all" on the right hand side,
so this failed, stunnel didn't start.

Any suggestions? The only thing I can think of is that the
SSL option SSL_OP_NO_SSLv2 is something that should have been
when configuring the OpenSSL installation, and since I have
a readily wrapped package, it has not been included there.
In that case I could install OpenSSL from the scratch. But
before I try that, I thought I would ask if somebody were
already familiar with the problem.

Tommi Nieminen

Here is the stunnel config file I was using:

CAfile = /etc/stunnel/root-cert.pem
cert = /etc/stunnel/device-cert.pem
key = /etc/stunnel/device-key.pem

output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
debug = 7
client = no

accept  = 443
connect =
verify = 1
options = SSL_OP_NO_SSLv2
;sslVersion = SSLv3 TLSv1

More information about the stunnel-users mailing list