[stunnel-users] Problem with sslv2 clients

Markus Borst (HRZ) M.Borst at hrz.tu-darmstadt.de
Fri Dec 16 09:43:23 CET 2011

Am 12.12.2011 16:57, schrieb Michal Trojnara:
> Markus Borst wrote:
>> I want client and server to _NEGOTIATE_ a "higher" protocol.
> fips = no
> sslVersion = all
> options = NO_SSLv2
> According to my tests it does exactly what you want.
> Mike

Sorry for the late reply. Yes, thanks, this combination does indeed 
work. Older ssl client can connect and use either sslv3 or tlsv1. I 
would have thought that this would be default behaviour, but there are 
probably reasons to do it otherwise.

Since the use of these options in this combination is not clear from the 
documentation, I have a few suggestions to update the docs:
   - explain what fips does (not the whole specification, just which 
methods and ciphers are disabled)
   - clearly state which methods (SSL, TLS, ciphers) are used by 
default, with or without fips.
   - explain the "options = NO_SSLv2" option. Currently, it is not even 
As a longer term enhancement, I suggest making the "sslVersion" option 
multi-valued: Currently, I can only select one of the three, or all 
three, but not just two out of three. (I.e., what will we do when a 
TLSv2 comes around?)

And the above configuration should go as an example into the default 
config file, since this particular combination ("sslVersion=all" AND 
"options=NO_SSLv2") ist a bit counter intuitive.

Markus Borst

More information about the stunnel-users mailing list