[stunnel-users] STUNNEL --- How to chose the AES cipher with TLS v1.2

Leandro Avila leandro.avila at ymail.com
Thu Feb 14 20:50:37 CET 2013



Kevin,

The configuration directives that are relevant in this case are:

sslVersion = TLSv1.2
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256


Keep in mind that TLS 1.2 is not widely deployed. So if you need
backward compatibility, you might want to enable SSLv3, TLSv1, TLSv1.1.

The documentation in the link you provided should allow you to tweak the ciphers you want:
http://www.openssl.org/docs/apps/ciphers.html

-----------------
Leandro Avila


----- Original Message -----
> From: Editor <editor at cellmail.com>
> To: stunnel-users at stunnel.org
> Cc: 
> Sent: Monday, February 4, 2013 2:20 PM
> Subject: [stunnel-users] STUNNEL --- How to chose the AES cipher with TLS v1.2
> 
> Hi to all:
> 
> In reading the FAQ and looking at the sample configuration file, I do not see an 
> example of how to correctly configure the application to use the more current 
> AES-256 or the AES-128 cipher configurations.
> 
> I do have the current OpenSSL on the host (a Sun SPARC box). The idea is to use 
> this host as a SSL proxy for a number of services.
> 
> I did see this reference:
> 
> options = CIPHER_SERVER_PREFERENCE
> 
> But not how to then set the SSL cipher except as I found on Google.
> 
> There was this on the MAN page but it seems to fail in my configuration:
> 
> ciphers = cipherlist Select permitted SSL ciphers. A colon delimited list of the 
> ciphers to allow in the SSL connection. For example DES-CBC3-SHA:IDEA-CBC-MD5
> 
> Thanks.
> 
> Kevin
> 
> Reference Ciphers supported by OpenSSL: 
> http://www.openssl.org/docs/apps/ciphers.html
> 
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>  
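
Added example (not part of the original messages and not stunnel code): stunnel hands the `ciphers` value to OpenSSL, so the string from the reply can be expanded against the local OpenSSL build to see which of the listed suites are actually available and which are silently dropped. The sketch uses Python's standard `ssl` module and assumes Python is linked against the same OpenSSL as stunnel; the function names are illustrative.

```python
import ssl

# Value of the "ciphers =" directive, copied from the reply above.
CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:"
    "AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256"
)

def expand(cipher_string):
    """Return the suites (TLS 1.2 and below) that the local OpenSSL enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Raised when no name in the string matches an available suite.
        return []
    # TLS 1.3 suites are configured separately by OpenSSL and may be listed
    # regardless of this string, so they are left out of the comparison.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(cipher_string):
    """Compare the requested suite names with what OpenSSL really enabled."""
    requested = cipher_string.split(":")
    enabled = expand(cipher_string)
    dropped = [n for n in requested if n not in enabled]     # unknown to this build
    unexpected = [n for n in enabled if n not in requested]  # should stay empty
    return enabled, dropped, unexpected

if __name__ == "__main__":
    enabled, dropped, unexpected = audit(CIPHERS)
    print(ssl.OPENSSL_VERSION)
    print("enabled   :", ", ".join(enabled) or "(none)")
    print("dropped   :", ", ".join(dropped) or "(none)")
    print("unexpected:", ", ".join(unexpected) or "(none)")
```

Names that land in `dropped` are not offered by this OpenSSL build, which is worth knowing before a peer fails to negotiate.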


