[stunnel-users] help on options and sslversion

Rob Lockhart rlockhar at gmail.com
Fri Jul 10 21:28:06 CEST 2015

On Wed, Jul 8, 2015 at 7:56 AM, Madhava Gaikwad (madgaikw) <
madgaikw at cisco.com> wrote:
> I am using stunnel 5.03 version. I want to understand how the config
option “sslVersion “ and “options ” works.
> The problem I am trying to solve is: I want to enable say only particular
ssl connect methods, for example sslv3 and TLs1.2. I am not able to do it.
> For me if I do below setting:
> Options = all
> Option = NO_SSLv2
> Option = NO_SSLv3
> Option = NO_TLSv1
> Option = NO_TLSv1.1
> Option = NO_TLSv1.2
> Still I see all methods are being enabled. I removed Option = all, but no
effect. What is expected behavior?
> Also, the sslVersion seems enables either particular sslversion, or else
all the versions. So wondering what can be the escape mechanism. Any help
will be highly appreciated.

I cannot comment on such an old version of Stunnel (5.03 - Version 5.03,
2014.08.07 - nearly a year old!! from
https://www.stunnel.org/sdf_ChangeLog.html history). You really should
update your Stunnel and OpenSSL version, especially if you're using the
insecure OpenSSL versions.

I asked a similar question in the past, and Mike said that the above should
work for allowing multiple versions. Try this, from
https://www.stunnel.org/static/stunnel.html man page:
sslVersion = all
options = NO_SSLv2
options = NO_TLSv1
options = NO_TLSv1.1

That should only allow SSLv3 and TLSv1.2 and disallow the other three
above. I did test this (i.e., enabling the ones "turned off" in the client)
and it does indeed work. See what Mike said at the following URL:

Be sure that you're looking in the right place... there's "enabled by
software" and then "enabled by configuration"... the config can limit the

NOTE: The old posts can be searched here:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20150710/c1bbc528/attachment.html>

More information about the stunnel-users mailing list