[stunnel-users] tls question

Sakthivel Ganesamoorthy sakthivelg at danlawinc.com
Mon Jul 2 15:23:59 CEST 2018


I did capture the Wireshark log to understand the TLS flow. But my Wireshark capture just shows the packets as "TLS" and I don’t see any  "TLS1.2" handshakes.

1) Rsync Server enabled with TLS1.2 over Stunnel
2) Rsync Client enabled with TLS1.2 over Stunnel

I captured the Wireshark at both ends and both of them just shows the packets as "TLS". I don’t see any "Client hello, cipher key message" exchanges shown in the capture. Please help.


-----Original Message-----
From: stunnel-users <stunnel-users-bounces at stunnel.org> On Behalf Of Rob Lockhart
Sent: Wednesday, June 27, 2018 11:34 AM
To: Daniel Trickett <daniel.trickett at emdmillipore.com>
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] tls question

Dan, use Wireshark, capture traffic using Stunnel, set a filter based on the destination IP (i.e., "ip.addr ==" if class C network), look for traffic with the host, and look for "Protocol"
column. For my captures, it shows "TLSv1.2" and for "Secure Sockets Layer" it shows the handshakes and ciphers as v1.2. You can drill down the TLS exchange, from the cipher suites offered and finally the negotiated version, it should show "TLS 1.2".

In your config file you can specify only TLS v1.2 by:
sslVersion = TLSv1.2

On my systems, it appears to negotiate at TLS v1.0 (the "Client
Hello") but the server Hello is at TLS v1.2. Once you see the Cipher suite, you can verify if the one chosen is TLS v1.2 by using this:

In your Wireshark captures, look for "Cipher Suite:" in the Server Hello, and that should tell you the Cipher used, and you can infer TLS
v1.2 based on the Cipher and that Cheat Sheet, and especially that Mozilla site ("cipher names correspondence table").


On Wed, Jun 27, 2018 at 10:17 AM Daniel Trickett <daniel.trickett at emdmillipore.com> wrote:
> If I use stunnel 5.44, how do I know that the protocol being used is TLS1.2? Is it the default?
> Working with supplier sites which still accept 1.0/1.1, but want to make sure that I am using 1.2, as they will be disabling the older protocols.
> Thanks and
> Best regards,
> Dan
stunnel-users mailing list
stunnel-users at stunnel.org

More information about the stunnel-users mailing list