[stunnel-users] tls question

Rob Lockhart rlockhar at gmail.com
Wed Jun 27 17:33:32 CEST 2018


Dan, use Wireshark, capture traffic using Stunnel, set a filter based
on the destination IP (i.e., "ip.addr == 10.5.2.0/24" if class C
network), look for traffic with the host, and look at the "Protocol"
column. For my captures, it shows "TLSv1.2" and for "Secure Sockets
Layer" it shows the handshakes and ciphers as v1.2. You can drill down
into the TLS exchange, from the cipher suites offered to the
negotiated version; it should show "TLS 1.2".

In your config file you can specify only TLS v1.2 by:
sslVersion = TLSv1.2

On my systems, it appears to negotiate at TLS v1.0 (the "Client
Hello") but the server Hello is at TLS v1.2. Once you see the Cipher
suite, you can verify if the one chosen is TLS v1.2 by using this:
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

In your Wireshark captures, look for "Cipher Suite:" in the Server
Hello, and that should tell you the Cipher used, and you can infer TLS
v1.2 based on the Cipher and that Cheat Sheet, and especially that
Mozilla site ("cipher names correspondence table").

Regards,
 -Rob

On Wed, Jun 27, 2018 at 10:17 AM Daniel Trickett
<daniel.trickett at emdmillipore.com> wrote:
>
> If I use stunnel 5.44, how do I know that the protocol being used is TLS1.2? Is it the default?
>
> Working with supplier sites which still accept 1.0/1.1, but want to make sure that I am using 1.2, as they will be disabling the older protocols.
>
> Thanks and
> Best regards,
> Dan
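
An added example (not part of the original thread and not stunnel code): a Python parser for the hello messages discussed in the reply above, showing a ClientHello whose record layer reads TLS 1.0 while the ServerHello selects TLS 1.2. It takes the negotiated version from the ServerHello's version field rather than inferring it from the cipher suite. The byte strings are constructed samples, and all function and constant names are this example's own.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Subset of the IANA cipher suite registry, enough for the samples below.
SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_hello(record: bytes) -> dict:
    """Decode the version fields (and chosen suite) of a Client/Server Hello record."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, rec_ver, _ = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a TLS handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if hs_type not in (1, 2):
        raise ValueError("not a ClientHello or ServerHello")
    hello = record[9:9 + hs_len]
    # Layout: version(2) random(32) session_id_len(1) session_id, then suite data.
    if len(hello) < hs_len or hs_len < 35 or len(hello) < 35 + hello[34] + 2:
        raise ValueError("truncated hello")
    ver = int.from_bytes(hello[:2], "big")
    out = {"message": "ClientHello" if hs_type == 1 else "ServerHello",
           "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),
           "hello_version": VERSIONS.get(ver, hex(ver))}
    if hs_type == 2:  # the server's single chosen suite follows the session id
        pos = 35 + hello[34]
        suite = int.from_bytes(hello[pos:pos + 2], "big")
        out["cipher_suite"] = SUITES.get(suite, f"0x{suite:04X}")
    return out

def negotiated_tls12(server_hello: bytes) -> bool:
    """True only if the ServerHello selects TLS 1.2 (TLS 1.3 is out of scope:
    it reports its version in the supported_versions extension instead)."""
    info = parse_hello(server_hello)
    return info["message"] == "ServerHello" and info["hello_version"] == "TLS 1.2"

def _sample(rec_ver: int, hs_type: int, hello: bytes) -> bytes:
    """Build a constructed sample record (not captured traffic)."""
    hs = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs

RANDOM = bytes(32)  # constructed placeholder for the 32-byte random
CLIENT_HELLO = _sample(0x0301, 1, b"\x03\x03" + RANDOM + b"\x00" + b"\x00\x04\xc0\x2f\x00\x2f" + b"\x01\x00")
SERVER_HELLO_12 = _sample(0x0303, 2, b"\x03\x03" + RANDOM + b"\x00" + b"\xc0\x2f" + b"\x00")
SERVER_HELLO_10 = _sample(0x0301, 2, b"\x03\x01" + RANDOM + b"\x00" + b"\x00\x2f" + b"\x00")

if __name__ == "__main__":
    for rec in (CLIENT_HELLO, SERVER_HELLO_12, SERVER_HELLO_10):
        print(parse_hello(rec))
```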


