[stunnel-users] tls question

Rob Lockhart rlockhar at gmail.com
Wed Jun 27 17:33:32 CEST 2018

Dan, use Wireshark, capture traffic using Stunnel, set a filter based
on the destination IP (i.e., "ip.addr ==" if class C
network), look for traffic with the host, and look for "Protocol"
column. For my captures, it shows "TLSv1.2" and for "Secure Sockets
Layer" it shows the handshakes and ciphers as v1.2. You can drill down
the TLS exchange, from the cipher suites offered and finally the
negotiated version, it should show "TLS 1.2".

In your config file you can specify only TLS v1.2 by:
sslVersion = TLSv1.2

On my systems, it appears to negotiate at TLS v1.0 (the "Client
Hello") but the server Hello is at TLS v1.2. Once you see the Cipher
suite, you can verify if the one chosen is TLS v1.2 by using this:

In your Wireshark captures, look for "Cipher Suite:" in the Server
Hello, and that should tell you the Cipher used, and you can infer TLS
v1.2 based on the Cipher and that Cheat Sheet, and especially that
Mozilla site ("cipher names correspondence table").


On Wed, Jun 27, 2018 at 10:17 AM Daniel Trickett
<daniel.trickett at emdmillipore.com> wrote:
> If I use stunnel 5.44, how do I know that the protocol being used is TLS1.2? Is it the default?
> Working with supplier sites which still accept 1.0/1.1, but want to make sure that I am using 1.2, as they will be disabling the older protocols.
> Thanks and
> Best regards,
> Dan

More information about the stunnel-users mailing list