[stunnel-users] Extensions when negotiating TLS

Tom (AST) Watson thomas.3.watson at raytheon.com
Mon Nov 4 22:05:11 CET 2019


Well, I thought it would be "easy", but maybe not.  I have an application (#1) that uses http2, and isn't encrypted.  No problem here.  Now I have another application (#2) that insists on using https to talk to application #1.  So I gleefully set up stunnel to connect the two.  Well, application #2 starts talking to stunnel with a "Client Hello" packet, and it includes an extension "Application Layer Protocol Extension" of "h2".  While not versed in the minutiae, I take this to mean that the client (application #2) wants to talk "http2" to the server (application #1).  OK, that is what I want.  The problem is that stunnel doesn't respond with ANY "Application Layer Protocol Extension" indicating acceptance of this request in its "server hello".  This means that application #2 fails in its negotiation.  No joy!

Now I know that application #1 will nicely talk http2, but how do I get stunnel to communicate this to application #2 (as encrypted http2)?  Am I missing something in my (pretty simple) configuration file?

Thanks.

--
Tom Watson              (I'm at work now)
Thomas.3.watson at raytheon.com
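
The negotiation described in the message above, as an added example that is not part of the original post: a small Python parser that reports which ALPN protocols a ClientHello offers and whether a ServerHello carries the extension at all. The sample messages are constructed, all helper names are hypothetical, and it assumes a TLS 1.2-style handshake in which the server's ALPN answer travels in the ServerHello (in TLS 1.3 it is sent in EncryptedExtensions instead).

```python
ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

def vec(buf, off, len_bytes):
    """Read a length-prefixed vector at off; return (data, next_offset)."""
    start = off + len_bytes
    end = start + int.from_bytes(buf[off:start], "big")
    if end > len(buf):
        raise ValueError("truncated handshake message")
    return buf[start:end], end

def alpn_from_hello(msg):
    """ALPN names in a ClientHello/ServerHello, or None if the extension is absent."""
    body, _ = vec(msg, 1, 3)              # skip msg type, read 3-byte length
    _, off = vec(body, 2 + 32, 1)         # version, random, then session_id
    if msg[0] == 1:                       # ClientHello
        _, off = vec(body, off, 2)        # cipher_suites
        _, off = vec(body, off, 1)        # compression_methods
    elif msg[0] == 2:                     # ServerHello
        off += 3                          # cipher_suite + compression_method
    else:
        raise ValueError("not a ClientHello or ServerHello")
    if off >= len(body):
        return None                       # no extensions block at all
    exts, _ = vec(body, off, 2)
    pos = 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = vec(exts, pos + 2, 2)
        if ext_type == ALPN_EXT:
            names, _ = vec(data, 0, 2)    # ProtocolNameList
            out, i = [], 0
            while i < len(names):
                name, i = vec(names, i, 1)
                out.append(name.decode("ascii"))
            return out
    return None

# --- constructed sample messages (zero random, empty session id) ---
def alpn_ext(*protos):
    names = b"".join(bytes([len(p)]) + p for p in protos)
    data = len(names).to_bytes(2, "big") + names
    return ALPN_EXT.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data

def build_hello(hs_type, exts):
    body = b"\x03\x03" + bytes(32) + b"\x00"
    body += b"\x00\x02\xc0\x2f\x01\x00" if hs_type == 1 else b"\xc0\x2f\x00"
    body += len(exts).to_bytes(2, "big") + exts
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body

CLIENT_HELLO = build_hello(1, alpn_ext(b"h2", b"http/1.1"))
SERVER_HELLO_NO_ALPN = build_hello(2, b"\xff\x01\x00\x01\x00")  # other ext only
SERVER_HELLO_H2 = build_hello(2, alpn_ext(b"h2"))
```

A `None` result for the ServerHello while the ClientHello lists `h2` is the situation the message describes: the client offered a protocol and the server side selected none.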