[stunnel-users] Multiple versions of TLS in config?

Michal Trojnara Michal.Trojnara at mirt.net
Wed Mar 25 13:02:59 CET 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24.03.2015 18:25, Rob Lockhart wrote:
> In order to support TLS v1.0, TLS v1.1 and TLS v1.2 but disable
> SSLv2 and SSLv3, you should have in the config file:
> 
> sslVersion = all options = NO_SSLv2 options = NO_SSLv3
> 
> (those last two lines may be default in the new Stunnel). However, 
> what if I want to just have TLSv1.1 and TLSv1.2 but NOT TLSv1.0?
[cut]
> Is there a way to allow TLSv1.1 and TLSv1.2 but disallow TLSv1.0?

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1

The OpenSSL CHANGES document says:

Changes between 1.0.1a and 1.0.1b [26 Apr 2012]

*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
   1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
   mean any application compiled against OpenSSL 1.0.0 headers setting
   SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
   TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
   0x10000000L Any application which was previously compiled against
   OpenSSL 1.0.1 or 1.0.1a headers and which cares about
   SSL_OP_NO_TLSv1_1 will need to be recompiled as a result.
   Letting be results in inability to disable specifically TLS 1.1
   and in client context, in unlike event, limit maximum offered
   version to TLS 1.0 [see below].
   [Steve Henson]

*) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
   disable just protocol X, but all protocols above X *if* there are
   protocols *below* X still enabled. In more practical terms it means
   that if application wants to disable TLS1.0 in favor of TLS1.1 and
   above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
   SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
   client side.
   [Andy Polyakov]

Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVEqPzAAoJEC78f/DUFuAUO+sP/R41sMCthyxGoxHRo8lFROyY
G9a2taLMMrmegkEB1AjhmTKLEfrANytJYFqJUD1RSjis7iLcWCtIamEBw0As5Dn4
vIvd0gPsaKdVXVaDom9PyIgEWbvOCh5CQFHObDsg3pGJTcXBvAZ19NCZEyzaisiV
tCF0/hhHNZ1dj5BDrULPubtwkbFB0n2me32E3ZTs/dIab89pRAgX/ApyedOHbPZQ
WqCn18ZMvlYZYuyX+wR1QDIVkoXdcwivzH58kr3co/RxmHzAzpSKQz0nP0xajshE
2MhREI49/EEI75/zS4xspjsS9NyOP03fiU4SXDr3b1HCsHQBbXRN55nHpj7Lz0gQ
TEEXFbwCgAIC0qPTKPeuqFNDaK9LOZCjJy9tS5gfKqoA+jiQTsnTd9EcMMcG4ERI
Tj78XJtmP1vyxXkA0FFrwbB3YIWd/UvTvkZ4H6kvP8yMXJEWa56seN66Y3D6ud5V
ti6Hn/pPf5d2DFPwB36CcW9zcBmvt98WFHmytSoPycv9KFvyvzi3P95WY2jq3KWL
nNSQnqOXVWYwEwcKfL+y3tR1W/6WtCKwf3kJf+W+4mFAjV5IBPbuszvaKhhwnWIV
r7lT/TH+wNq6ygNeWc4+ViBRM3F/zxmAzhLocLxISNFjkfdbLBmmHbAHo5AuFQl3
mWjFLiTCQ+iVw5a0m8Ht
=AKlP
-----END PGP SIGNATURE-----

More information about the stunnel-users mailing list