<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi all:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Base on this link <a href="https://www.stunnel.org/sdf_ChangeLog.html">https://www.stunnel.org/sdf_ChangeLog.html</a>, to make TLS 1.2 work, I need to put stunnel in FIPS enable mode. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In stunnel config file, I have following to enable FIPS mode and select TLS 1.2. <o:p></o:p></p><p class=MsoNormal>sslVersion=TLSv1.2<o:p></o:p></p><p class=MsoNormal>FIPS = yes<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>But when my TLS 1.2 client send “client hello” with version TLS 1.2 to stunnel, stunnel still send “server hello” with TLS 1.0 back. Could somebody help on why stunnel does not support TLS 1.2 ? <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>My stunnel is verstion 5.02, compiled with latest OpenSSL version 1.0.1h FIPS mode library. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Following is the log file:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>###################<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Clients allowed=500<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: stunnel 5.02 on i686-pc-linux-gnu platform<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: Compiled with OpenSSL 1.1.0-fips-dev xx XXX xxxx<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: Running with OpenSSL 1.0.1h-fips 5 Jun 2014<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: Update OpenSSL shared libraries or rebuild stunnel<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: errno: (*__errno_location ())<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: Reading configuration from file stunnel.K.tacacs+.conf<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: FIPS mode enabled ##################FIPS mode enabled############<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Compression disabled<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Snagged 64 random bytes from /root/.rnd<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Wrote 1024 new random bytes to /root/.rnd<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: PRNG seeded successfully<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG6[15491]: Initializing service [encrypted_tacplus]<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG6[15491]: Loading cert from file: /tftpboot/cacert-hyu.pem<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG6[15491]: Loading key from file: /tftpboot/privkey-hyu.pem<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG4[15491]: Insecure file permissions on /tftpboot/privkey-hyu.pem<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Private key check succeeded<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: DH initialization<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Could not load DH parameters from /tftpboot/cacert-hyu.pem<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Using hardcoded DH parameters<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: DH initialized with 2048-bit key<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: ECDH initialization<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: ECDH initialized with curve prime256v1<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: SSL options set: 0x00000004<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG5[15491]: Configuration successful<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:13 LOG7[15491]: Service [encrypted_tacplus] (FD=7) bound to 0.0.0.0:2249<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:09:14 LOG7[15491]: No pid file being created<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15506]: Service [encrypted_tacplus] accepted (FD=3) from 10.25.105.82:636<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: Service [encrypted_tacplus] started<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG5[15509]: Service [encrypted_tacplus] accepted connection from 10.25.105.82:636<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): before/accept initialization<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SNI: no virtual services defined<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 read client hello B ##########wireshark shows “client hello” version is TLS1.2, stunnel log shows it is TLS1.0. <o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server hello A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write certificate A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write key exchange A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server done A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 flush data<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read client key exchange A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read finished A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write change cipher spec A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write finished A<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 flush data<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 1 items in the session cache<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 0 client connects (SSL_connect())<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 0 client connects that finished<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 0 client renegotiations requested<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 1 server connects (SSL_accept())<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 1 server connects that finished<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 0 server renegotiations requested<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 0 session cache hits<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 0 external session cache hits<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 1 session cache misses<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: 0 session cache timeouts<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG6[15509]: No peer certificate received<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG6[15509]: SSL accepted: new session negotiated<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG6[15509]: Negotiated TLSv1/SSLv3 ciphersuite: DHE-RSA-AES128-SHA (128-bit encryption) ##############negotiated as TLS1.0<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG6[15509]: Compression: null, expansion: null<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG6[15509]: s_connect: connecting 127.0.0.1:2250<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: s_connect: s_poll_wait 127.0.0.1:2250: waiting 10 seconds<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG5[15509]: s_connect: connected 127.0.0.1:2250<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG5[15509]: Service [encrypted_tacplus] connected remote server from 127.0.0.1:47369<o:p></o:p></p><p class=MsoNormal>2014.06.19 11:17:55 LOG7[15509]: Remote socket (FD=8) initialized<o:p></o:p></p></div></body></html>