<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Scott,<div class=""><br class=""></div><div class="">Thanks for the message.</div><div class="">I tried this, but to no avail.</div><div class="">If I use that verbatim I get the error:</div><div class=""><div style="margin: 0px; font-size: 11px; line-height: normal; font-family: Menlo;" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">2016.09.21 06:46:46 LOG3[ui]: SSL_connect: 140740BF: error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available</span></div></div><div class="">In fact it seems like the only security protocol available to me is TLSv1, as the presence of the NO_SSLv2 and NO_SSLv3 options has no effect (which makes sense: I understand that Stunnel doesn’t use SSL v2 or v3 these days). I don’t know if this indicates something untoward.</div><div class=""><br class=""></div><div class="">Best, Dave.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 21 Sep 2016, at 03:15, Scott McKeown <<a href="mailto:scott@loadbalancer.org" class="">scott@loadbalancer.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class=""><div class="">Hi Guys,<br class=""></div>To me this looks like a cipher issue.<br class=""></div>There are a few options that you can try to resolve this if it is.<br class=""><br class=""></div>I would try adding the following lines to your stunnel configuration file:<br class=""><br class=""><pre class=""><code class="gmail-bash gmail-hljs">delay = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS</code></pre><br class=""></div>Delay will delay any DNS lookups that may be actioned by the request (not normally needed, but I always include it for sanity's sake).<br class=""></div>The three 'options' lines turn off all the known problematic cipher lists. If you need a key that is in one of these blocks, feel free to remove that directive, but I think a good start would be to leave the 'NO_SSLv3' option in place.<br class=""></div>The 'CIPHER_SERVER_PREFERENCE' option will set whether the client is allowed to renegotiate the ciphers that are to be used between the client and the server process.<br class=""></div>And finally, 'DONT_INSERT_EMPTY_FRAGMENTS' will mitigate an issue in the CBC ciphers that was in the SSLv3 and TLS1.0 cipher lists; again, I only include it for sanity's sake now, but it's better to have it than to go without.<br class=""><br class=""></div></div></blockquote></div></div></body></html>
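As an added example that is not part of either message in the thread: a complete client-side stunnel service section showing where the options Scott lists sit, together with a comment on the failure Dave reports. The service name, ports, hostname and CA path are hypothetical, and the verification directives assume stunnel 5.06 or later linked against OpenSSL 1.0.1 or later.

```ini
; Added example, not from the thread. Service name, ports, host and CA path are hypothetical.

; Global settings (run in the foreground with verbose logging while debugging)
foreground = yes
debug = 5

[smtps-client]
client = yes
accept = 127.0.0.1:2525
connect = mail.example.com:465
delay = yes

; Verify the server certificate chain and the hostname on the outbound side
; (stunnel 5.06+ directive names; assumed here)
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = mail.example.com

; Protocol pinning as suggested in the thread. With OpenSSL 1.0.1+ this leaves
; only TLSv1.1 and TLSv1.2 enabled. On a build whose OpenSSL offers nothing
; beyond TLSv1 (the situation Dave describes), the NO_TLSv1 line disables every
; protocol and SSL_connect fails with "SSL23_CLIENT_HELLO:no protocols available";
; remove NO_TLSv1 on such a build, or upgrade the OpenSSL that stunnel links against.
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS
```

To confirm what the remote end actually offers before pinning a protocol, run `openssl s_client -connect mail.example.com:465 -tls1_2` (and `-tls1_1`, `-tls1`) from the stunnel host with the same OpenSSL that stunnel links against; a handshake that only completes with `-tls1` means the `NO_TLSv1` line cannot be used there yet.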