Hi Daniel,
The cipher suites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 are for TLS v1.2.
The Protocols field: {771, 65277} is a decimal representation of the value used in the TLS Version Field. 771 corresponds to 0x0303, which is TLS_1_2, and 65277 corresponds to 0xFEFD, which is DTLS_1_1.
You need to use sslVersion = TLSv1.2
Regards, Małgorzata Olszówka
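The version-field decoding and the TLSv1.2/TLSv1.3 naming split discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages or of stunnel: the version table uses the RFC-assigned wire values, and the `ciphers` line in `CORRECTED` (stunnel's option for TLSv1.2 and below, using OpenSSL cipher names) is an assumption, since the thread itself only states `sslVersion = TLSv1.2`.

```python
# Wire values of the TLS/DTLS version field (RFC 8446, RFC 6347).
WIRE_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2",
                 0x0304: "TLS 1.3", 0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}

# The only cipher suites defined for TLS 1.3 (RFC 8446, appendix B.4).
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}

# Settings as posted in the thread (the truncated suite name is kept as posted).
POSTED = """\
sslVersion = TLSv1.3
ciphersuites = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_GCM_SHA25
"""

# Assumed correction: sslVersion from the reply; the 'ciphers' line is an addition.
CORRECTED = """\
sslVersion = TLSv1.2
ciphers = DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
"""

def decode_protocols(values):
    """Render decimal version-field values as hex plus protocol name."""
    return [(f"0x{v:04X}", WIRE_VERSIONS.get(v, "unknown")) for v in values]

def parse_options(text):
    """Collect 'option = value' pairs, skipping comments and section headers."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def lint(text):
    """Flag names in 'ciphersuites' that are not TLSv1.3 suites."""
    opts = parse_options(text)
    version = opts.get("sslVersion", [""])[-1]
    suites = [s for v in opts.get("ciphersuites", []) for s in v.split(":") if s]
    bad = [s for s in suites if s not in TLS13_SUITES]
    findings = [f"not a TLSv1.3 ciphersuite: {s}" for s in bad]
    if version == "TLSv1.3" and suites and len(bad) == len(suites):
        findings.append("sslVersion = TLSv1.3 but no listed suite is a TLSv1.3 suite")
    return findings

if __name__ == "__main__":
    print(decode_protocols([771, 65277]))
    for name, cfg in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, lint(cfg) or "ok")
```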
On 10.06.2024 at 16:33, Glick, Daniel wrote:
Classification: Restricted
Hi Duncan,
Thank you for your email.
The parameters we have set up in the stunnel config are as follows : (also we are using stunnel version 5.67)
; Certificate/key is needed in server mode and optional in client mode
cert = ARB03.pem
key = ARB03.pem
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
options = NO_SSLv3
sslVersion = TLSv1.3
ciphersuites = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_GCM_SHA25
the version of OpenSSL is
However when we reboot the server and check the stunnel log – we receive a fatal error, as the ciphers are not recognised
2024.06.10 15:00:34 LOG7[8]: TLS alert (write): fatal: internal error
2024.06.10 15:00:34 LOG3[8]: SSL_connect: ssl/statem/statem_clnt.c:3745: error:0A0000B5:SSL routines::no ciphers available
Any ideas
Thank you
Danny
*From:* Duncan Morris Duncan.Morris@cdl.co.uk
*Sent:* Monday, 10 June 2024 14:44
*To:* Glick, Daniel DanielGlick@arbuthnot.co.uk; stunnel-users@stunnel.org
*Subject:* RE: help required with stunnel cipher set up
Hi,
Have you updated the stunnel config file with your ciphersuites choices?
From: https://www.stunnel.org/static/stunnel.html#SERVICE-LEVEL-OPTIONS
*ciphersuites* = CIPHERSUITES_LIST
select permitted TLSv1.3 ciphersuites
A colon-delimited list of TLSv1.3 ciphersuites names in order of preference.
This option requires OpenSSL 1.1.1 or later.
default: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
Regards,
*Duncan Morris*
*OpenVMS Consultant Engineer*
CDL
www.cdl.co.uk
*Advanced Notice of Annual Leave: 18th-28th July 2024*
*24th Aug–4th September 2024*
T: +44 (0)161 480 4420
T: +44 (0)161 475 4111
F: +44 (0)161 480 4415
M: +44 (0)7872 526049
CDL - EXTERNAL
*From:* Glick, Daniel <DanielGlick@arbuthnot.co.uk>
*Sent:* Monday, June 10, 2024 11:28 AM
*To:* stunnel-users@stunnel.org
*Subject:* [stunnel-users] help required with stunnel cipher set up
Dear All,
Objective :
We have been informed by Euroclear that we must use the following ciphers below with our stunnel connection to them
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Server details :
The required cipher has been defined as being the first in the list.
Information security has confirmed that the cipher has been enabled
However after rebooting the server and starting stunnel – the old ciphers are still being used
Please can anyone point us in the right direction as to what we are doing wrong.
Thank you
*Daniel Glick*
*Application Specialist, Investment Management & Finance Platform*
Arbuthnot Latham & Co., Limited
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete it from your system.
Internet communications are not secure and therefore Arbuthnot Latham & Co., Limited does not accept legal responsibility for the contents of this message or any damage sustained as a result of this email or its attachments. Any views or opinions presented are solely those of the author and do not necessarily represent those of Arbuthnot Latham & Co., Limited or any of its affiliates.
Please take some time to read our Privacy Notice https://www.arbuthnotlatham.co.uk/privacy-notice/, which provides information on what personal data we collect from you, what we do with it and who it might be shared with.
Registered in England and Wales No. 819519. Arbuthnot Latham & Co., Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Arbuthnot Latham & Co., Limited is on the Financial Services Register under Firm Reference Number 143336.
Arbuthnot Latham & Co., Limited Arbuthnot House 7 Wilson Street London EC2M 2SN
Tel : +44 (0)20 7012 2500 www.arbuthnotlatham.co.uk https://www.arbuthnotlatham.co.uk/
Please consider the environment - Do you really need to print this email?
This email is intended only for the person(s) named above and may contain private and confidential information. If it has come to you in error, please destroy and permanently delete any copy in your possession, and contact us on +44 (0)161 480 4420. The information in this email is copyright © CDL Group Holdings Limited. We cannot accept liability for any loss or damage sustained as a result of software viruses. It is your responsibility to carry out such virus checking as is necessary before opening any attachment.
Cheshire Datasystems Limited uses software which automatically screens incoming emails for inappropriate content and attachments. If the software identifies such content or attachment, the email will be forwarded to our Technology department for checking. You should be aware that any email that you send to Cheshire Datasystems Limited is subject to this procedure.
*Cheshire Datasystems Limited, Strata House, Kings Reach Road, Stockport, SK4 2HD* Registered in England and Wales with company number 3991057 VAT registration: 727 1188 33
stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org