On Wed, Jul 8, 2015 at 7:56 AM, Madhava Gaikwad (madgaikw) <madgaikw@cisco.com> wrote:
I am using stunnel version 5.03. I want to understand how the config
options “sslVersion” and “options” work.
The problem I am trying to solve is: I want to enable, say, only particular
SSL connect methods, for example SSLv3 and TLSv1.2. I am not able to do it.
For me, if I do the setting below:

Options = all
Option = NO_SSLv2
Option = NO_SSLv3
Option = NO_TLSv1
Option = NO_TLSv1.1
Option = NO_TLSv1.2
I still see all methods being enabled. I removed Option = all, but with no
effect. What is the expected behavior?
Also, sslVersion seems to enable either one particular SSL version, or else
all the versions. So I am wondering what the escape mechanism can be. Any help will be highly appreciated.
I cannot comment on such an old version of Stunnel (5.03 - "Version 5.03, 2014.08.07" - nearly a year old!! from the https://www.stunnel.org/sdf_ChangeLog.html history). You really should update your Stunnel and OpenSSL versions, especially if you're using the insecure OpenSSL versions.
I asked a similar question in the past, and Mike said that the above should work for allowing multiple versions. Try this, from the https://www.stunnel.org/static/stunnel.html man page:

sslVersion = all
options = NO_SSLv2
options = NO_TLSv1
options = NO_TLSv1.1
That should only allow SSLv3 and TLSv1.2 and disallow the other three above. I did test this (i.e., enabling the ones "turned off" in the client) and it does indeed work. See what Mike said at the following URL: http://www.stunnel.org/pipermail/stunnel-users/2015-March/004985.html
Be sure that you're looking in the right place... there's "enabled by software" and then "enabled by configuration"... the config can limit the software.
NOTE: The old posts can be searched here: http://www.stunnel.org/pipermail/stunnel-users/
-Rob
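An added checker, not from this thread and not stunnel's own code, that models the semantics Rob quotes from the man page (sslVersion = all starts from every version, sslVersion = X from X alone, each options = NO_X removes X) and reports the effective protocol set for a config snippet. It assumes a single section, case-insensitive key names, and that a missing sslVersion line behaves like "all"; the LEGACY set is this checker's own policy for what to flag.

```python
import re

# Protocol versions named in the thread, oldest first.
ALL_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Versions this checker flags if they stay enabled (checker policy, not stunnel's).
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
NO_VERSION = re.compile(r"NO_(SSLv2|SSLv3|TLSv1|TLSv1\.1|TLSv1\.2)")


def effective_versions(config_text):
    """Return (enabled, problems) for a stunnel-style snippet.

    Assumptions: one section only, key names compared case-insensitively,
    and no sslVersion line is treated like 'sslVersion = all'.
    """
    base = set(ALL_VERSIONS)
    removed = set()
    problems = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line or line.startswith("["):  # blank line or [section] header
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            problems.append(f"line {lineno}: not a 'key = value' line: {raw!r}")
        elif key.lower() == "sslversion":
            if value == "all":
                base = set(ALL_VERSIONS)
            elif value in ALL_VERSIONS:
                base = {value}
            else:
                problems.append(f"line {lineno}: unknown sslVersion value {value!r}")
        elif key.lower() == "options":
            m = NO_VERSION.fullmatch(value)
            if m:
                removed.add(m.group(1))
            # Any other value is an OpenSSL SSL_OP_* flag this checker does not model.
        else:
            problems.append(f"line {lineno}: key {key!r} is not sslVersion/options; ignored")
    return base - removed, problems


def legacy_left_enabled(config_text):
    """Versions from LEGACY that the snippet still leaves enabled."""
    enabled, _ = effective_versions(config_text)
    return sorted(enabled & LEGACY)
```

Running it over Rob's four lines yields {SSLv3, TLSv1.2} with no problems reported, and the LEGACY check still lists SSLv3; running it over the original "Option = ..." lines reports each of them as an unrecognized key.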