On Wed, Jul 8, 2015 at 7:56 AM, Madhava Gaikwad (madgaikw) <madgaikw@cisco.com> wrote:
>
>
> I am using stunnel 5.03 version. I want to understand how the config options "sslVersion" and "options" work.
> The problem I am trying to solve is: I want to enable say only particular SSL connect methods, for example SSLv3 and TLS1.2. I am not able to do it.
>
> For me if I do below setting:
>
> Options = all
> Option = NO_SSLv2
> Option = NO_SSLv3
> Option = NO_TLSv1
> Option = NO_TLSv1.1
> Option = NO_TLSv1.2
>
> Still I see all methods are being enabled. I removed Option = all, but no effect. What is expected behavior?
>
> Also, the sslVersion seems to enable either a particular SSL version, or else all the versions. So wondering what can be the escape mechanism. Any help will be highly appreciated.

I cannot comment on such an old version of Stunnel (5.03, released 2014.08.07 according to the https://www.stunnel.org/sdf_ChangeLog.html history; nearly a year old!!). You really should update your Stunnel and OpenSSL versions, especially if you're using the insecure OpenSSL versions.

I asked a similar question in the past, and Mike said that the above should work for allowing multiple versions. Try this, from https://www.stunnel.org/static/stunnel.html man page:
sslVersion = all
options = NO_SSLv2
options = NO_TLSv1
options = NO_TLSv1.1

That should only allow SSLv3 and TLSv1.2 and disallow the other three above. I did test this (i.e., enabling the ones "turned off" in the client) and it does indeed work. See what Mike said at the following URL:
http://www.stunnel.org/pipermail/stunnel-users/2015-March/004985.html

Be sure that you're looking in the right place... there's "enabled by software" and then "enabled by configuration"... the config can limit the software.

NOTE: The old posts can be searched here:
http://www.stunnel.org/pipermail/stunnel-users/

 -Rob
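To make the interplay Rob describes concrete, here is an added example that is not part of the list thread and not stunnel's own code. It is a small model of how a service section's "sslVersion" and "options = NO_..." lines combine: "sslVersion = all" starts from every version, a specific "sslVersion" pins exactly that one, and each "NO_<version>" option removes one. It runs the config Rob posted, the config from the original question, and a hardened TLSv1.2-only variant. Assumptions: all five versions are treated as available in the OpenSSL build (a real build may lack SSLv2/SSLv3), option names are matched case-insensitively, and an unrecognised option name such as the singular "Option" is reported as a configuration error rather than silently skipped (stunnel's log is the first place to look when a setting appears to be ignored). Other "options" values such as ALL or CIPHER_SERVER_PREFERENCE are accepted but do not affect the version set.

```python
"""Model of how stunnel's sslVersion and options settings combine.

Added example for this thread, not stunnel's own code. The version
availability, case-insensitive key matching and unknown-key handling are
assumptions stated in the lead-in, not facts read from stunnel's source.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Protocol versions the sslVersion / options settings can name.
# Assumption: all five are available; a real OpenSSL build may lack SSLv2/SSLv3.
ALL_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# "options = NO_<version>" tokens mapped to the version each one disables.
NO_OPTIONS = {"NO_" + v: v for v in ALL_VERSIONS}


@dataclass
class Verdict:
    enabled: list[str]                                  # versions left enabled
    problems: list[str] = field(default_factory=list)   # config errors found


def effective_versions(config_text: str) -> Verdict:
    """Return the protocol versions a service section would accept."""
    versions = set(ALL_VERSIONS)   # sslVersion defaults to "all"
    disabled: set[str] = set()
    problems: list[str] = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in stunnel.conf
        if not line or line.startswith("["):  # blank line or [section] header
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not 'key = value': {raw!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key_l = key.lower()                   # assumption: keys are case-insensitive
        if key_l == "sslversion":
            if value.lower() == "all":
                versions = set(ALL_VERSIONS)  # every version the build supports
            elif value in ALL_VERSIONS:
                versions = {value}            # a single method: only that version
            else:
                problems.append(f"line {lineno}: unknown sslVersion {value!r}")
        elif key_l == "options":
            if value in NO_OPTIONS:
                disabled.add(NO_OPTIONS[value])
            # Any other options value (ALL, CIPHER_SERVER_PREFERENCE, ...) is an
            # OpenSSL option that does not change the set of versions.
        else:
            # Assumption: stunnel rejects unknown option names instead of
            # ignoring them, so this is the first thing to check in the log.
            problems.append(f"line {lineno}: unrecognised option name {key!r}")
    enabled = [v for v in ALL_VERSIONS if v in versions and v not in disabled]
    return Verdict(enabled, problems)


# Constructed sample configs: Rob's suggestion, the original question's
# settings, and a hardened variant that leaves only TLSv1.2.
ROB_CONFIG = """
[https]
sslVersion = all
options = NO_SSLv2
options = NO_TLSv1
options = NO_TLSv1.1
"""

ORIGINAL_POST_CONFIG = """
[https]
Options = all
Option = NO_SSLv2
Option = NO_SSLv3
Option = NO_TLSv1
Option = NO_TLSv1.1
Option = NO_TLSv1.2
"""

HARDENED_CONFIG = """
[https]
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
"""

if __name__ == "__main__":
    for name, cfg in (("Rob", ROB_CONFIG), ("original post", ORIGINAL_POST_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        verdict = effective_versions(cfg)
        print(f"{name}: enabled={verdict.enabled}")
        for problem in verdict.problems:
            print(f"  {problem}")
```

Run stand-alone, the script shows Rob's config leaving SSLv3 and TLSv1.2, the hardened config leaving TLSv1.2 only, and the original poster's config changing nothing because none of its "Option" lines is a recognised key. That last result is why Rob's "enabled by software" versus "enabled by configuration" check matters: a setting that was never parsed cannot limit anything.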