Hello,

I am trying to configure Stunnel to use the insecure cipher PSK-NULL-SHA@SECLEVEL=0 but am encountering issues where a different cipher appears to be negotiated instead. My goal is to authenticate endpoints without encryption.

Here are the details of my setup:

Stunnel Version: 5.63
Operating System: Ubuntu
Stunnel Configuration:

; Stunnel Configuration
; Global Options
fips = no
output = /var/log/stunnel.log

; Specify the pre-shared key file
PSKsecrets = /etc/stunnel/psk.txt
sslVersion = TLSv1.2

; PSK Server Configuration
[PSK server]
accept = 192.168.20.11:5074
connect = 192.168.30.11:5074
ciphers = PSK-NULL-SHA  ;

In OpenSSL, I can achieve my goal using the following command, which works as expected:


openssl s_client -port 5074 -cipher "PSK-NULL-SHA@SECLEVEL=0" -psk 4f8583bca4d311ee9fd6034d1fcbd7c3 -tls1

However, with Stunnel, it appears a different cipher is negotiated, and I do not see any error messages in the logs.

I tcpdumped the connection and observed that the traffic is being encrypted, which was not the case when using openssl. In my use case I need to authenticate endpoints without encryption, hence the use of PSK-NULL-SHA@SECLEVEL=0.

Could you please advise on how to properly configure Stunnel to use the PSK-NULL-SHA@SECLEVEL=0 cipher, or if this is supported?

Thank you for your assistance.
Flavio Castro