So I've configured my stunnel to only use TLS 1.2, and it usually works ok. However, when the client gets some bad L7 response it sends a TCP RST, after which all subsequent stunnel TLS Client Hellos are some hybrid of TLS 1.0/TLS 1.2, as can be seen in the tshark output below. Once I restart the whole stunnel process, subsequent TLS handshakes work fine using TLS 1.2, until the next client RST is received.
$ stunnel -version
stunnel 4.56 on x86_64-redhat-linux-gnu platform

$ cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)

$ cat /etc/stunnel/dsr2rtcg-stunnel.conf
output = /var/log/stunnel
pid = /etc/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[poc]
cert = /etc/pki/tls/certs/stunnel/aaa.crt
key = /etc/pki/tls/private/stunnel/aaa.key
CAfile = /etc/pki/tls/certs/stunnel/bbb.crt
client = yes
sslVersion = TLSv1.2
options = NO_TLSv1
accept = 172.18.180.78:45154
connect = 10.74.0.196:45154
ciphers = TLSv1.2+HIGH:!aNULL

$ tshark -nn -V -d tcp.port==45154,ssl -r 20200729_09:42:44-port45154.pcap -2R "ssl.handshake" -c 1 | grep -i tls -B3
Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
--
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 1610
            Version: TLS 1.2 (0x0303)
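The capture above shows two different version fields in one ClientHello: the record-layer header says TLS 1.0 (0x0301) while the handshake body says TLS 1.2 (0x0303). Anyone auditing such a capture wants to read those two fields separately, because the handshake-body client_version is the one the server negotiates against, and RFC 5246 (Appendix E.1) explicitly allows a TLS 1.2 client to put 0x0301 in the record header of its ClientHello for compatibility. The following parser is an added example, not code from the question or from stunnel; the ClientHello bytes it works on are constructed inline to mirror the field values in the tshark output (the cipher suite list and the builder function are my own assumptions for the sake of a self-contained run).

```python
import struct

# Cipher suite IDs used to construct the sample ClientHello (assumed values, IANA-registered).
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def build_client_hello(record_version, handshake_version, cipher_suites):
    """Construct a minimal TLS ClientHello record (sample data for this example only)."""
    body = struct.pack("!H", handshake_version)           # client_version (handshake body)
    body += bytes(32)                                     # Random (zeroed for the sample)
    body += b"\x00"                                       # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites       # cipher_suites vector
    body += b"\x01\x00"                                   # one compression method: null
    body += b"\x00\x00"                                   # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello (1)
    return b"\x16" + struct.pack("!H", record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return the record-layer version, the handshake-body version and the offered suites."""
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record (content type %#x)" % data[0])
    record_version, record_len = struct.unpack("!HH", data[1:5])
    handshake = data[5:5 + record_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello (handshake type %#x)" % handshake[0])
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    handshake_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                          # skip client_version and Random
    pos += 1 + body[pos]                                  # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {
        "record_version": record_version,
        "handshake_version": handshake_version,
        "cipher_suites": suites,
    }


def offered_version(data):
    """The version the client actually offers is client_version in the handshake body.
    The record-layer version is only the framing; a 0x0301 record header around a
    0x0303 ClientHello is a valid TLS 1.2 hello, not a downgrade."""
    return parse_client_hello(data)["handshake_version"]


def meets_policy(data, minimum=0x0303):
    """True when the client offers at least `minimum` (TLS 1.2 by default)."""
    return offered_version(data) >= minimum


if __name__ == "__main__":
    # Sample mirroring the capture: record layer TLS 1.0, handshake body TLS 1.2.
    hello = build_client_hello(0x0301, 0x0303,
                               [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384])
    info = parse_client_hello(hello)
    print("record layer :", VERSION_NAMES[info["record_version"]])
    print("client_version:", VERSION_NAMES[info["handshake_version"]])
    print("meets TLS1.2 policy:", meets_policy(hello))
```

When checking a real capture rather than constructed bytes, the same two fields can be pulled out of tshark directly, for example with `-T fields -e ssl.record.version -e ssl.handshake.version` on the Wireshark 2.x field names this tshark uses (field names for the installed version are an assumption to verify with `tshark -G fields`); the value to compare against the `sslVersion = TLSv1.2` policy is the handshake one.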