So I've configured my stunnel to only use TLS1.2  and usually works ok. However when client gets some bad L7 response it send a TCP RST, after which all subsequent stunnel TLS Client Hellos are some hybrid of TLS1.0/TLS1.2, as can be seen in tshark output below. Once I restart the whole stunnel process subsequent TLS handshakes work fine using TLS1.2, until the next client RST is received.

$ stunnel -version
stunnel 4.56 on x86_64-redhat-linux-gnu platform

$ cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)

$cat /etc/stunnel/dsr2rtcg-stunnel.conf
output = /var/log/stunnel
pid = /etc/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[poc]
cert = /etc/pki/tls/certs/stunnel/aaa.crt
key = /etc/pki/tls/private/stunnel/aaa.key
CAfile = /etc/pki/tls/certs/stunnel/bbb.crt
client = yes
sslVersion = TLSv1.2
options = NO_TLSv1
accept = 172.18.180.78:45154
connect = 10.74.0.196:45154
ciphers = TLSv1.2+HIGH:!aNULL


$ tshark -nn -V -d tcp.port==45154,ssl -r 20200729_09:42:44-port45154.pcap -2R "ssl.handshake" -c 1 | grep -i tls -B3
Secure Sockets Layer
    SSL Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
--
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 1610
            Version: TLS 1.2 (0x0303)