Thanks for the fantastic answer, Rob. Yes, it works for me. With sslVersion, you select all protocols and then, with options, you selectively disable the protocols you don't want. This works like a charm; it is even easy for me to automate the config generation.
Thank you. Madhava
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Rob Lockhart Sent: Saturday, July 11, 2015 12:58 AM To: stunnel-users@stunnel.org Subject: Re: [stunnel-users] help on options and sslversion
On Wed, Jul 8, 2015 at 7:56 AM, Madhava Gaikwad (madgaikw) <madgaikw@cisco.com> wrote:
I am using stunnel version 5.03. I want to understand how the config options "sslVersion" and "options" work. The problem I am trying to solve is: I want to enable only particular SSL connect methods, for example SSLv3 and TLSv1.2. I am not able to do it.
For me if I do below setting:
Options = all
Option = NO_SSLv2
Option = NO_SSLv3
Option = NO_TLSv1
Option = NO_TLSv1.1
Option = NO_TLSv1.2
Still I see all methods are being enabled. I removed Option = all, but no effect. What is expected behavior?
Also, sslVersion seems to enable either one particular SSL version, or else all the versions. So I am wondering what the escape mechanism can be. Any help will be highly appreciated.
I cannot comment on such an old version of Stunnel (5.03 - Version 5.03, 2014.08.07 - nearly a year old!! from https://www.stunnel.org/sdf_ChangeLog.html history). You really should update your Stunnel and OpenSSL version, especially if you're using the insecure OpenSSL versions.
I asked a similar question in the past, and Mike said that the above should work for allowing multiple versions. Try this, from the https://www.stunnel.org/static/stunnel.html man page:

sslVersion = all
options = NO_SSLv2
options = NO_TLSv1
options = NO_TLSv1.1
That should only allow SSLv3 and TLSv1.2 and disallow the other three above. I did test this (i.e., enabling the ones "turned off" in the client) and it does indeed work. See what Mike said at the following URL: http://www.stunnel.org/pipermail/stunnel-users/2015-March/004985.html
Be sure that you're looking in the right place... there's "enabled by software" and then "enabled by configuration"... the config can limit the software.
NOTE: The old posts can be searched here: http://www.stunnel.org/pipermail/stunnel-users/
-Rob
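To sanity-check a generated stunnel config before deploying it, the small model below (an added example, not stunnel's own code) applies the rule from Rob's answer: sslVersion = all enables every protocol version and each options = NO_<version> line removes one. It assumes the default sslVersion is "all", that key names are matched case-insensitively, and that only the keys sslVersion and options affect protocol selection; any other key is reported so a typo such as "Option" cannot silently leave everything enabled.

```python
import re

# Protocol versions as spelled in stunnel's NO_* options (assumed complete for 5.x).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def effective_protocols(config_text):
    """Return (set of enabled versions, list of warnings) for a config fragment."""
    enabled = set(ALL_PROTOCOLS)   # assumed default: sslVersion = all
    warnings = []
    for raw in config_text.splitlines():
        # stunnel treats ';' and '#' as comment markers
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key_lc = key.lower()
        if key_lc == "sslversion":
            if value.lower() == "all":
                enabled = set(ALL_PROTOCOLS)
            elif value in ALL_PROTOCOLS:
                enabled = {value}      # a single version enables only that one
            else:
                warnings.append("unknown sslVersion value: %s" % value)
        elif key_lc == "options":
            m = re.fullmatch(r"NO_(SSLv2|SSLv3|TLSv1(?:\.[12])?)", value)
            if m:
                enabled.discard(m.group(1))
            elif value.lower() == "all":
                pass   # OpenSSL bug-workaround set, not a protocol switch
            else:
                warnings.append("unrecognised options value: %s" % value)
        else:
            # Mis-spelled keys (e.g. "Option") do not touch the protocol set
            warnings.append("key is not sslVersion/options, ignored: %s" % key)
    return enabled, warnings

if __name__ == "__main__":
    # Constructed sample: the form recommended in the thread
    sample = "sslVersion = all\noptions = NO_SSLv2\noptions = NO_TLSv1\noptions = NO_TLSv1.1\n"
    print(effective_protocols(sample))   # ({'SSLv3', 'TLSv1.2'}, [])
```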