Thanks for the fantastic answer Rob. Yes it works for me. With SSLversion,  you select all protocols and then with options, you selectively disable protocols you don’t wanted. This works like charm, even easy for me to automate the config generation.

 

Thank you.

Madhava

 

From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Rob Lockhart
Sent: Saturday, July 11, 2015 12:58 AM
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] help on options and sslversion

 

On Wed, Jul 8, 2015 at 7:56 AM, Madhava Gaikwad (madgaikw) <madgaikw@cisco.com> wrote:
>
>
> I am using stunnel 5.03 version. I want to understand how the config option “sslVersion “ and “options ” works.
> The problem I am trying to solve is: I want to enable say only particular ssl connect methods, for example sslv3 and TLs1.2. I am not able to do it.
>
> For me if I do below setting:
>
> Options = all
> Option = NO_SSLv2
> Option = NO_SSLv3
> Option = NO_TLSv1
> Option = NO_TLSv1.1
> Option = NO_TLSv1.2
>
> Still I see all methods are being enabled. I removed Option = all, but no effect. What is expected behavior?
>
> Also, the sslVersion seems enables either particular sslversion, or else all the versions. So wondering what can be the escape mechanism. Any help will be highly appreciated.

I cannot comment on such an old version of Stunnel (5.03 - Version 5.03, 2014.08.07 - nearly a year old!! from https://www.stunnel.org/sdf_ChangeLog.html history). You really should update your Stunnel and OpenSSL version, especially if you're using the insecure OpenSSL versions.

 

I asked a similar question in the past, and Mike said that the above should work for allowing multiple versions. Try this, from https://www.stunnel.org/static/stunnel.html man page:

sslVersion = all

options = NO_SSLv2

options = NO_TLSv1

options = NO_TLSv1.1

 

That should only allow SSLv3 and TLSv1.2 and disallow the other three above. I did test this (i.e., enabling the ones "turned off" in the client) and it does indeed work. See what Mike said at the following URL:

http://www.stunnel.org/pipermail/stunnel-users/2015-March/004985.html

 

Be sure that you're looking in the right place... there's "enabled by software" and then "enabled by configuration"... the config can limit the software.

 

NOTE: The old posts can be searched here:

http://www.stunnel.org/pipermail/stunnel-users/

 

 -Rob