Hi all:

 

Base on this link https://www.stunnel.org/sdf_ChangeLog.html, to make TLS 1.2 work, I need to put stunnel in FIPS enable mode.

 

In stunnel config file, I have following to enable FIPS mode and select TLS 1.2.

sslVersion=TLSv1.2

FIPS = yes

 

But when my TLS 1.2 client send “client hello” with version TLS 1.2  to stunnel, stunnel still send “server hello” with TLS 1.0 back. Could somebody help on why stunnel does not support TLS 1.2 ?  

 

My stunnel is verstion 5.02, compiled with latest OpenSSL version 1.0.1h FIPS mode library.

 

Following is the log file:

 

###################

2014.06.19 11:09:13 LOG7[15491]: Clients allowed=500

2014.06.19 11:09:13 LOG5[15491]: stunnel 5.02 on i686-pc-linux-gnu platform

2014.06.19 11:09:13 LOG5[15491]: Compiled with OpenSSL 1.1.0-fips-dev xx XXX xxxx

2014.06.19 11:09:13 LOG5[15491]: Running  with OpenSSL 1.0.1h-fips 5 Jun 2014

2014.06.19 11:09:13 LOG5[15491]: Update OpenSSL shared libraries or rebuild stunnel

2014.06.19 11:09:13 LOG5[15491]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP

2014.06.19 11:09:13 LOG7[15491]: errno: (*__errno_location ())

2014.06.19 11:09:13 LOG5[15491]: Reading configuration from file stunnel.K.tacacs+.conf

2014.06.19 11:09:13 LOG5[15491]: FIPS mode enabled ##################FIPS mode enabled############

2014.06.19 11:09:13 LOG7[15491]: Compression disabled

2014.06.19 11:09:13 LOG7[15491]: Snagged 64 random bytes from /root/.rnd

2014.06.19 11:09:13 LOG7[15491]: Wrote 1024 new random bytes to /root/.rnd

2014.06.19 11:09:13 LOG7[15491]: PRNG seeded successfully

2014.06.19 11:09:13 LOG6[15491]: Initializing service [encrypted_tacplus]

2014.06.19 11:09:13 LOG6[15491]: Loading cert from file: /tftpboot/cacert-hyu.pem

2014.06.19 11:09:13 LOG6[15491]: Loading key from file: /tftpboot/privkey-hyu.pem

2014.06.19 11:09:13 LOG4[15491]: Insecure file permissions on /tftpboot/privkey-hyu.pem

2014.06.19 11:09:13 LOG7[15491]: Private key check succeeded

2014.06.19 11:09:13 LOG7[15491]: DH initialization

2014.06.19 11:09:13 LOG7[15491]: Could not load DH parameters from /tftpboot/cacert-hyu.pem

2014.06.19 11:09:13 LOG7[15491]: Using hardcoded DH parameters

2014.06.19 11:09:13 LOG7[15491]: DH initialized with 2048-bit key

2014.06.19 11:09:13 LOG7[15491]: ECDH initialization

2014.06.19 11:09:13 LOG7[15491]: ECDH initialized with curve prime256v1

2014.06.19 11:09:13 LOG7[15491]: SSL options set: 0x00000004

2014.06.19 11:09:13 LOG5[15491]: Configuration successful

2014.06.19 11:09:13 LOG7[15491]: Service [encrypted_tacplus] (FD=7) bound to 0.0.0.0:2249

2014.06.19 11:09:14 LOG7[15491]: No pid file being created

 

2014.06.19 11:17:52 LOG7[15506]: Service [encrypted_tacplus] accepted (FD=3) from 10.25.105.82:636

2014.06.19 11:17:52 LOG7[15509]: Service [encrypted_tacplus] started

2014.06.19 11:17:52 LOG5[15509]: Service [encrypted_tacplus] accepted connection from 10.25.105.82:636

2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): before/accept initialization

2014.06.19 11:17:52 LOG7[15509]: SNI: no virtual services defined

2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 read client hello B          ##########wireshark shows “client hello” version is TLS1.2, stunnel log shows it is TLS1.0.  

2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server hello A

2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write certificate A

2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write key exchange A

2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server done A

2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 flush data

2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read client key exchange A

2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read finished A

2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write change cipher spec A

2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write finished A

2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 flush data

2014.06.19 11:17:55 LOG7[15509]:    1 items in the session cache

2014.06.19 11:17:55 LOG7[15509]:    0 client connects (SSL_connect())

2014.06.19 11:17:55 LOG7[15509]:    0 client connects that finished

2014.06.19 11:17:55 LOG7[15509]:    0 client renegotiations requested

2014.06.19 11:17:55 LOG7[15509]:    1 server connects (SSL_accept())

2014.06.19 11:17:55 LOG7[15509]:    1 server connects that finished

2014.06.19 11:17:55 LOG7[15509]:    0 server renegotiations requested

2014.06.19 11:17:55 LOG7[15509]:    0 session cache hits

2014.06.19 11:17:55 LOG7[15509]:    0 external session cache hits

2014.06.19 11:17:55 LOG7[15509]:    1 session cache misses

2014.06.19 11:17:55 LOG7[15509]:    0 session cache timeouts

2014.06.19 11:17:55 LOG6[15509]: No peer certificate received

2014.06.19 11:17:55 LOG6[15509]: SSL accepted: new session negotiated

2014.06.19 11:17:55 LOG6[15509]: Negotiated TLSv1/SSLv3 ciphersuite: DHE-RSA-AES128-SHA (128-bit encryption) ##############negotiated as TLS1.0

2014.06.19 11:17:55 LOG6[15509]: Compression: null, expansion: null

2014.06.19 11:17:55 LOG6[15509]: s_connect: connecting 127.0.0.1:2250

2014.06.19 11:17:55 LOG7[15509]: s_connect: s_poll_wait 127.0.0.1:2250: waiting 10 seconds

2014.06.19 11:17:55 LOG5[15509]: s_connect: connected 127.0.0.1:2250

2014.06.19 11:17:55 LOG5[15509]: Service [encrypted_tacplus] connected remote server from 127.0.0.1:47369

2014.06.19 11:17:55 LOG7[15509]: Remote socket (FD=8) initialized