I'll bite - probably missing something. Why not have your application output clear text to stunnel and set stunnel to TLSv1.2? In other words, drop the SSL from your application.
If that won't work I think you can do it with two stunnels (I got it to work once before I did the above). One accepts SSLv3 and outputs clear text ... it is the client=no option. The output goes to a stunnel that is client=yes and is set to TLSv1.2 ... which outputs to your final destination.
The output from the client=no would be to localhost on some port that fires the second stunnel.
I suspect you have to use different port numbers.
All guesses as I am not sure exactly what you are doing ... but if it helps, great :)
Eric
From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Daniel Trickett
Sent: Monday, August 19, 2019 11:21 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] https to https proxy
Hi,
Our punchout vendor switched their site to only accept TLS 1.2 over the weekend. Unfortunately our application will only support SSL.
We are using stunnel with other vendors but can control the inbound host name. This recent one is one we can't manage as it is the software provider.
I found a solution for doing https to https. I'm unclear how I get the first https traffic to route to stunnel, as the initial call from the application will be to the external host.
Any thoughts on whether this would work for my situation? Appreciate any thoughts.
[Tunnel_in]
client = yes
accept = host_ip:443
connect = localhost:54321

[Tunnel_out]
client = no
accept = localhost:54321
connect = externalhostname:443
Best regards,
Dan
You may also have to hack your application server host file to redirect the name to the IP of your stunnel server.
From: stunnel-users <stunnel-users-bounces@stunnel.org> On Behalf Of Eric Eberhard
Sent: Monday, 19 August 2019 7:55 PM
To: 'Daniel Trickett' <daniel.trickett@milliporesigma.com>; stunnel-users@stunnel.org
Subject: Re: [stunnel-users] https to https proxy
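The two-service chain Eric describes, written out as an stunnel configuration. This is an added example, not part of any message in this thread. host_ip, externalhostname and port 54321 come from Dan's draft; the service names and file paths are placeholders, and it assumes an stunnel/OpenSSL build that can still negotiate SSLv3.

```ini
; Added example with placeholder names and paths; adjust before use.

; Service 1: terminates the legacy application's SSL session.
; client = no makes stunnel the TLS *server* on this side.
[legacy_in]
client = no
accept = host_ip:443
; Hand the decrypted stream to service 2 over loopback only,
; so the clear text never leaves this machine.
connect = 127.0.0.1:54321
; The application must trust this certificate for the vendor's
; host name, since its hosts file now points that name here.
cert = /etc/stunnel/legacy_in.pem
key = /etc/stunnel/legacy_in.key
; SSLv3 is disabled by default in stunnel; re-enable it for this
; one service only.
sslVersion = SSLv3
options = -NO_SSLv3

; Service 2: re-encrypts with TLS 1.2 towards the vendor.
; client = yes makes stunnel the TLS *client* on this side.
[tls12_out]
client = yes
accept = 127.0.0.1:54321
; This name must resolve to the vendor's real address. If the
; hosts-file redirect is made on the stunnel machine itself, the
; connection loops back into [legacy_in].
connect = externalhostname:443
sslVersion = TLSv1.2
; Verify the vendor's certificate chain and host name; without
; these the outbound leg is encrypted but not authenticated.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = externalhostname
```

Compared with Dan's draft, the client settings are swapped: the service the application connects to is client = no, and the one that reaches the vendor is client = yes.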