Hi,
If I use stunnel 5.44, how do I know that the protocol being used is TLS1.2? Is it the default?
Working with supplier sites which still accept 1.0/1.1, but want to make sure that I am using 1.2, as they will be disabling the older protocols.
Thanks and best regards,
Dan
This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you must not copy this message or attachment or disclose the contents to any other person. If you have received this transmission in error, please notify the sender immediately and delete the message and any attachment from your system. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept liability for any omissions or errors in this message which may arise as a result of E-Mail-transmission or for damages resulting from any unauthorized changes of the content of this message and any attachment thereto. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not guarantee that this message is free of viruses and does not accept liability for any damages caused by any virus transmitted therewith.
Click http://www.emdgroup.com/emd/imprint/mail_disclaimer.html to access the German, French, Spanish and Portuguese versions of this disclaimer.
Hi,
Look at the documentation: https://www.stunnel.org/static/stunnel.html
Read the section *sslVersion*.
On Wed, Jun 27, 2018 at 4:08 PM, Daniel Trickett <daniel.trickett@emdmillipore.com> wrote:
Hi,
If I use stunnel 5.44, how do I know that the protocol being used is TLS1.2? Is it the default?
Working with supplier sites which still accept 1.0/1.1, but want to make sure that I am using 1.2, as they will be disabling the older protocols.
Thanks and
Best regards,
Dan
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Dan, use Wireshark, capture traffic using Stunnel, set a filter based on the destination IP (e.g., "ip.addr == 10.5.2.0/24" if it is a class C network), look for traffic with the host, and look at the "Protocol" column. For my captures, it shows "TLSv1.2" and for "Secure Sockets Layer" it shows the handshakes and ciphers as v1.2. You can drill down into the TLS exchange, from the cipher suites offered to the negotiated version; it should show "TLS 1.2".
In your config file you can specify only TLS v1.2 by: sslVersion = TLSv1.2
On my systems, it appears to negotiate at TLS v1.0 (the "Client Hello"), but the Server Hello is at TLS v1.2. Once you see the cipher suite, you can verify whether the one chosen is TLS v1.2 by using this: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet
In your Wireshark captures, look for "Cipher Suite:" in the Server Hello, and that should tell you the Cipher used, and you can infer TLS v1.2 based on the Cipher and that Cheat Sheet, and especially that Mozilla site ("cipher names correspondence table").
Regards, -Rob
On Wed, Jun 27, 2018 at 10:17 AM Daniel Trickett <daniel.trickett@emdmillipore.com> wrote:
If I use stunnel 5.44, how do I know that the protocol being used is TLS1.2? Is it the default?
Working with supplier sites which still accept 1.0/1.1, but want to make sure that I am using 1.2, as they will be disabling the older protocols.
Thanks and Best regards, Dan
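A small audit of the `sslVersion` setting, as an added example for Rob's configuration advice above (this is not stunnel's own code): a service with no `sslVersion` is left at stunnel's permissive default, where OpenSSL negotiates the highest version both peers accept, so it can still land on TLS 1.0 or 1.1 against a peer that offers only those; `sslVersion = TLSv1.2` pins it. The script applies stunnel's documented rule that a service-level option placed before the first `[service]` section is the default for every service. Both configuration texts and the host names are constructed, and treating a missing `sslVersion` as `all` is this script's assumption.

```python
"""Audit the effective sslVersion of every service in an stunnel.conf.

Added example, not stunnel's code. It follows stunnel's rule that a
service-level option written before the first [service] section is the
default for every service, so one global "sslVersion = TLSv1.2" pins them
all unless a section overrides it. Both configurations below and the host
names in them are constructed for the example.
"""
import re

# Constructed "before": no global pin, and one service explicitly on TLS 1.0.
WEAK_CONF = """\
; constructed example configuration
debug = 6
output = /var/log/stunnel.log

[supplier-a]
client = yes
accept = 127.0.0.1:8443
connect = supplier-a.example.invalid:443

[supplier-b]
client = yes
accept = 127.0.0.1:8444
connect = supplier-b.example.invalid:443
sslVersion = TLSv1
"""

# Constructed "after": a global pin plus an explicit per-service pin.
HARDENED_CONF = """\
; constructed example configuration
debug = 6
output = /var/log/stunnel.log
; global default for every service below
sslVersion = TLSv1.2

[supplier-a]
client = yes
accept = 127.0.0.1:8443
connect = supplier-a.example.invalid:443

[supplier-b]
client = yes
accept = 127.0.0.1:8444
connect = supplier-b.example.invalid:443
; explicit per-service pin (overrides the global value)
sslVersion = TLSv1.2
"""

# Assumed value when sslVersion is absent: stunnel's permissive default,
# which lets OpenSSL negotiate whatever version both peers still accept.
DEFAULT_SSL_VERSION = "all"
REQUIRED = "TLSv1.2"


def parse_stunnel_conf(text):
    """Return (global_options, {service_name: options}) from conf text.
    Lines starting with ';' or '#' are comments; '[name]' opens a service."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    return global_opts, services


def effective_ssl_version(global_opts, service_opts):
    """Service value wins, then the global value, then the assumed default."""
    return service_opts.get("sslVersion",
                            global_opts.get("sslVersion", DEFAULT_SSL_VERSION))


def audit(text):
    """Map each service to ('ok' | 'weak', effective sslVersion)."""
    global_opts, services = parse_stunnel_conf(text)
    report = {}
    for name, opts in services.items():
        version = effective_ssl_version(global_opts, opts)
        report[name] = ("ok" if version == REQUIRED else "weak", version)
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Run it against your real stunnel.conf by reading the file into `audit()`; a service reported as `weak` is one whose version is decided by whatever the remote side offers rather than by you.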
Hi,
I did capture the Wireshark log to understand the TLS flow. But my Wireshark capture just shows the packets as "TLS" and I don't see any "TLS1.2" handshakes.
1) Rsync Server enabled with TLS1.2 over Stunnel
2) Rsync Client enabled with TLS1.2 over Stunnel
I captured Wireshark traces at both ends and both of them just show the packets as "TLS". I don't see any "Client hello, cipher key message" exchanges shown in the capture. Please help.
Thanks, Sakthi
-----Original Message-----
From: stunnel-users <stunnel-users-bounces@stunnel.org> On Behalf Of Rob Lockhart
Sent: Wednesday, June 27, 2018 11:34 AM
To: Daniel Trickett <daniel.trickett@emdmillipore.com>
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] tls question
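The two observations in this thread, Rob's ClientHello that "negotiates at TLS v1.0" while the Server Hello says 1.2, and Sakthi's capture that shows nothing but "TLS", both come down to which version field one is looking at. The added example below (mine, not stunnel's or Wireshark's code) decodes the fields from constructed TLS records: the record-layer version of a ClientHello is commonly 0x0301 (TLS 1.0) for compatibility while the handshake version inside it is 0x0303 (TLS 1.2), and only the ServerHello settles what is in use. A capture that starts after the handshake contains only application_data records, which carry no negotiated-version information, which is why a trace without the Hello messages cannot answer the question; capture from the start of the connection, or consult stunnel's own log (at `debug = 6` or higher it records the negotiated protocol and cipher suite per connection, as I recall from stunnel 5.x; check your build's output). Going beyond the thread, the decoder also reads the TLS 1.3 supported_versions extension (RFC 8446), where the legacy ServerHello field still says TLS 1.2. All byte strings and the all-zero random are constructed for the example.

```python
"""Decode the version fields of captured TLS records.

Added example, not stunnel's or Wireshark's code. The record version of a
ClientHello is often 0x0301 (TLS 1.0) while its handshake version is
0x0303 (TLS 1.2); the ServerHello decides the version in use, and for
TLS 1.3 that decision sits in the supported_versions extension.
All byte strings here are constructed.
"""
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CONTENT = {0x14: "change_cipher_spec", 0x15: "alert",
           0x16: "handshake", 0x17: "application_data"}
# A few IANA cipher suite code points (0xC030 exists only from TLS 1.2 on).
CIPHERS = {0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
           0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
           0x1302: "TLS_AES_256_GCM_SHA384"}
SUPPORTED_VERSIONS = 43          # extension type number, RFC 8446


def _extensions(buf):
    """Yield (type, data) from a length-prefixed extensions block."""
    if len(buf) < 2:
        return
    pos, end = 2, 2 + struct.unpack("!H", buf[:2])[0]
    while pos < end:
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        yield ext_type, buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len


def decode_record(rec):
    """Describe one TLS record; Hello messages get their version fields."""
    ctype, rec_ver, length = struct.unpack("!BHH", rec[:5])
    out = {"content": CONTENT.get(ctype, "unknown"),
           "record_version": VERSIONS.get(rec_ver, hex(rec_ver))}
    if ctype != 0x16:                       # not a handshake record
        return out
    body = rec[5:5 + length]
    msg_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    hs_ver = struct.unpack("!H", hs[:2])[0]
    out["handshake_version"] = VERSIONS.get(hs_ver, hex(hs_ver))
    pos = 35 + hs[34]                       # skip version, random, session id
    if msg_type == 1:                       # ClientHello: what was offered
        out["message"] = "ClientHello"
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        suites = struct.unpack("!%dH" % (n // 2), hs[pos + 2:pos + 2 + n])
        out["offered"] = [CIPHERS.get(s, hex(s)) for s in suites]
    elif msg_type == 2:                     # ServerHello: what was chosen
        out["message"] = "ServerHello"
        suite = struct.unpack("!H", hs[pos:pos + 2])[0]
        out["cipher_suite"] = CIPHERS.get(suite, hex(suite))
        exts = dict(_extensions(hs[pos + 3:]))   # after suite + compression
        sv = exts.get(SUPPORTED_VERSIONS)        # TLS 1.3 puts the answer here
        chosen = struct.unpack("!H", sv)[0] if sv else hs_ver
        out["negotiated"] = VERSIONS.get(chosen, hex(chosen))
    return out


def negotiated_version(records):
    """Scan records in capture order; only a ServerHello settles the version.
    Returns None when none is present (capture started after the handshake)."""
    for rec in records:
        info = decode_record(rec)
        if info.get("message") == "ServerHello":
            return info["negotiated"]
    return None


# Constructed sample records (not from a real capture).
def _record(ctype, rec_ver, payload):
    return struct.pack("!BHH", ctype, rec_ver, len(payload)) + payload


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


RANDOM = bytes(32)       # placeholder for the 32 random bytes of a real Hello


def client_hello(hs_ver, suites):
    body = (struct.pack("!H", hs_ver) + RANDOM + b"\x00"      # empty session id
            + struct.pack("!H", 2 * len(suites))
            + struct.pack("!%dH" % len(suites), *suites)
            + b"\x01\x00" + b"\x00\x00")                     # null compression, no extensions
    return _record(0x16, 0x0301, _handshake(1, body))         # TLS 1.0 record version


def server_hello(hs_ver, suite, selected=None):
    body = struct.pack("!H", hs_ver) + RANDOM + b"\x00" + struct.pack("!H", suite) + b"\x00"
    ext = b"" if selected is None else struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected)
    return _record(0x16, 0x0303, _handshake(2, body + struct.pack("!H", len(ext)) + ext))


SAMPLE_CLIENT_HELLO = client_hello(0x0303, [0xC030, 0xC014])
SAMPLE_SERVER_HELLO = server_hello(0x0303, 0xC030)
SAMPLE_SERVER_HELLO_13 = server_hello(0x0303, 0x1302, selected=0x0304)
SAMPLE_APP_DATA = _record(0x17, 0x0303, bytes(8))

if __name__ == "__main__":
    for rec in (SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO, SAMPLE_SERVER_HELLO_13, SAMPLE_APP_DATA):
        print(decode_record(rec))
    print(negotiated_version([SAMPLE_APP_DATA]))   # None: handshake not captured
```

To apply it to a real trace, feed the raw TLS record bytes of the session (exported from the capture tool, in order) to `negotiated_version()`; a `None` result means the Hello messages are missing from the capture, not that the peer failed to use TLS 1.2.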