Hello all:
I'm running Stunnel 4.52 under WinXP SP3.
Last night I had some questions about how the cipher list in Stunnel interacts with the cipher negotiation routine between client and server, so I did some experiments in an attempt to address those questions.
In the course of doing so, I noticed that, if I attempt to load certain ciphers, Stunnel would stall at configuration load.
Using OpenSSL to list TLS ciphers with 4.52's libraries yields the following:
~~~~~~~~~~~~~~~~~~~~~
C:\Program Files\stunnel>openssl ciphers -v -tls1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export
C:\Program Files\stunnel>
~~~~~~~~~~~~~~~~~~~~~
As such, ciphers RC4-SHA and RC4-MD5 appear to be valid. However, any attempt at using those in client mode causes Stunnel to stall when reading the cipher from stunnel.conf:
~~~~~~~~~~~~~~~~~~~~~
2012.03.08 20:17:10 LOG5[432:592]: Reading configuration from file stunnel.conf
2012.03.08 20:17:10 LOG5[432:592]: FIPS mode is enabled
2012.03.08 20:17:10 LOG7[432:592]: Compression not enabled
2012.03.08 20:17:10 LOG7[432:592]: Snagged 64 random bytes from C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: Wrote 1024 new random bytes to C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: PRNG seeded successfully
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service nntps.1
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from peer-nntps.1.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.1.pem revocation lookup file
2012.03.08 20:17:10 LOG7[432:592]: SSL options set: 0x00000004
2012.03.08 20:17:10 LOG6[432:592]: SSL context initialized
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service nntps.2
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from peer-nntps.2.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.2.pem revocation lookup file
2012.03.08 20:17:10 LOG3[432:592]: SSL_CTX_set_cipher_list: 1410D0B9: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
2012.03.08 20:17:10 LOG3[432:592]: Failed to reload the configuration file
2012.03.08 20:17:10 LOG7[432:592]: Signal pipe is empty
~~~~~~~~~~~~~~~~~~~~
This is the relevant snippet from my stunnel.conf file:
~~~~~~~~~~~~~~~~~~~~
debug = 7
delay = yes
output = stunnel.log

[nntps.1]
client = yes
sslVersion = TLSv1
ciphers = DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
cafile = peer-nntps.1.pem
verify = 4
accept = 127.0.1.1:119
connect = news.server.com:443

[nntps.2]
client = yes
sslVersion = TLSv1
ciphers = RC4-SHA
cafile = peer-nntps.2.pem
verify = 4
accept = 127.0.1.2:119
connect = news.server.org:563
~~~~~~~~~~~~~~~~~~~~
Any attempt at using ciphers RC4-SHA or RC4-MD5, with or without TLS specified, results in the same configuration crash.
I don't really need to use those ciphers, but since I observed this behavior, I thought I'd better report it.
Any comments welcome.
Regards;
Thomas
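Added example, not code from the thread or from the stunnel project: stunnel hands each service's ciphers string to SSL_CTX_set_cipher_list(), and the "no cipher match" error above means nothing in that string resolved to a cipher the library could offer. Python's ssl module exposes the same OpenSSL call as SSLContext.set_ciphers(), so a stunnel.conf can be linted against the local OpenSSL build before a reload is attempted. The config text is the one posted above, embedded as sample input; the parser only handles the key = value and [section] forms. What the check cannot reproduce is the FIPS restriction that the log line "FIPS mode is enabled" hints at and the reply at the end of the thread confirms: a build running in FIPS mode rejects non-approved algorithms such as RC4 even though openssl ciphers lists them.

```python
"""Lint stunnel-style cipher lists against the local OpenSSL build.

SSLContext.set_ciphers() is Python's wrapper around SSL_CTX_set_cipher_list(),
the call that failed with "no cipher match" in the stunnel log.
"""
import ssl

# Constructed stand-in for the stunnel.conf posted in the thread.
SAMPLE_CONF = """\
debug = 7
delay = yes
output = stunnel.log

[nntps.1]
client = yes
sslVersion = TLSv1
ciphers = DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
cafile = peer-nntps.1.pem
verify = 4
accept = 127.0.1.1:119
connect = news.server.com:443

[nntps.2]
client = yes
sslVersion = TLSv1
ciphers = RC4-SHA
cafile = peer-nntps.2.pem
verify = 4
accept = 127.0.1.2:119
connect = news.server.org:563
"""


def parse_stunnel_conf(text):
    """Minimal parser: {section: {key: value}}, global options under None.
    Only 'key = value' lines and '[section]' headers are handled; ';' starts
    a comment, as in stunnel.conf."""
    sections = {None: {}}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_cipher_list(cipher_string):
    """Return the cipher names the local OpenSSL resolves the string to, or []
    when SSL_CTX_set_cipher_list() would fail with 'no cipher match'.
    TLS 1.3 suites are controlled by a separate setting and are filtered out
    so the result mirrors what the cipher string actually selected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_conf(text):
    """Map every service that sets 'ciphers' to its resolved cipher names.
    An empty list marks a service whose configuration reload would fail."""
    report = {}
    for service, options in parse_stunnel_conf(text).items():
        if service is None or "ciphers" not in options:
            continue
        report[service] = resolve_cipher_list(options["ciphers"])
    return report


if __name__ == "__main__":
    for service, ciphers in check_conf(SAMPLE_CONF).items():
        status = ", ".join(ciphers) if ciphers else "NO CIPHER MATCH (reload would fail)"
        print(f"[{service}] {status}")
```

Run it on the machine that will execute stunnel, since the answer depends on that host's OpenSSL build and its FIPS and security-level settings, not on the machine where the config was written.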
Update:
I uninstalled version 4.52, then reinstalled version 4.47. RC4-SHA cipher now works correctly, with the same stunnel.conf.
~~~~~~~~~~~~~~~~~~~~~~
2012.03.08 23:36:50 LOG5[420:580]: stunnel 4.47 on x86-pc-mingw32-gnu platform
2012.03.08 23:36:50 LOG5[420:580]: Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
2012.03.08 23:36:50 LOG5[420:580]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT,IPv6
2012.03.08 23:36:50 LOG5[420:580]: Reading configuration from file stunnel.conf
2012.03.08 23:36:50 LOG6[420:580]: Initializing SSL context for service nntps.1
2012.03.08 23:36:50 LOG6[420:580]: SSL context initialized
2012.03.08 23:36:50 LOG6[420:580]: Initializing SSL context for service nntps.2
2012.03.08 23:36:50 LOG6[420:580]: SSL context initialized
2012.03.08 23:36:50 LOG5[420:580]: Configuration successful
2012.03.08 23:37:08 LOG5[420:2804]: Service nntps.2 accepted connection from 127.0.1.2:1033
2012.03.08 23:37:08 LOG6[420:2804]: connect_blocking: connecting 88.198.244.100:563
2012.03.08 23:37:09 LOG5[420:2804]: connect_blocking: connected 88.198.244.100:563
2012.03.08 23:37:09 LOG5[420:2804]: Service nntps.2 connected remote server from 173.89.4.172:1034
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=2, /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=1, /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
2012.03.08 23:37:09 LOG6[420:2804]: CERT: Locally installed certificate matched
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=0, /description=436134-bRSt8Rml1Sum890r/CN=news.eternal-september.org/emailAddress=wolfgang@weyand-hg.de
2012.03.08 23:37:09 LOG6[420:2804]: SSL connected: new session negotiated
2012.03.08 23:37:09 LOG6[420:2804]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.03.08 23:37:20 LOG6[420:2804]: SSL_shutdown successfully sent close_notify
2012.03.08 23:37:20 LOG5[420:2804]: Connection closed: 1251 bytes sent to SSL, 1861 bytes sent to socket
Regards;
Thomas
On 3/8/2012 8:44 PM, Thomas Eifert wrote:
Parting thoughts.
One of the striking differences between version 4.47 and 4.52, in my experience, is that version 4.47 does not negotiate for strong ciphers in client mode with a "plain vanilla" stunnel.conf. With 4.47, if I do not specify which ciphers to use, the session always uses a 128-bit cipher. Even if I specify sslVersion = TLSv1 in stunnel.conf, the session still defaults to something like RC4-SHA. When I first observed this behavior, it didn't make sense to me.
From Wiki on TLS:
[quote]
The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and presents a list of supported cipher suites (ciphers and hash functions).
From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of the decision.
[/quote]
Which is not what was happening. All of the servers I connect to support 256-bit ciphers, but I wasn't getting that level of encryption until I specifically told Stunnel which ciphers to use.
With version 4.52, I don't have to specify any ciphers at all in stunnel.conf. I always end up with strong encryption, even without sslVersion = TLSv1 .
In any case, things are back up and working as expected once again. I think I'll call it a night.
To all of Stunnel's developers/contributors.. thanks for making this great utility available. What a fantastic learning experience this has been.
Regards;
Thomas
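Added example, not code from the thread or from stunnel or OpenSSL: a small model of how a TLS server of this era actually picks a cipher suite, written to illustrate why the Wikipedia description quoted above ("the server picks the strongest cipher") does not match what the log showed. The server walks a preference list in order, either its own or the client's, and takes the first suite both sides support; no strength ranking is involved, so a server that lists RC4-SHA first will hand a client offering everything an RC4-SHA session. The client lists come from the stunnel.conf posted earlier; the server preference list is a constructed assumption, not a measurement of any real server.

```python
"""Order-based cipher-suite selection, as a TLS server of the SSLv3/TLS 1.0
era performs it. Simplified model for this thread; not stunnel/OpenSSL code.
"""

# Client offers taken from the thread's stunnel.conf.
CLIENT_EXPLICIT = ["DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA"]
CLIENT_RC4_ONLY = ["RC4-SHA"]
# Constructed stand-in for a client with no 'ciphers =' line: a broad list
# in the order the client happens to send it.
CLIENT_DEFAULT = ["AES256-SHA", "DHE-RSA-AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]
# Assumed server preference order (constructed). RC4 first is enough to
# produce the "always 128-bit" behaviour described in the thread.
SERVER_PREFERENCE = ["RC4-SHA", "AES128-SHA", "AES256-SHA", "DHE-RSA-AES256-SHA"]


def select_cipher(client_offer, server_supported, server_preference=True):
    """Return the suite the server would put in ServerHello, or None when no
    suite is common to both lists (the server then aborts the handshake).

    server_preference=True walks the server's list in its own order; False
    honours the client's order instead. Neither mode looks at key sizes."""
    if server_preference:
        ordered, other = server_supported, set(client_offer)
    else:
        ordered, other = client_offer, set(server_supported)
    for suite in ordered:
        if suite in other:
            return suite
    return None


def negotiation_table(server_supported):
    """Summarise the outcome for each client list against one server, in both
    preference modes; used to compare the thread's configurations."""
    clients = {
        "default (no ciphers line)": CLIENT_DEFAULT,
        "AES256 only": CLIENT_EXPLICIT,
        "RC4-SHA only": CLIENT_RC4_ONLY,
    }
    return {
        name: {
            "server order": select_cipher(offer, server_supported, True),
            "client order": select_cipher(offer, server_supported, False),
        }
        for name, offer in clients.items()
    }


if __name__ == "__main__":
    for name, outcome in negotiation_table(SERVER_PREFERENCE).items():
        print(f"{name:28s} server order -> {outcome['server order']!s:20s} "
              f"client order -> {outcome['client order']}")
```

The model also shows the defensive consequence: pinning the client side to a short list of suites (as the nntps.1 service does) is the only lever a client has against a server that prefers weak suites, and a list the server cannot meet at all ends in a failed handshake rather than a weaker fallback.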
On 3/8/2012 11:40 PM, Thomas Eifert wrote:
Thomas Eifert kxkvi@wi.rr.com wrote:
Even if I specify sslVersion = TLSv1 in stunnel.conf, the session still defaults to something like RC4-SHA. When I first observed this behavior, it didn't make sense to me.
Hi Thomas,
To be able to use non-FIPS-approved algorithms use: fips = no
Mike