Hi all:
Base on this link https://www.stunnel.org/sdf_ChangeLog.html, to make TLS 1.2 work, I need to put stunnel in FIPS enable mode.
In stunnel config file, I have following to enable FIPS mode and select TLS 1.2. sslVersion=TLSv1.2 FIPS = yes
But when my TLS 1.2 client send "client hello" with version TLS 1.2 to stunnel, stunnel still send "server hello" with TLS 1.0 back. Could somebody help on why stunnel does not support TLS 1.2 ?
My stunnel is verstion 5.02, compiled with latest OpenSSL version 1.0.1h FIPS mode library.
Following is the log file:
################### 2014.06.19 11:09:13 LOG7[15491]: Clients allowed=500 2014.06.19 11:09:13 LOG5[15491]: stunnel 5.02 on i686-pc-linux-gnu platform 2014.06.19 11:09:13 LOG5[15491]: Compiled with OpenSSL 1.1.0-fips-dev xx XXX xxxx 2014.06.19 11:09:13 LOG5[15491]: Running with OpenSSL 1.0.1h-fips 5 Jun 2014 2014.06.19 11:09:13 LOG5[15491]: Update OpenSSL shared libraries or rebuild stunnel 2014.06.19 11:09:13 LOG5[15491]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP 2014.06.19 11:09:13 LOG7[15491]: errno: (*__errno_location ()) 2014.06.19 11:09:13 LOG5[15491]: Reading configuration from file stunnel.K.tacacs+.conf 2014.06.19 11:09:13 LOG5[15491]: FIPS mode enabled ##################FIPS mode enabled############ 2014.06.19 11:09:13 LOG7[15491]: Compression disabled 2014.06.19 11:09:13 LOG7[15491]: Snagged 64 random bytes from /root/.rnd 2014.06.19 11:09:13 LOG7[15491]: Wrote 1024 new random bytes to /root/.rnd 2014.06.19 11:09:13 LOG7[15491]: PRNG seeded successfully 2014.06.19 11:09:13 LOG6[15491]: Initializing service [encrypted_tacplus] 2014.06.19 11:09:13 LOG6[15491]: Loading cert from file: /tftpboot/cacert-hyu.pem 2014.06.19 11:09:13 LOG6[15491]: Loading key from file: /tftpboot/privkey-hyu.pem 2014.06.19 11:09:13 LOG4[15491]: Insecure file permissions on /tftpboot/privkey-hyu.pem 2014.06.19 11:09:13 LOG7[15491]: Private key check succeeded 2014.06.19 11:09:13 LOG7[15491]: DH initialization 2014.06.19 11:09:13 LOG7[15491]: Could not load DH parameters from /tftpboot/cacert-hyu.pem 2014.06.19 11:09:13 LOG7[15491]: Using hardcoded DH parameters 2014.06.19 11:09:13 LOG7[15491]: DH initialized with 2048-bit key 2014.06.19 11:09:13 LOG7[15491]: ECDH initialization 2014.06.19 11:09:13 LOG7[15491]: ECDH initialized with curve prime256v1 2014.06.19 11:09:13 LOG7[15491]: SSL options set: 0x00000004 2014.06.19 11:09:13 LOG5[15491]: Configuration successful 2014.06.19 11:09:13 LOG7[15491]: Service [encrypted_tacplus] (FD=7) bound to 0.0.0.0:2249 2014.06.19 11:09:14 LOG7[15491]: No pid file being created
2014.06.19 11:17:52 LOG7[15506]: Service [encrypted_tacplus] accepted (FD=3) from 10.25.105.82:636 2014.06.19 11:17:52 LOG7[15509]: Service [encrypted_tacplus] started 2014.06.19 11:17:52 LOG5[15509]: Service [encrypted_tacplus] accepted connection from 10.25.105.82:636 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): before/accept initialization 2014.06.19 11:17:52 LOG7[15509]: SNI: no virtual services defined 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 read client hello B ##########wireshark shows "client hello" version is TLS1.2, stunnel log shows it is TLS1.0. 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server hello A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write certificate A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write key exchange A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 write server done A 2014.06.19 11:17:52 LOG7[15509]: SSL state (accept): SSLv3 flush data 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read client key exchange A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 read finished A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write change cipher spec A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 write finished A 2014.06.19 11:17:55 LOG7[15509]: SSL state (accept): SSLv3 flush data 2014.06.19 11:17:55 LOG7[15509]: 1 items in the session cache 2014.06.19 11:17:55 LOG7[15509]: 0 client connects (SSL_connect()) 2014.06.19 11:17:55 LOG7[15509]: 0 client connects that finished 2014.06.19 11:17:55 LOG7[15509]: 0 client renegotiations requested 2014.06.19 11:17:55 LOG7[15509]: 1 server connects (SSL_accept()) 2014.06.19 11:17:55 LOG7[15509]: 1 server connects that finished 2014.06.19 11:17:55 LOG7[15509]: 0 server renegotiations requested 2014.06.19 11:17:55 LOG7[15509]: 0 session cache hits 2014.06.19 11:17:55 LOG7[15509]: 0 external session cache hits 2014.06.19 11:17:55 LOG7[15509]: 1 session cache misses 2014.06.19 11:17:55 LOG7[15509]: 0 session cache timeouts 2014.06.19 11:17:55 LOG6[15509]: No peer certificate received 2014.06.19 11:17:55 LOG6[15509]: SSL accepted: new session negotiated 2014.06.19 11:17:55 LOG6[15509]: Negotiated TLSv1/SSLv3 ciphersuite: DHE-RSA-AES128-SHA (128-bit encryption) ##############negotiated as TLS1.0 2014.06.19 11:17:55 LOG6[15509]: Compression: null, expansion: null 2014.06.19 11:17:55 LOG6[15509]: s_connect: connecting 127.0.0.1:2250 2014.06.19 11:17:55 LOG7[15509]: s_connect: s_poll_wait 127.0.0.1:2250: waiting 10 seconds 2014.06.19 11:17:55 LOG5[15509]: s_connect: connected 127.0.0.1:2250 2014.06.19 11:17:55 LOG5[15509]: Service [encrypted_tacplus] connected remote server from 127.0.0.1:47369 2014.06.19 11:17:55 LOG7[15509]: Remote socket (FD=8) initialized
-
Hui Yu