Hi there,
I have a problem (maybe with understanding) with stunnel.
I'm using the newest version 5.70 but had this also with 5.66 and 5.69. My goal was to access an Exchange server IIS (on port 443, which understands only TLS1.1 and below) with TLS1.2 and above.
I was able to achieve this with the following config:
---------------------------
debug = 7
output = stunnel.log

[Exserver]
accept = 441
connect = 442
cert = stunneldd.pem
TIMEOUTclose = 0

[Exclient]
client = yes
accept = 442
connect = 443
---------------------------
stunneldd.pem I made with: openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunneldd.pem -keyout stunneldd.pem
This is working so far.
My problem is, stunnel is no longer accepting TLS1.0 and TLS1.1. I need this for some clients which can't talk TLS1.2.
But why? All the info I could find (and this took days, not hours) shows that it should work. Even with the added line sslVersion = all, or sslVersionMin = TLSv1 and sslVersionMax = TLSv1.3, it was not accepting TLS1 queries.
My steps to confirm this:
-------------------------
- install stunnel 5.70
- take the config shown above
- make a cert with openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunneldd.pem -keyout stunneldd.pem
- start stunnel
- test it with openssl s_client -connect localhost:441 -tls1_1 -debug

stunnel log:
------------
2023.07.13 09:53:04 LOG7[25]: TLS alert (write): fatal: internal error
2023.07.13 09:53:04 LOG3[25]: SSL_accept: ssl/t1_lib.c:3342: error:0A000076:SSL routines::no suitable signature algorithm
I'm thinking that the built-in OpenSSL doesn't support TLS1.1 anymore, but the [Exclient], which is talking to port 443, uses TLS1.1. Or has the cert anything to do with it? I think not, because the handshake failed, and that is before the cert is used? What am I missing? I want stunnel to accept TLS1.0, TLS1.1, TLS1.2 and upwards on the same port.
It would be nice if anybody could help me with this.
Many thanks.
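Added example, not part of the original post or of the stunnel project's documentation: the "no suitable signature algorithm" failure on a TLS 1.0/1.1 handshake is what OpenSSL 3.x reports at its default security level 1, because those protocol versions sign the handshake with SHA-1, which level 1 forbids; the server aborts before the certificate is ever sent, so the certificate itself is not involved. Assuming that this stunnel 5.70 build links OpenSSL 3.x (an assumption here; check with "stunnel -version"), the configuration below keeps the poster's service names and file names, makes the version window explicit, and lowers the OpenSSL security level only on the listener that must serve legacy clients. The sslVersionMin/sslVersionMax and ciphers lines are the additions.

```ini
; global options, as in the original post
debug = 7
output = stunnel.log

[Exserver]
accept = 441
connect = 442
cert = stunneldd.pem
TIMEOUTclose = 0
; accept TLS 1.0 through TLS 1.3 on this listener only
sslVersionMin = TLSv1
sslVersionMax = TLSv1.3
; OpenSSL 3.x: security level 1 rejects the SHA-1 handshake
; signatures that TLS 1.0/1.1 need; level 0 re-admits them.
; Scoped to this service so the rest of the config keeps level 1.
; (assumption: stunnel is linked against OpenSSL 3.x)
ciphers = DEFAULT:@SECLEVEL=0

[Exclient]
client = yes
accept = 442
connect = 443
```

Re-run the poster's own check afterwards: openssl s_client -connect localhost:441 -tls1_1 should now complete the handshake, and -tls1_2 / -tls1_3 should still work on the same port. Two caveats: @SECLEVEL=0 also re-enables weak cipher suites and small keys, so tighten the cipher list (for example DEFAULT:@SECLEVEL=0:!aNULL:!eNULL:!RC4:!3DES) if the legacy clients allow it, and the ciphers option governs TLS 1.2 and below only; TLS 1.3 suites are controlled by the separate ciphersuites option and are unaffected. If the [Exclient] side must itself negotiate TLS 1.1 toward port 443, the same ciphers line would be needed in that section too.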