It is not the list of ciphers that I want to choose from. We are indeed using a select set of ciphers and that seems to be working fine. My problem is that when stunnel connects to the server it is trying sslv3, and this causes an error as the server is only supporting TLS. I could easily be wrong...
John
I need to talk to a server that is requiring pure TLS. It seems that STUNNEL always starts with SSL. How do I get STUNNEL to start the client side conversation with TLS?
http://www.stunnel.org/faq/stunnel.html#global_options
ciphers = cipherlist
Select permitted SSL ciphers. A colon-delimited list of the ciphers to allow in the SSL connection. For example DES-CBC3-SHA:IDEA-CBC-MD5
For an exhaustive table of allowed ciphersuite values, if it's not in the stunnel manual check http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9
Jan
On Fri, 20 Jan 2006, Moehrke, John (GE Healthcare) wrote:
> It is not the list of ciphers that I want to choose from. We are indeed using a select set of ciphers and that seems to be working fine. My problem is that when stunnel connects to the server it is trying sslv3, and this causes an error as the server is only supporting TLS. I could easily be wrong...
Ah, that way.
options = SSL_options
OpenSSL library options. The parameter is the OpenSSL option name as described in the SSL_CTX_set_options(3ssl) manual, but without the SSL_OP_ prefix. Several options can be used to specify multiple options.
For example, for compatibility with the erroneous Eudora SSL implementation, the following option can be used:
options = DONT_INSERT_EMPTY_FRAGMENTS
Check the SSL_CTX_set_options manpage; it says, amongst other things:
SSL_OP_NO_SSLv2 Do not use the SSLv2 protocol.
SSL_OP_NO_SSLv3 Do not use the SSLv3 protocol.
SSL_OP_NO_TLSv1 Do not use the TLSv1 protocol.
That ought to do the trick I'd say.
Let us know if it did :)
Jan
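What Jan's suggestion looks like in a complete stunnel client section, as an added example that is not part of the thread: each `options` line drops the `SSL_OP_` prefix from one SSL_CTX_set_options flag, so disabling SSLv2 and SSLv3 leaves TLSv1 as the only protocol the client can offer. The addresses, the section name and the cipher list are placeholders; the cipher list is the one quoted from the stunnel FAQ above.

```ini
; Added example, not from the thread. Without any "options" lines stunnel
; uses the OpenSSL default, which may open with an SSLv2/SSLv3-compatible
; hello that a TLS-only server rejects. The two NO_* lines below fix that.

client = yes            ; this stunnel instance is the connecting side

[tls-only-client]       ; placeholder service name
accept  = 127.0.0.1:8443              ; local plaintext side (placeholder)
connect = tls-server.example.com:443  ; TLS-only server (placeholder)

; One SSL_CTX_set_options() flag per line, without the SSL_OP_ prefix:
options = NO_SSLv2      ; SSL_OP_NO_SSLv2: never use SSLv2
options = NO_SSLv3      ; SSL_OP_NO_SSLv3: never use SSLv3
; TLSv1 is deliberately NOT disabled, so it is the only protocol left.

; Restrict the permitted ciphers as in the FAQ excerpt (placeholder list):
ciphers = DES-CBC3-SHA:IDEA-CBC-MD5
```

Adding `NO_TLSv1` as well would leave the client with no protocol at all on an OpenSSL of that era, so only the two NO_SSLv* lines belong here.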