[stunnel-users] How to disable SSLv2
Tommi Nieminen
ttn at mbnet.fi
Fri Oct 27 17:48:51 CEST 2006
I'm using Stunnel 4.18. I would like to disable SSLv2, but
allow SSLv3 and TLSv1. Is this currently possible in Stunnel?
I've tried two things so far: first I tried to use the option
options = SSL_OP_NO_SSLv2 (from "man SSL_CTX_set_options")
It didn't work. This is what I got:
2006.10.27 18:32:48 LOG7[6358:3082897088]: Snagged 64 random bytes
from /root/.rnd
2006.10.27 18:32:48 LOG7[6358:3082897088]: Wrote 1024 new random bytes
to /root/.rnd
2006.10.27 18:32:48 LOG7[6358:3082897088]: RAND_status claims sufficient
entropy for the PRNG
2006.10.27 18:32:48 LOG7[6358:3082897088]: PRNG seeded successfully
file /etc/stunnel/stunnel.conf line 18: Illegal SSL option
Nothing gets logged, the above is the response to the startup command.
The other thing I tried, though I really didn't expect it to work,
was replacing the "options" option with
sslVersion = SSLv3 TLSv1
This option seems to accept only one version at a time, or
alternatively all of them with "all" on the right-hand side,
so this failed: stunnel didn't start.
Any suggestions? The only thing I can think of is that the
SSL option SSL_OP_NO_SSLv2 is something that should have been
set when configuring the OpenSSL installation, and since I have
a readily wrapped package, it has not been included there.
In that case I could install OpenSSL from scratch. But
before I try that, I thought I would ask if somebody was
already familiar with the problem.
Tommi Nieminen
---------------------------------------------------
Here is the stunnel config file I was using:
CAfile = /etc/stunnel/root-cert.pem
cert = /etc/stunnel/device-cert.pem
key = /etc/stunnel/device-key.pem
output = /var/log/stunnel/stunnel.log
pid = /var/run/stunnel/stunnel.pid
debug = 7
client = no
[https]
accept = 443
connect = 192.168.10.17:5010
verify = 1
options = SSL_OP_NO_SSLv2
;sslVersion = SSLv3 TLSv1
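The following is an added example, not part of the original post: the poster's [https] section shown twice, once with the rejected directive and once with the spelling that stunnel's own option parser expects. It assumes that stunnel's "options" directive takes the OpenSSL option name without the SSL_OP_ prefix (so NO_SSLv2 rather than SSL_OP_NO_SSLv2) and that "options" may be repeated, one option per line; whether this particular stunnel release accepts it is not confirmed by the page, and the paths and addresses are the poster's own.

```ini
; --- As posted: rejected with "Illegal SSL option" ---
; stunnel's config parser does not accept the raw OpenSSL macro name.
;[https]
;accept = 443
;connect = 192.168.10.17:5010
;verify = 1
;options = SSL_OP_NO_SSLv2

; --- Assumed working form: same OpenSSL option, stunnel's spelling ---
; "options" takes the name from SSL_CTX_set_options(3) with the
; SSL_OP_ prefix dropped (assumption: NO_SSLv2 is the accepted spelling).
; Leaving sslVersion at its default keeps SSLv3 and TLSv1 negotiable;
; only the SSLv2 method is removed from the handshake.
[https]
accept = 443
connect = 192.168.10.17:5010
verify = 1
options = NO_SSLv2
; Repeat the directive to set further options, e.g. to also reject
; SSLv3 on a later deployment (same naming assumption applies):
;options = NO_SSLv3
```

The point of the side-by-side is the error message in the log above: "Illegal SSL option" comes from stunnel's config parser, not from OpenSSL, so rebuilding OpenSSL would not change it; the directive name is what the parser is rejecting.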