[stunnel-users] Problem with sslv2 clients
Markus Borst (HRZ)
M.Borst at hrz.tu-darmstadt.de
Fri Dec 16 09:43:23 CET 2011
On 12.12.2011 16:57, Michal Trojnara wrote:
> Markus Borst wrote:
>> I want client and server to _NEGOTIATE_ a "higher" protocol.
>
> fips = no
> sslVersion = all
> options = NO_SSLv2
>
> According to my tests it does exactly what you want.
>
> Mike
Sorry for the late reply. Yes, thanks, this combination does indeed
work. Older SSL clients can connect and use either SSLv3 or TLSv1. I
would have thought that this would be the default behaviour, but there are
probably reasons to do it otherwise.
Since the use of these options in this combination is not clear from the
documentation, I have a few suggestions to update the docs:
- explain what fips does (not the whole specification, just which
methods and ciphers are disabled)
- clearly state which methods (SSL, TLS, ciphers) are used by
default, with or without fips.
- explain the "options = NO_SSLv2" option. Currently, it is not even
mentioned.
As a longer term enhancement, I suggest making the "sslVersion" option
multi-valued: Currently, I can only select one of the three, or all
three, but not just two out of three. (I.e., what will we do when a
TLSv2 comes around?)
And the above configuration should go as an example into the default
config file, since this particular combination ("sslVersion=all" AND
"options=NO_SSLv2") is a bit counterintuitive.
Greetings
Markus Borst
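The pitfall Markus describes (a service that inherits "sslVersion = all" but never sets "options = NO_SSLv2") is easy to spot mechanically. The following checker is an added example, not stunnel's own code: it parses stunnel's INI-style file (global lines first, then [service] sections that inherit them, with a repeatable "options" key) and lists the services that would still negotiate SSLv2. The service names and port numbers in the sample are constructed, and a missing sslVersion is assumed to mean "all".

```python
"""Lint a stunnel.conf for the pitfall in this thread: `sslVersion = all`
still negotiates SSLv2 unless `options = NO_SSLv2` is also set. Added example."""
import re

# Constructed sample; service names and ports are hypothetical.
SAMPLE_CONF = """\
fips = no
sslVersion = all
[imaps]
accept = 993
connect = 143
options = NO_SSLv2
[pop3s]
accept = 995
connect = 110
; inherits sslVersion = all but never disables SSLv2
"""

def parse_stunnel_conf(text):
    """Return {service: {key: [values]}}. Global lines precede the first
    [section] and are inherited; `options` repeats, other keys override."""
    glob, services, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            cur = m.group(1)
            services[cur] = {k: list(v) for k, v in glob.items()}
            continue
        key, _, val = line.partition('=')
        key, val = key.strip(), val.strip()
        target = glob if cur is None else services[cur]
        if key == 'options':
            target.setdefault(key, []).append(val)
        else:
            target[key] = [val]
    return services

def services_allowing_sslv2(text):
    """Services whose protocol set still includes SSLv2. A missing
    sslVersion counts as 'all' (assumed non-FIPS stunnel default)."""
    bad = []
    for name, cfg in parse_stunnel_conf(text).items():
        version = cfg.get('sslVersion', ['all'])[0]
        opts = {o.upper() for o in cfg.get('options', [])}
        if version in ('all', 'SSLv2') and 'NO_SSLV2' not in opts:
            bad.append(name)
    return bad
```

Placing "options = NO_SSLv2" in the global section clears every finding, which is the configuration Mike recommended above.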