[stunnel-users] TLS1.0 fallback when only TLS1.2 allowed
Wojciech Machula
wmachula at gmail.com
Wed Jul 29 13:49:00 CEST 2020
So I've configured my stunnel to only use TLS1.2, and it usually works OK.
However, when the client gets some bad L7 response it sends a TCP RST, after
which all subsequent stunnel TLS Client Hellos are some hybrid of
TLS1.0/TLS1.2, as can be seen in the tshark output below. Once I restart the
whole stunnel process, subsequent TLS handshakes work fine using TLS1.2,
until the next client RST is received.
$ stunnel -version
stunnel 4.56 on x86_64-redhat-linux-gnu platform
$ cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)
$ cat /etc/stunnel/dsr2rtcg-stunnel.conf
output = /var/log/stunnel
pid = /etc/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[poc]
cert = /etc/pki/tls/certs/stunnel/aaa.crt
key = /etc/pki/tls/private/stunnel/aaa.key
CAfile = /etc/pki/tls/certs/stunnel/bbb.crt
client = yes
sslVersion = TLSv1.2
options = NO_TLSv1
accept = 172.18.180.78:45154
connect = 10.74.0.196:45154
ciphers = TLSv1.2+HIGH:!aNULL
$ tshark -nn -V -d tcp.port==45154,ssl -r 20200729_09:42:44-port45154.pcap -2R "ssl.handshake" -c 1 | grep -i tls -B3
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
--
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 1610
Version: TLS 1.2 (0x0303)
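A way to check what a captured ClientHello is really offering, as an added example that is not part of the original post and not stunnel's or OpenSSL's code: parse the record and report every field that carries a version. The record-layer version of a ClientHello is allowed by RFC 5246 Appendix E.1 to be any 3.x value, and OpenSSL deliberately writes 0x0301 there for an initial ClientHello so that old servers do not hang on a large record; the version actually negotiated is decided by ClientHello.client_version (or, for TLS 1.3 clients, the supported_versions extension) together with the ServerHello. The sample bytes below are constructed, shaped like the tshark output above (record 0x0301, handshake 0x0303); the cipher suite values and the helper names are assumptions for the example.

```python
"""Parse a TLS ClientHello and report every field that carries a version.

Added example, not from the original post, stunnel or OpenSSL.  The
sample input is a constructed byte string shaped like the capture in the
post: record-layer version 0x0301 (TLS 1.0), handshake version 0x0303.
"""
import struct

TLS_VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 extension type


def parse_client_hello(data: bytes) -> dict:
    """Return record version, handshake version, cipher suites and the
    supported_versions extension (if present) of one ClientHello record."""
    if len(data) < 5 + 4:
        raise ValueError("too short for a TLS record plus handshake header")
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = data[5:5 + record_len]
    if len(body) != record_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    hs_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                              # client_random
    sid_len = hello[pos]
    pos += 1 + sid_len                     # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
               for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len                    # compression_methods
    supported_versions = None
    if pos + 2 <= len(hello):              # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_body_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_body = hello[pos:pos + ext_body_len]
            pos += ext_body_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = ext_body[0]
                supported_versions = [struct.unpack("!H", ext_body[1 + i:3 + i])[0]
                                      for i in range(0, n, 2)]
    return {
        "record_version": record_version,
        "handshake_version": hs_version,
        "cipher_suites": ciphers,
        "supported_versions": supported_versions,
    }


def highest_offered_version(info: dict) -> int:
    """The version the client is actually offering: supported_versions when
    present (TLS 1.3 style), else ClientHello.client_version.  The record-layer
    version is ignored on purpose; RFC 5246 E.1 lets it be any {3,x}."""
    if info["supported_versions"]:
        return max(info["supported_versions"])
    return info["handshake_version"]


def build_client_hello(record_version: int, hs_version: int, ciphers,
                       supported=None) -> bytes:
    """Build a constructed ClientHello (sample input, not a real capture)."""
    body = struct.pack("!H", hs_version) + b"\x11" * 32 + b"\x00"
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    exts = b""
    if supported:
        sv = b"".join(struct.pack("!H", v) for v in supported)
        ext_body = bytes([len(sv)]) + sv
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_body)) + ext_body
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(hs)) + hs


# Constructed to match the capture in the post: record 0x0301, handshake 0x0303.
SAMPLE = build_client_hello(0x0301, 0x0303, [0xC02F, 0xC030, 0x009C])

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE)
    for key in ("record_version", "handshake_version"):
        print(f"{key}: {TLS_VERSION_NAMES.get(info[key], hex(info[key]))}")
    print("highest offered:", TLS_VERSION_NAMES[highest_offered_version(info)])
```

To run it on a real capture, export the first record of the TCP stream (for example with `tshark -T fields -e tls.record` or from the bytes pane) and feed those bytes to `parse_client_hello`; a client that is really falling back would show a lower `handshake_version`, not merely a 0x0301 record header, and the ServerHello version in the same stream is the final word on what was negotiated.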