Hi Scott,

Thanks for the message. I tried this but to no avail. If I use that verbatim I get the error:

2016.09.21 06:46:46 LOG3[ui]: SSL_connect: 140740BF: error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available

In fact it seems like the only security protocol available to me is TLSv1, as the presence of the NO_SSLv2 and NO_SSLv3 options has no effect (which makes sense: I understand that Stunnel doesn’t use SSL v2 or v3 these days). I don’t know if this indicates something untoward.
Best,
Dave.

> On 21 Sep 2016, at 03:15, Scott McKeown <[email protected]> wrote:
>
> Hi Guys,
> To me this looks like a cipher issue.
> There are a few options that you can try to resolve this if it is.
>
> I would try adding the following lines into your STunnel configuration file:
>
> delay = yes
> options = NO_SSLv2
> options = NO_SSLv3
> options = NO_TLSv1
> options = CIPHER_SERVER_PREFERENCE
> options = DONT_INSERT_EMPTY_FRAGMENTS
>
> Delay will delay any DNS lookups that may be actioned by the request (not normally needed, but I always include it for sanity's sake).
> The three 'options' sections turn off all the known problematic cipher lists; if you need a key that is in one of these blocks feel free to remove that directive, but I think a good start would be to leave the 'NO_SSLv3' option in place.
> The 'CIPHER_SERVER_PREFERENCE' option will set whether the client is allowed to renegotiate the ciphers that are to be used between the client and the server process.
> And finally 'DONT_INSERT_EMPTY_FRAGMENTS' will mitigate an issue in the CBC ciphers that was in the SSLv3 and TLS1.0 cipher lists. Again, I only include it for sanity's sake now, but it's better to have than to go without.
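As an added example (not part of this thread and not stunnel's own code): a small Python lint that applies the NO_* option lines Scott suggests to the protocol versions a given stunnel build actually has, so a config like the one that produced Dave's "no protocols available" error is flagged before stunnel is started. The service name and addresses in the sample, and the NO_TLSv1_1/NO_TLSv1_2 option names (taken from OpenSSL's SSL_OP_NO_* naming), are assumptions.

```python
import re

# Each "options = NO_..." value and the protocol version it disables (added example,
# not stunnel code; NO_TLSv1_1/NO_TLSv1_2 follow OpenSSL's SSL_OP_NO_* naming).
DISABLE_OPTIONS = {"NO_SSLv2": "SSLv2", "NO_SSLv3": "SSLv3", "NO_TLSv1": "TLSv1",
                   "NO_TLSv1_1": "TLSv1.1", "NO_TLSv1_2": "TLSv1.2"}
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample: Scott's suggested lines as global options, plus one
# hypothetical client service (name and addresses are made up).
SAMPLE_CONF = """
client = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS
[imaps]
accept = 127.0.0.1:1143
connect = mail.example.test:993
"""

def parse_options(text):
    """Return {section: [option values]}; the global section is keyed ''."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "options":
            sections[current].append(value.strip())
    return sections

def enabled_protocols(text, built_in=ALL_PROTOCOLS):
    """Per service: versions left after global + service NO_* options; built_in
    models a build with SSLv2/SSLv3 compiled out, as in Dave's case."""
    sections = parse_options(text)
    result = {}
    for name, opts in sections.items():
        if name:
            disabled = {DISABLE_OPTIONS[o] for o in sections[""] + opts if o in DISABLE_OPTIONS}
            result[name] = [p for p in built_in if p not in disabled]
    return result

def lint(text, built_in=ALL_PROTOCOLS):
    """Services whose handshake would fail with 'no protocols available'."""
    return [n for n, left in enabled_protocols(text, built_in).items() if not left]
```

On a build that only offers TLSv1, the sample config disables every version and `lint` names the service; dropping the NO_TLSv1 line leaves TLSv1 enabled.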
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
