Hi Scott,

Thanks for the message.
I tried this but to no avail.
If I use that verbatim I get the error:
2016.09.21 06:46:46 LOG3[ui]: SSL_connect: 140740BF: error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available
In fact it seems like the only security protocol available to me is TLSv1, as 
the presence of the NO_SSLv2 and NO_SSLv3 options has no effect (which makes 
sense: I understand that Stunnel doesn’t use SSL v2 or v3 these days).  I don’t 
know if this indicates something untoward.

Best, Dave.



> On 21 Sep 2016, at 03:15, Scott McKeown <sc...@loadbalancer.org> wrote:
> 
> Hi Guys,
> To me this looks like a cipher issue.
> There are a few options that you can try to resolve this if it is.
> 
> I would try adding the following lines into your STunnel Configuration file:
> 
> delay = yes
> options = NO_SSLv2
> options = NO_SSLv3
> options = NO_TLSv1
> options = CIPHER_SERVER_PREFERENCE
> options = DONT_INSERT_EMPTY_FRAGMENTS
> 
> Delay will delay any DNS lookups that may be actioned by the request (not 
> normally needed but I always include it for sanity's sake).
> The three 'options' sections turn off all the known problematic cipher lists; 
> if you need a key that is in one of these blocks, feel free to remove that 
> directive, but I think a good start would be to leave the 'NO_SSLv3' option in 
> place.
> The 'CIPHER_SERVER_PREFERENCE' option will set whether the client is 
> allowed to renegotiate the ciphers that are to be used between the client and 
> the server process.
> And finally 'DONT_INSERT_EMPTY_FRAGMENTS' will mitigate an issue in the CBC 
> ciphers that was in the SSLv3 and TLS1.0 cipher lists; again, I only include it 
> for sanity's sake now, but it's better to have than to go without.
> 
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
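The failure Dave reports and the NO_* options Scott suggests can be checked mechanically rather than by trial and error. The Python script below is an added example written for this page; it is not stunnel code and not anything either poster wrote. It parses the `options = NO_*` lines from an stunnel config (the config text embedded in it is the one from Scott's message; the NO_TLSv1_1 and NO_TLSv1_2 names are assumed from OpenSSL's SSL_OP_NO_* naming, which stunnel passes through), computes which protocol versions the local library would have left, and, given a host, attempts one handshake per TLS version so you can see what the remote end actually accepts. An empty remaining set is exactly the state behind the `SSL23_CLIENT_HELLO:no protocols available` error in Dave's log: with only SSLv3 and TLSv1 compiled in, NO_SSLv3 plus NO_TLSv1 leaves nothing to offer.

```python
"""Diagnose the "no protocols available" failure discussed in the thread.

remaining_versions(): which protocol versions survive the config's NO_* lines
given what the local OpenSSL build offers (empty set == the SSL_connect error).
probe(): one real handshake per TLS version against a host, to see what the
remote end negotiates.  probe() needs network access; the rest runs offline.
"""
import socket
import ssl
import sys

# stunnel option name -> protocol it removes.  NO_SSLv2/NO_SSLv3/NO_TLSv1 appear
# in the thread; NO_TLSv1_1 and NO_TLSv1_2 are assumed from OpenSSL's SSL_OP_NO_*
# names, which stunnel passes through unchanged.
NO_OPTION_TO_VERSION = {
    "NO_SSLv2": "SSLv2",
    "NO_SSLv3": "SSLv3",
    "NO_TLSv1": "TLSv1",
    "NO_TLSv1_1": "TLSv1.1",
    "NO_TLSv1_2": "TLSv1.2",
}

# The option block from Scott's message, embedded here as a constructed sample.
THREAD_CONFIG = """
delay = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS
"""


def parse_no_options(config_text):
    """Collect the NO_* values from `options = ...` lines of an stunnel config."""
    found = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        key, sep, value = line.partition("=")
        if sep and key.strip() == "options" and value.strip() in NO_OPTION_TO_VERSION:
            found.add(value.strip())
    return found


def remaining_versions(supported, config_text):
    """Protocol versions still usable after applying the config's NO_* options."""
    disabled = {NO_OPTION_TO_VERSION[o] for o in parse_no_options(config_text)}
    return set(supported) - disabled


PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def single_version_context(version):
    """Client context pinned to exactly one TLS version; certificate checks stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Try one handshake per TLS version.

    Returns {name: 'ok:<negotiated>' | 'cert-error' | 'refused' | 'unsupported-locally'}.
    'cert-error' means the version was negotiated but the certificate failed
    verification, so it still tells you the protocol is offered.
    """
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            ctx = single_version_context(version)
        except ValueError:
            results[name] = "unsupported-locally"   # local OpenSSL lacks this version
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok:" + tls.version()
        except ssl.SSLCertVerificationError:
            results[name] = "cert-error"
        except (ssl.SSLError, OSError):
            results[name] = "refused"
    return results


if __name__ == "__main__":
    # Offline part: what Scott's options leave on a library that only has SSLv3/TLSv1.
    print("left after NO_* options:", remaining_versions({"SSLv3", "TLSv1"}, THREAD_CONFIG))
    # Online part: `python3 probe.py host [port]`
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for name, result in probe(sys.argv[1], port).items():
            print(f"{name:8} {result}")
```

The probe keeps certificate verification enabled on purpose: a handshake that reaches certificate validation has already agreed on a protocol version, so a `cert-error` result is still evidence that the version is offered, while `refused` is the protocol-level failure the thread is about.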