Hi there,
I have a problem (maybe with understanding) with stunnel.
I'm using the newest version 5.70 but had this also with 5.66 and 5.69.
My goal was to access an Exchange server IIS (on port 443, which understands
only TLS1.1 and below)
with TLS1.2 and upper.
I was able to achieve this with the following config
---------------------------
debug = 7
output = stunnel.log
[Exserver]
accept = 441
connect = 442
cert = stunneldd.pem
TIMEOUTclose = 0
[Exclient]
client = yes
accept = 442
connect = 443
---------------------------
I made stunneldd.pem with
openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunneldd.pem -keyout stunneldd.pem
This is working so far.
My problem is, stunnel is no longer accepting TLS1.0 and TLS1.1.
I need this for some clients which couldn't talk TLS1.2.
But why? All the information I could find (and this was days, not hours) shows that
it should work.
Even with the added line
sslVersion = all
or
sslVersionMin = TLSv1
sslVersionMax = TLSv1.3
it was not accepting TLS1 queries.
My steps to confirm this:
-------------------------
- install stunnel 5.70
- take the config shown above
- make a cert with
openssl req -new -x509 -days 365 -nodes -config openssl.cnf -out stunneldd.pem -keyout stunneldd.pem
- start stunnel
- test it with
openssl s_client -connect localhost:441 -tls1_1 -debug
stunnel log:
------------
2023.07.13 09:53:04 LOG7[25]: TLS alert (write): fatal: internal error
2023.07.13 09:53:04 LOG3[25]: SSL_accept: ssl/t1_lib.c:3342: error:0A000076:SSL routines::no suitable signature algorithm
I'm thinking that the bind OpenSSL doesn't support TLS1.1 anymore, but the
[Exclient] which is talking to port 443 uses TLS1.1.
Or has the cert anything to do with it? I think not, because the handshake failed
and that is before the cert is used?
What am I missing?
I want stunnel to accept TLS1.0, TLS1.1, TLS1.2 and upwards on the same port.
Would be nice if anybody could help me with this?
Many thanks.
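
To repeat the s_client check from the post for every protocol version in one run, the following Python sketch (an added example, not part of the original post) attempts one handshake per version against the listener. Host localhost and port 441 come from the config above; the function names are hypothetical. The probe lowers its own OpenSSL security level to 0, because OpenSSL 3.x clients do not offer TLS 1.0/1.1 at the default level.

```python
import socket
import ssl

# Protocol versions to try, oldest first.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, name, timeout=3.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns (accepted, detail): detail is the negotiated version on
    success or the error text on failure.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The certificate in the post is self-signed and only the protocol
    # version is being checked, so certificate validation is switched off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Without security level 0 an OpenSSL 3.x client refuses TLS 1.0/1.1
        # locally and the probe would never reach the server.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def scan(host, port):
    """Probe every version in VERSIONS and return {name: (accepted, detail)}."""
    return {name: probe(host, port, name) for name in VERSIONS}


if __name__ == "__main__":
    # Port 441 is the [Exserver] accept port from the config in the post.
    for name, (ok, detail) in scan("localhost", 441).items():
        print(f"{name:8} {'accepted' if ok else 'rejected'}  {detail}")
```

A version reported as rejected with an alert from the server matches a `SSL_accept` error line in stunnel.log at the same timestamp.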