Stunnel options

9/19/2023

add to make this work on *buntu (it should work with 2 in Debian, see above).

According to Kurt Roeckx, when not breaking the RNG, the DH key exchanges for TLSv1 were moved to seclevel 0, but the RSA-based ones are still available (I know I’ve got them working at 2 in Debian sid with s_client even) so force AES256-SHA which is available in the higher levels and supported by the server.

I found a workaround… there seems to be some trouble between OpenSSL 3 and stunnel. The OpenSSL configuration I use is (pretty much Debian standard except at the very end)… too long, I’m attaching /etc/ssl/openssl.

```
# openssl s_client -CApath /etc/ssl/certs -connect x.x.x.x:xxxxx -quiet
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
depth=1 C = US, O = Let's Encrypt, CN = R3
```

On Debian, it worked with “sslVersion = all” and no “options” line.

Connections with openssl(1) from the same Ubuntu jammy box *do* work, so this is a bug in/with stunnel:

```
ssl/statem/statem_lib.c:104: error:0A0000BF:SSL routines::no protocols available
2022.09.13 00:47:21 LOG5: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
```

This is an Ubuntu-specific bug, it works in Debian with the OpenSSL configuration provided (I actually copied the config from a Debian sid box to the Ubuntu jammy box).