stunnel and TLSv1.3

BlueBull
Posts: 5
Joined: 2014/12/01 09:40:43

stunnel and TLSv1.3

Post by BlueBull » 2020/09/16 09:27:21

CentOS 8.2, openssl-1.1.1c, stunnel-5.48-5
What is the easiest way to make stunnel connect with TLSv1.3?

BlueBull
Posts: 5
Joined: 2014/12/01 09:40:43

Re: stunnel and TLSv1.3

Post by BlueBull » 2020/09/18 16:40:53

I answer myself:
1) wait for CentOS 8.3
2) run newer versions in container.
Case closed.

TrevorH
Forum Moderator
Posts: 29430
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: stunnel and TLSv1.3

Post by TrevorH » 2020/09/18 17:11:13

I missed this before but I just tried it here and it works for me on 8.2.

Code:

setuid = nobody
setgid = nobody
pid = /var/run/stunnel/stunnel.pid
foreground = yes
debug = info
output = /var/log/stunnel.log
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
options = NO_TLSv1.2

[gmail-smtp]
client = yes
accept = 127.0.0.1:25
connect = smtp.gmail.com:465

Had to touch and chown nobody:nobody /var/log/stunnel.log and mkdir /var/run/stunnel and change its ownership too.

2020.09.18 18:07:08 LOG5[ui]: stunnel 5.48 on x86_64-redhat-linux-gnu platform
2020.09.18 18:07:08 LOG5[ui]: Compiled with OpenSSL 1.1.1 FIPS 11 Sep 2018
2020.09.18 18:07:08 LOG5[ui]: Running with OpenSSL 1.1.1c FIPS 28 May 2019
2020.09.18 18:07:08 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2020.09.18 18:07:08 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2020.09.18 18:07:08 LOG5[ui]: UTF-8 byte order mark detected
2020.09.18 18:07:08 LOG5[ui]: FIPS mode disabled
2020.09.18 18:07:08 LOG6[ui]: Initializing service [gmail-pop3]
2020.09.18 18:07:08 LOG6[ui]: Initializing service [gmail-imap]
2020.09.18 18:07:08 LOG6[ui]: Initializing service [gmail-smtp]
2020.09.18 18:07:08 LOG4[ui]: Service [gmail-smtp] needs authentication to prevent MITM attacks
2020.09.18 18:07:08 LOG5[ui]: Configuration successful
2020.09.18 18:07:08 LOG6[ui]: Service [gmail-pop3] (FD=10) bound to 127.0.0.1:110
2020.09.18 18:07:08 LOG6[ui]: Service [gmail-imap] (FD=11) bound to 127.0.0.1:143
2020.09.18 18:07:08 LOG6[ui]: Service [gmail-smtp] (FD=12) bound to 127.0.0.1:25
2020.09.18 18:07:11 LOG5[0]: Service [gmail-smtp] accepted connection from 127.0.0.1:40636
2020.09.18 18:07:11 LOG6[0]: failover: priority, starting at entry #0
2020.09.18 18:07:11 LOG6[0]: s_connect: connecting 2a00:1450:400c:c08::6d:465
2020.09.18 18:07:12 LOG5[0]: s_connect: connected 2a00:1450:400c:c08::6d:465
2020.09.18 18:07:12 LOG5[0]: Service [gmail-smtp] connected remote server from 2001:470:1f09:50d:5153:a65b:5705:8ff4:47036
2020.09.18 18:07:12 LOG6[0]: SNI: sending servername: smtp.gmail.com
2020.09.18 18:07:12 LOG6[0]: Peer certificate not required
2020.09.18 18:07:12 LOG6[0]: Certificate verification disabled
2020.09.18 18:07:12 LOG6[0]: Certificate verification disabled
2020.09.18 18:07:12 LOG6[0]: TLS connected: new session negotiated
2020.09.18 18:07:12 LOG6[0]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
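
Added example, not part of any post in this thread: a small Python check that reads a stunnel log written at `debug = info`, reports the TLS version each accepted connection negotiated, and flags the "needs authentication to prevent MITM attacks" and "Certificate verification disabled" messages that also appear in the log above. The function name `audit`, the sample lines and the treatment of the bracketed log id as one connection are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the log quoted above (not captured output).
SAMPLE_LOG = """\
2020.09.18 18:07:08 LOG4[ui]: Service [gmail-smtp] needs authentication to prevent MITM attacks
2020.09.18 18:07:11 LOG5[0]: Service [gmail-smtp] accepted connection from 127.0.0.1:40636
2020.09.18 18:07:12 LOG6[0]: Certificate verification disabled
2020.09.18 18:07:12 LOG6[0]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
2020.09.18 18:09:30 LOG5[1]: Service [gmail-imap] accepted connection from 127.0.0.1:40700
2020.09.18 18:09:31 LOG6[1]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
"""

LINE = re.compile(r"^\S+ \S+ LOG\d\[(\w+)\]: (.*)$")
ACCEPT = re.compile(r"^Service \[([^\]]+)\] accepted connection from ")
CIPHER = re.compile(r"^(\S+) ciphersuite: (\S+)")
NO_AUTH = re.compile(r"^Service \[([^\]]+)\] needs authentication")

def audit(log_text, required="TLSv1.3"):
    """Return (connections, findings) for a stunnel log at debug = info."""
    connections, by_id, findings = [], {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        cid, msg = m.groups()
        if (s := NO_AUTH.match(msg)):
            findings.append((s.group(1), "config", "no peer authentication configured"))
        elif (a := ACCEPT.match(msg)):
            # Assumption: the id in LOGn[id] identifies one connection until reused.
            by_id[cid] = {"id": cid, "service": a.group(1), "protocol": None,
                          "cipher": None, "verify_disabled": False}
            connections.append(by_id[cid])
        elif cid in by_id:
            if msg == "Certificate verification disabled":
                by_id[cid]["verify_disabled"] = True
            elif (c := CIPHER.match(msg)):
                by_id[cid]["protocol"], by_id[cid]["cipher"] = c.groups()
    for conn in connections:
        if conn["protocol"] != required:
            got = conn["protocol"] or "nothing"
            findings.append((conn["service"], conn["id"], f"negotiated {got}, expected {required}"))
        if conn["verify_disabled"]:
            findings.append((conn["service"], conn["id"], "certificate verification disabled"))
    return connections, findings

if __name__ == "__main__":
    for service, where, issue in audit(SAMPLE_LOG)[1]:
        print(f"[{service}] ({where}): {issue}")
```
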
