
Configuring Stunnel to use TLS1.2


John
Nov 11, 2021, 6:12:52 AM
I received an email today from Microsoft saying that they are retiring
TLS 1.0 and 1.1 in January 2022 for the Microsoft 365 service i.e. all
of my emails. I received the email because they have detected that I am
using either 1.0 or 1.1 for SMTP.

I set up my Stunnel with advice from this group using the following
simple config:

[pop3]
client = yes
accept = 127.0.0.1:3112
connect = outlook.office365.com:995

[smtp]
protocol = smtp
client = yes
accept = 127.0.0.1:25
connect = smtp.office365.com:587

Everything else is commented out, except higher up there is:

cert=stunnel.pem
options = NO_SSLv2

I have searched for the solution, but all of the articles I have found
are much more complex than this and involve different certificates.
Can anybody point me to the simple config changes required to enable
TLS1.2?

Thanks in advance



--
John

Chrisj194801
Nov 11, 2021, 7:53:44 AM

> Everything else is commented out, except higher up there is:
>
> cert=stunnel.pem
> options = NO_SSLv2
>
> I have searched for the solution, but all of the articles I have found
> are much more complex than this and involve different certificates.
> Can anybody point me to the simple config changes required to enable
> TLS1.2?
>
A suggestion I have seen is, instead of the options line, to substitute

options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
sslVersion = TLSv1.2

I suspect the sslversion line is the important one. I have not tried this myself. I update my version of stunnel periodically to get the latest fixes.

Regards
Chris

Martin Liddle
Nov 11, 2021, 10:17:12 AM
On 11/11/2021 11:03, John wrote:
>
> I have searched for the solution, but all of the articles I have found
> are much more complex than this and involve different certificates. Can
> anybody point me to the simple config changes required to enable TLS1.2?
>
I think it might help if you say which version of Stunnel you are running.

--
Martin Liddle, Tynemouth Computer Services
Staveley, Chesterfield, Derbyshire UK

John
Nov 11, 2021, 10:33:00 AM
In message <6eda3934-95e8-43c8...@googlegroups.com>,
Chrisj194801 <chris...@edimatrix.co.uk> writes
>A suggestion I have seen is, instead of the options line, to substitute
>
>options = NO_SSLv2
>options = NO_SSLv3
>options = NO_TLSv1
>options = NO_TLSv1.1
>sslVersion = TLSv1.2
>
>I suspect the sslversion line is the important one. I have not tried
>this myself. I update my version of stunnel periodically to get the
>latest fixes.
>
Thanks Chris. I've tried that and it works, in so far as I can still
send and receive emails. Whether they are TLS 1.3 I can't tell, but
hopefully so.

I also keep my version of Stunnel up to date, but the config file is now
very old and probably needed updating.


--
John

John
Nov 11, 2021, 10:43:02 AM
In message <smjc5n$kdl$1...@dont-email.me>, Martin Liddle
<new...@tynecomp.co.uk> writes
>On 11/11/2021 11:03, John wrote:
>> I have searched for the solution, but all of the articles I have
>>found are much more complex than this and involve different
>>certificates. Can anybody point me to the simple config changes
>>required to enable TLS1.2?
>>
>I think it might help if you say which version of Stunnel you are
>running.
>
It's v5.57 on Win 32.

I've just seen in the manual that options and sslVersion are Service
Level Options and not Global Options. Does this mean that I need to put
a copy in each service or can I just have a single version at the top,
as it is currently?


--
John

John Hall
Nov 11, 2021, 1:23:55 PM
In message <wucZuABt...@nospam.demon.co.uk>, John
<jo...@nospam.demon.co.uk> writes
I think you need a newer version of Stunnel that will handle TLS 1.2,
rather than to change your configuration. The stunnel.org site is no
longer updating the 32-bit version, only 64-bit, but fortunately the
excellent Jose Alf is doing so. You can find the latest version here:

https://github.com/josealf/stunnel-win32

The file with the most up-to-date version is:

stunnel-win32-5.60-openssl-1.1.1k-installer.exe

Run it to extract v5.60.
--
John Hall
"Home is heaven and orgies are vile,
But you *need* an orgy, once in a while."
Ogden Nash (1902-1971)

John Hall
Nov 11, 2021, 1:33:55 PM
That's interesting. I don't have the sslVersion = TLSv1.2 line myself,
and so far the email server that I use hasn't complained. I wonder if I
should add it in case one day in the not too distant future they start
requiring it.

John
Nov 11, 2021, 2:14:23 PM
In message <sEaDDsBq$VjhFwTs@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> writes
>>A suggestion I have seen is, instead of the options line, to substitute
>>
>>options = NO_SSLv2
>>options = NO_SSLv3
>>options = NO_TLSv1
>>options = NO_TLSv1.1
>>sslVersion = TLSv1.2
>>
>>I suspect the sslversion line is the important one. I have not tried
>>this myself. I update my version of stunnel periodically to get the
>>latest fixes.
>
>That's interesting. I don't have the sslVersion = TLSv1.2 line myself,
>and so far the email server that I use hasn't complained. I wonder if I
>should add it in case one day in the not too distant future they start
>requiring it.

As I said in the original post, I was alerted to it by an email from
Microsoft, as I use Outlook365 (from Namesco) as my email server. It
didn't mention the POP3 downloads but did say that my SMTP client was
using either TLS 1.0 or 1.1.

"We're making some changes to Direct Routing SIP interface.

On January 3rd 2022, to provide the best-in-class encryption to our
customers, we will begin retiring Transport Layer Security (TLS)
versions 1.0 and 1.1 and begin obligating TLS1.2 usage for the Direct
Routing SIP interface.

•The move to TLS 1.2 is to ensure that our service is secure by
default and in alignment with the rest of Microsoft 365 services as
previously communicated (MC126199 in Dec 2017, MC128929 in Feb 2018,
MC186827 in July 2019, MC218794 in July 2020, MC240160 in February 2021,
and MC292797 in October 2021).

You are receiving this message because our reporting indicates that your
organization is still connecting using SMTP Auth client submission via
smtp.office365.com with TLS1.0 or TLS1.1 to connect to Exchange Online.

--
John

John
Nov 11, 2021, 2:14:23 PM
In message <l0FB$HBV8VjhFwxe@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> writes
>I think you need a newer version of Stunnel that will handle TLS 1.2,
>rather than to change your configuration. The stunnel.org site is no
>longer updating the 32-bit version, only 64-bit, but fortunately the
>excellent Jose Alf is doing so. You can find the latest version here:
>
>https://github.com/josealf/stunnel-win32
>
>The file with the most up-to-date version is:
>
>stunnel-win32-5.60-openssl-1.1.1k-installer.exe
>
>Run it to extract v5.60.

I am running v5.57, which I downloaded from that site, on your
recommendation in a post in October 2020, so it should support TLS1.2,
but I will upgrade now in case that is part of the issue.

--
John

John Hall
Nov 11, 2021, 2:36:23 PM
In message <PmkWsaGMoWjhFwE$@nospam.demon.co.uk>, John
<jo...@nospam.demon.co.uk> writes
That's interesting, since as far as I can work out from looking at the
online Stunnel manual, if you don't specify a sslVersion parameter the
connection should be capable of defaulting to any TLS version up to 1.3
that the remote server might require.

I found that in addition to the parameters mentioned above there are
also sslVersionMax and sslVersionMin, that you can set to the maximum
and minimum versions of TLS that you want to allow to be used. So you
could try

sslVersionMax=TLSv1.3
sslVersionMin=TLSv1.2

The manual also says

Use sslVersionMax or sslVersionMin option instead of disabling specific
TLS protocol versions when compiled with OpenSSL 1.1.0 or later.
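To help decide whether a single setting at the top of stunnel.conf is enough, or whether each service needs its own, here is an added checker (example code, not stunnel's own and not from this thread). It assumes, as stunnel treats service-level options written before the first [service] header, that such lines act as defaults which a later per-service line overrides; the sample config is constructed from the one in the thread, with sslVersionMin added to the smtp service only.

```python
"""Per-service TLS floor check for a stunnel.conf: an added example, not stunnel's
own code, with the sample config constructed from the thread. It assumes that
service-level options written before the first [service] act as defaults."""
import copy

TLS_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

SAMPLE_CONF = """\
options = NO_SSLv2
[pop3]
client = yes
connect = outlook.office365.com:995
[smtp]
client = yes
connect = smtp.office365.com:587
sslVersionMin = TLSv1.2
"""


def parse_stunnel_conf(text):
    """Return {service: {key: value}}; 'options' may repeat, so it is kept as a list."""
    defaults, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].split("#")[0].strip()  # ';' and '#' start comments
        if line.startswith("["):  # a new [service] section
            current = line.strip("[]").strip()
            services[current] = copy.deepcopy(defaults)  # inherit the global defaults
        elif line:  # key = value; blank lines are skipped
            key, _, value = line.partition("=")
            target = defaults if current is None else services[current]
            if key.strip() == "options":
                target.setdefault("options", []).append(value.strip())
            else:
                target[key.strip()] = value.strip()
    return services


def effective_min_version(svc):
    """Oldest version the service still accepts (sslVersion pins exactly one). The NO_*
    fallback treats every version as built in, so it overstates exposure on OpenSSL
    builds that already dropped SSLv2 and SSLv3."""
    if "sslVersionMin" in svc:
        return svc["sslVersionMin"]
    if "sslVersion" in svc:
        return svc["sslVersion"]
    disabled = {o[3:] for o in svc.get("options", []) if o.startswith("NO_")}
    return next((v for v in TLS_ORDER if v not in disabled), None)


def services_below_tls12(text):
    """Names of services whose floor is older than TLS 1.2."""
    return sorted(name for name, svc in parse_stunnel_conf(text).items()
                  if TLS_ORDER.get(effective_min_version(svc), 0) < TLS_ORDER["TLSv1.2"])
```

Run against the sample, only pop3 is reported, since the smtp service carries its own sslVersionMin while pop3 inherits just the old NO_SSLv2 line; move sslVersionMin above the first [service] and both come out clean.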

John
Nov 12, 2021, 5:57:09 AM
In message <73j2fmAN6WjhFwDz@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> writes
>That's interesting, since as far as I can work out from looking at the
>online Stunnel manual, if you don't specify a sslVersion parameter the
>connection should be capable of defaulting to any TLS version up to 1.3
>that the remote server might require.
>
>I found that in addition to the parameters mentioned above there are
>also sslVersionMax and sslVersionMin, that you can set to the maximum
>and minimum versions of TLS that you want to allow to be used. So you
>could try
>
>sslVersionMax=TLSv1.3
>sslVersionMin=TLSv1.2
>
>The manual also says
>
>Use sslVersionMax or sslVersionMin option instead of disabling specific
>TLS protocol versions when compiled with OpenSSL 1.1.0 or later.

Thanks John. I will try that. I can always revert to the previous
configuration if it fails.

I was also confused, as I assumed that the server and Stunnel would
negotiate the required version of TLS and 1.2 has been around for a long
time now.

Does anyone know if or how I can test which version of TLS is actually
being used?

--
John

John Hall
Nov 12, 2021, 11:58:12 AM
In message <QFbhUxAx...@nospam.demon.co.uk>, John
<jo...@nospam.demon.co.uk> writes
>Does anyone know if or how I can test which version of TLS is actually
>being used?

In Connect, under Configure > Email Transfer, you could try ticking the
box at the bottom for Debug Information and then log the session. I
don't know if that will provide the information that you need, but it
might. Alternatively - and possibly more likely to tell you what you
need - you could set Stunnel itself to a highish logging level and then
look at its log file. (You might even find that your current logging
level is high enough and that the info is already there.)

John Hall
Nov 12, 2021, 2:00:39 PM
In message <uhKC46AHtpjhFwRV@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> writes
>In message <QFbhUxAx...@nospam.demon.co.uk>, John
><jo...@nospam.demon.co.uk> writes
>>Does anyone know if or how I can test which version of TLS is actually
>>being used?
>
>In Connect, under Configure > Email Transfer, you could try ticking the
>box at the bottom for Debug Information and then log the session. I
>don't know if that will provide the information that you need, but it
>might. Alternatively - and possibly more likely to tell you what you
>need - you could set Stunnel itself to a highish logging level and then
>look at its log file. (You might even find that your current logging
>level is high enough and that the info is already there.)

Just checked my own stunnel.log and it has that information:

2021.11.12 18:40:37 LOG6[1]: TLS connected: new session negotiated
2021.11.12 18:40:37 LOG6[1]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)

My own configuration file includes the lines:

; Debugging stuff (may be useful for troubleshooting)
debug = 6
output = stunnel.log
log = overwrite

(I remember when I first started using Stunnel I didn't specify the
"overwrite" parameter, so stunnel.log soon grew to thousands of lines in
length.)
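A small parser for the kind of log lines quoted above, as an added example that is not part of the thread or of stunnel: it pulls the negotiated version out of each "ciphersuite" line written at debug = 6 and flags any connection that came in below TLS 1.2, so a log can be checked without reading it by eye. Only the line format is taken from the thread; the sample log is constructed, and connections 2 and 3 are invented to show how an older and a newer version are reported.

```python
"""Scan a stunnel log (debug = 6) for the TLS version each connection negotiated.
Added example, not stunnel code: the 'ciphersuite' line format comes from the log
lines quoted in the thread; the sample log below is constructed, with connections
2 and 3 added to show how an old and a newer version are reported."""
import re
from collections import Counter

# <date> <time> LOG6[<connection id>]: <version> ciphersuite: <suite> (<n>-bit encryption)
CIPHER_LINE = re.compile(
    r"^\S+ \S+ LOG\d\[(?P<conn>\d+)\]: "
    r"(?P<version>SSLv3|TLSv1(?:\.[123])?) ciphersuite: (?P<suite>\S+)")

TLS_ORDER = {"SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

SAMPLE_LOG = """\
2021.11.12 18:40:37 LOG6[1]: TLS connected: new session negotiated
2021.11.12 18:40:37 LOG6[1]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2021.11.12 18:41:02 LOG6[2]: TLS connected: new session negotiated
2021.11.12 18:41:02 LOG6[2]: TLSv1 ciphersuite: AES256-SHA (256-bit encryption)
2021.11.12 18:42:15 LOG6[3]: TLS connected: new session negotiated
2021.11.12 18:42:15 LOG6[3]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
"""


def negotiated_versions(log_text):
    """Map each stunnel connection id to its (version, ciphersuite)."""
    found = {}
    for line in log_text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            found[int(m["conn"])] = (m["version"], m["suite"])
    return found


def connections_below(log_text, floor="TLSv1.2"):
    """Connection ids that negotiated something older than `floor`."""
    return sorted(conn for conn, (ver, _) in negotiated_versions(log_text).items()
                  if TLS_ORDER[ver] < TLS_ORDER[floor])


def version_summary(log_text):
    """How many connections used each version; all TLSv1.2+ means the fix took."""
    return Counter(ver for ver, _ in negotiated_versions(log_text).values())


if __name__ == "__main__":
    versions = negotiated_versions(SAMPLE_LOG)
    for conn in connections_below(SAMPLE_LOG):
        print(f"connection {conn}: {versions[conn][0]} ({versions[conn][1]}) is below TLS 1.2")
    print(dict(version_summary(SAMPLE_LOG)))
```

Point it at a real stunnel.log with `log = overwrite` and debug = 6 set as above, and an empty result from connections_below means every session in that log negotiated TLS 1.2 or newer.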

John
Nov 13, 2021, 9:37:48 AM
In message <jTYhUiAMmrjhFwTr@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> writes
>
>Just checked my own stunnel.log and it has that information:
>
>2021.11.12 18:40:37 LOG6[1]: TLS connected: new session negotiated
>2021.11.12 18:40:37 LOG6[1]: TLSv1.2 ciphersuite:
>ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
>
>My own configuration file includes the lines:
>
>; Debugging stuff (may be useful for troubleshooting)
>debug = 6
>output = stunnel.log
>log = overwrite
>
>(I remember when I first started using Stunnel I didn't specify the
>"overwrite" parameter, so stunnel.log soon grew to thousands of lines
>in length.)

Thanks John. Getting the same result here, so hopefully all OK now.

--
John