Hi,

I did capture the Wireshark log to understand the TLS flow. But my Wireshark 
capture just shows the packets as "TLS" and I don't see any "TLS1.2" 
handshakes.

1) Rsync Server enabled with TLS1.2 over Stunnel
2) Rsync Client enabled with TLS1.2 over Stunnel

I captured the Wireshark at both ends and both of them just show the packets 
as "TLS". I don't see any "Client hello, cipher key message" exchanges shown in 
the capture. Please help.


Thanks,
Sakthi


-----Original Message-----
From: stunnel-users <[email protected]> On Behalf Of Rob 
Lockhart
Sent: Wednesday, June 27, 2018 11:34 AM
To: Daniel Trickett <[email protected]>
Cc: [email protected]
Subject: Re: [stunnel-users] tls question

Dan, use Wireshark, capture traffic using Stunnel, set a filter based on the 
destination IP (i.e., "ip.addr == 10.5.2.0/24" if class C network), look for 
traffic with the host, and look at the "Protocol" column. For my captures, it 
shows "TLSv1.2" and for "Secure Sockets Layer" it shows the handshakes and 
ciphers as v1.2. You can drill down into the TLS exchange, from the cipher 
suites offered to the finally negotiated version; it should show "TLS 1.2".

In your config file you can specify only TLS v1.2 by:
sslVersion = TLSv1.2

On my systems, it appears to negotiate at TLS v1.0 (the "Client Hello") but the 
Server Hello is at TLS v1.2. Once you see the Cipher suite, you can verify if 
the one chosen is TLS v1.2 by using this:
https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet

In your Wireshark captures, look for "Cipher Suite:" in the Server Hello, and 
that should tell you the Cipher used, and you can infer TLS v1.2 based on the 
Cipher and that Cheat Sheet, and especially that Mozilla site ("cipher names 
correspondence table").

Regards,
 -Rob

On Wed, Jun 27, 2018 at 10:17 AM Daniel Trickett 
<[email protected]> wrote:
>
> If I use stunnel 5.44, how do I know that the protocol being used is TLS1.2? 
> Is it the default?
>
> Working with supplier sites which still accept 1.0/1.1, but want to make sure 
> that I am using 1.2, as they will be disabling the older protocols.
>
> Thanks and
> Best regards,
> Dan
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
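As an added illustration of the drill-down Rob describes (this is not code from any poster or from stunnel), the Python below parses a ClientHello or ServerHello record and separates the record-layer version, which is often TLS 1.0 in a ClientHello for compatibility, from the version field inside the Hello itself, and reads the Server Hello cipher suite. The sample Hellos are constructed inline without extensions, and the suite-name table is an assumed small subset of the IANA names.

```python
import struct

VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Assumed small subset of IANA suite names; GCM/SHA-2 suites exist only from
# TLS 1.2 on, which is the inference Rob makes from the Server Hello cipher.
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello (1) or ServerHello (2)."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    msg_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    hello_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                               # skip the 32-byte random
    pos += 1 + body[pos]                       # skip session_id
    info = {"type": {1: "ClientHello", 2: "ServerHello"}.get(msg_type, msg_type),
            "record_version": VERSIONS.get(rec_ver, hex(rec_ver)),    # record layer
            "hello_version": VERSIONS.get(hello_ver, hex(hello_ver))}  # version inside the Hello
    if msg_type == 1:                          # ClientHello: list of offered suites
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        ids = struct.unpack("!%dH" % (n // 2), body[pos + 2:pos + 2 + n])
        info["cipher_suites"] = [SUITES.get(c, hex(c)) for c in ids]
    elif msg_type == 2:                        # ServerHello: the single chosen suite
        cs = struct.unpack("!H", body[pos:pos + 2])[0]
        info["cipher_suite"] = SUITES.get(cs, hex(cs))
    return info

def build_hello(msg_type: int, rec_ver: int, hello_ver: int, suites: list) -> bytes:
    # Construct a minimal Hello record (no extensions) as sample input.
    if msg_type == 1:
        tail = struct.pack("!H", 2 * len(suites))
        tail += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
    else:
        tail = struct.pack("!H", suites[0]) + b"\x00"
    body = struct.pack("!H", hello_ver) + bytes(32) + b"\x00" + tail
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, rec_ver, len(hs)) + hs

# Constructed samples mirroring Rob's observation: the ClientHello's record layer
# says TLS 1.0 for compatibility, while the Hello itself and the ServerHello say 1.2.
CLIENT_HELLO = build_hello(1, 0x0301, 0x0303, [0xC02F, 0x002F])
SERVER_HELLO = build_hello(2, 0x0303, 0x0303, [0xC02F])

def negotiated_tls12(server_hello: bytes) -> bool:
    return parse_hello(server_hello)["hello_version"] == "TLS 1.2"
```

Note that a TLS 1.3 server also writes 0x0303 in this field and carries the real version in the supported_versions extension, which this parser does not read.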