I've got Stunnel running on a Raspberry Pi which is acting as a TLS wrapper for an apache2 server. I've configured it to use TLS-PSK (correctly, I think), but the logs show the following when I try to complete the TLS handshake:
2016.04.11 21:05:53 LOG7[0]: Service [PSK_server] started
2016.04.11 21:05:53 LOG5[0]: Service [PSK_server] accepted connection from 192.168.42.10:4097
2016.04.11 21:05:53 LOG7[0]: SSL state (accept): before/accept initialization
2016.04.11 21:05:53 LOG7[0]: SNI: no virtual services defined
2016.04.11 21:05:53 LOG7[0]: SSL alert (write): fatal: protocol version
2016.04.11 21:05:53 LOG3[0]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2016.04.11 21:05:53 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.04.11 21:05:53 LOG7[0]: Deallocating application specific data for addr index
2016.04.11 21:05:53 LOG7[0]: Local descriptor (FD=3) closed
2016.04.11 21:05:53 LOG7[0]: Service [PSK_server] finished (0 left)
I've checked in Wireshark, and the packets I'm sending are all TLS 1.2.
My stunnel config file looks like this:
output = /etc/stunnel/stunnel.log
client = no
fips = no
ciphers = PSK
PSKsecrets = /home/psk.txt
debug = 7
sslVersion = TLSv1.2
[PSK_server]
accept = PSK_server
connect = 80
It sends a TLS fatal alert packet with error code 70 (which is protocol_version, so it doesn't really tell me much more than the logs).
It's weird; I can send the Client Hello message, and the server sends Server Hello and Server Hello Done with no problem. It's only when I send my Client Key Exchange message that I get the alert.
Any help/suggestions would be appreciated!
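Before chasing the handshake itself it is worth confirming that the file behind `PSKsecrets =` is one stunnel will actually accept. The script below is an added example, not code from the original post or from the stunnel project; it assumes the format described in the stunnel manual (one `IDENTITY:KEY` per line, keys of at least 16 bytes, with even-length hex strings converted to binary, and a file that is neither group- nor world-readable) and uses made-up identities and keys.

```shell
#!/bin/sh
# Lint an stunnel PSKsecrets file before pointing "PSKsecrets =" at it.
# Added example, not from the original post. Assumptions (per the stunnel
# manual, not verified against any particular release): each line is
# IDENTITY:KEY; a key must be at least 16 bytes (32 chars when written in hex,
# which stunnel decodes); the file must have no group/other permission bits.

check_psk_file() {
    file=$1
    status=0
    seen=" "

    # Permission check: characters 5-10 of "ls -ld" are the group/other bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "ERROR: $file is readable by group/other (chmod 600 it)" >&2
        status=1
    fi

    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -z "$line" ] && continue

        case $line in
            *:*) ;;
            *) echo "ERROR: line $lineno: expected IDENTITY:KEY" >&2; status=1; continue ;;
        esac
        identity=${line%%:*}
        key=${line#*:}

        if [ -z "$identity" ] || [ -z "$key" ]; then
            echo "ERROR: line $lineno: empty identity or key" >&2
            status=1
            continue
        fi

        # A repeated identity would leave the second key unreachable.
        case $seen in
            *" $identity "*) echo "ERROR: line $lineno: duplicate identity '$identity'" >&2; status=1 ;;
        esac
        seen="$seen$identity "

        # Effective key length: an even-length all-hex key decodes to len/2 bytes.
        bytes=${#key}
        case $key in
            *[!0-9a-fA-F]*) ;;
            *) [ $((bytes % 2)) -eq 0 ] && bytes=$((bytes / 2)) ;;
        esac
        if [ "$bytes" -lt 16 ]; then
            echo "ERROR: line $lineno: key for '$identity' is only $bytes bytes (need >= 16)" >&2
            status=1
        fi
    done < "$file"
    return $status
}

# Constructed sample files; identities and keys are invented for this example.
GOOD_PSK=$(mktemp)
printf 'pi-client:0123456789abcdef0123456789abcdef\n' > "$GOOD_PSK"   # 32 hex chars = 16 bytes
printf 'laptop:correct-horse-battery-staple\n'      >> "$GOOD_PSK"   # 28-byte plain-text key
chmod 600 "$GOOD_PSK"

BAD_PSK=$(mktemp)
printf 'pi-client:deadbeef\n'            > "$BAD_PSK"   # decodes to only 4 bytes
printf 'pi-client:another-secret-key1\n' >> "$BAD_PSK"   # duplicate identity
printf 'no-colon-here\n'                 >> "$BAD_PSK"   # malformed line
chmod 644 "$BAD_PSK"                                     # world-readable
trap 'rm -f "$GOOD_PSK" "$BAD_PSK"' EXIT

check_psk_file "$GOOD_PSK" && echo "$GOOD_PSK: OK"
check_psk_file "$BAD_PSK"  || echo "$BAD_PSK: rejected"
```

Once the file passes, the same identity and hex key can be handed to `openssl s_client -connect <host>:<port> -psk_identity pi-client -psk 0123456789abcdef0123456789abcdef` to drive a PSK handshake against the stunnel port without involving the real client.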
Best Answer
I would downgrade the TLS version.
This is working for me from a Raspberry Pi.