Protecting against POODLE SSL on stunnel

You can disable the SSLv3 protocol in stunnel altogether.

From stunnel documentation:

sslVersion = SSL_VERSION

select version of SSL protocol allowed

options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

I've added this to the config file:

sslVersion = TLSv1 TLSv1.1 TLSv1.2

And now I am not able to connect with SSLv3 (using openssl s_client -connect my.domain.com:443 -ssl3)

NOTE: Some older versions of stunnel and OpenSSL don't support TLSv1.2 (or even TLSv1.1). In this case, remove them from the sslVersion directive to avoid the "Incorrect version of SSL protocol" error.


If you prefer to stick with an older stunnel (like the 4.53 in your Debian Stable), you can disable SSLv2 and SSLv3 with:

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

instead of

sslVersion = TLSv1

which would disable TLSv1.1 and TLSv1.2 also.
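As an added example (not part of either answer above, and not stunnel's own tooling), here is a small POSIX shell lint that applies the two fixes from this thread to a stunnel config before you restart the service: it treats a config as still exposed to POODLE when any sslVersion directive names SSLv2/SSLv3, or when sslVersion is "all" (or absent, which this script assumes behaves like "all"; check your stunnel version's actual default) without a matching options = NO_SSLv3. The two sample configs are constructed for the demonstration, and the probe_sslv3 helper wraps the same openssl s_client -ssl3 command the thread uses for a live check; it is defined but not run here because it needs a reachable host and an OpenSSL build that still has SSLv3 client support.

```shell
#!/bin/sh
# Added example: lint an stunnel config for POODLE exposure (SSLv3 negotiable).
# check_sslv3 CONF exits 0 when SSLv3 can still be negotiated, 1 when it cannot.
# Rules (from the two fixes discussed above):
#   - sslVersion lists TLS versions only            -> not exposed
#   - sslVersion = all (or absent) + options = NO_SSLv3 -> not exposed
#   - anything else                                  -> exposed
# Assumption: an absent sslVersion is treated like "all".

# Print the values of a directive, one per line. Lines starting with ';' or '#'
# (stunnel comments) never match because the pattern is anchored at the name.
directive_values() {   # $1 = directive name, $2 = config file
    grep -i "^[[:space:]]*$1[[:space:]]*=" "$2" 2>/dev/null |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

check_sslv3() {        # $1 = config file; exit 0 = SSLv3 still allowed
    versions=$(directive_values sslVersion "$1")
    opts=$(directive_values options "$1")

    # SSLv2/SSLv3 named explicitly (globally or in a service section): exposed.
    if printf '%s\n' "$versions" | grep -qi 'SSLv[23]'; then
        return 0
    fi
    # "all" or no sslVersion at all: only options = NO_SSLv3 closes the hole.
    if [ -z "$versions" ] || printf '%s\n' "$versions" | grep -qi '^all$'; then
        printf '%s\n' "$opts" | grep -qi 'NO_SSLv3' && return 1
        return 0
    fi
    # Only TLS versions listed.
    return 1
}

# Live check with the same command the thread uses. Exits 0 when the server
# completed an SSLv3 handshake (s_client prints "Protocol  : SSLv3").
# Not invoked here: needs a network and an OpenSSL that still accepts -ssl3.
probe_sslv3() {        # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>/dev/null |
        grep -q '^ *Protocol *: *SSLv3'
}

# Constructed sample configs (not real deployments).
WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

cat >"$WEAK_CONF" <<'EOF'
; weak: every protocol OpenSSL supports, SSLv3 included
cert = /etc/stunnel/stunnel.pem
sslVersion = all
[https]
accept = 443
connect = 80
EOF

cat >"$FIXED_CONF" <<'EOF'
; fixed the way the older-stunnel answer suggests
cert = /etc/stunnel/stunnel.pem
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
[https]
accept = 443
connect = 80
EOF

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    if check_sslv3 "$f"; then
        echo "$f: SSLv3 still negotiable (POODLE)"
    else
        echo "$f: SSLv3 disabled"
    fi
done
```

Run it against /etc/stunnel/stunnel.conf with `check_sslv3 /etc/stunnel/stunnel.conf` after sourcing the script, then confirm on the wire with `probe_sslv3 my.domain.com 443` once stunnel has been restarted; a config that passes the lint but still answers the probe usually means the running process was not restarted or is reading a different file.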


Since I cannot comment, I will "answer" (sorry).

Anyway, I am running stunnel 5.01 and I also get the "incorrect version of SSL" error after making the change to sslVersion:

[!] Server is down
[.] Reading configuration from file stunnel.conf
[!] Line 4: "sslVersion = TLSv1 TLSv1.1 TLSv1.2": Incorrect version of SSL protocol

Fixed (for me). Had to upgrade stunnel to v5.06 (most current release as of today). Conf file is exactly the same so I guess there is some mojo happening between v5.01 and v5.06 that goes beyond a mere mortal to understand.