stunnel-users May 2011

stunnel-users@stunnel.org

16 participants
26 discussions

Re: [stunnel-users] problem with stunnel 4.36 (server mode), error after the 1st connexion
by Jose Alf. 15 May '11

15 May '11

Hi Laurent, Does it works fine with a previous version? If so, What's the lates version that works? If you google for "bind#1: Invalid argument (22) aix stunnel" you will find a mail thread with a similar issue. Regards, Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: stunnel-users(a)stunnel.org Sent: Fri, May 13, 2011 6:39:29 AM Subject: [stunnel-users] problem with stunnel 4.36 (server mode), error after the 1st connexion Hi everyone, i have installed the stunnel 4.36 today and now i have some errors... The 1st connexion is working fine : 011.05.13 13:23:44 LOG5[1802366:1]: Reading configuration from file /opt/freeware/etc/stunnel/stunnel_server_level1.conf 2011.05.13 13:23:44 LOG7[1802366:1]: Snagged 64 random bytes from //.rnd 2011.05.13 13:23:44 LOG7[1802366:1]: Wrote 1024 new random bytes to //.rnd 2011.05.13 13:23:44 LOG7[1802366:1]: PRNG seeded successfully 2011.05.13 13:23:44 LOG7[1802366:1]: Using DH parameters from /opt/freeware/etc/stunnel/ca_nopass.pem 2011.05.13 13:23:44 LOG6[1802366:1]: DH initialized with 512 bit key 2011.05.13 13:23:44 LOG7[1802366:1]: ECDH initialized 2011.05.13 13:23:44 LOG7[1802366:1]: Certificate: /opt/freeware/etc/stunnel/ca_nopass.pem 2011.05.13 13:23:44 LOG7[1802366:1]: Certificate loaded 2011.05.13 13:23:44 LOG7[1802366:1]: Key file: /opt/freeware/etc/stunnel/ca_nopass.pem 2011.05.13 13:23:44 LOG7[1802366:1]: Private key loaded 2011.05.13 13:23:44 LOG7[1802366:1]: Verify directory set to /opt/freeware/etc/stunnel/CA_files/ 2011.05.13 13:23:44 LOG7[1802366:1]: Added /opt/freeware/etc/stunnel/CA_files/ revocation lookup directory 2011.05.13 13:23:44 LOG7[1802366:1]: Added /opt/freeware/etc/stunnel/CRL_files/ revocation lookup directory 2011.05.13 13:23:44 LOG5[1802366:1]: Peer certificate location /opt/freeware/etc/stunnel/CA_files/ 2011.05.13 13:23:44 LOG7[1802366:1]: SSL context initialized for service pesitip 2011.05.13 13:23:44 LOG5[1802366:1]: Configuration successful 2011.05.13 13:23:44 LOG5[1802366:1]: No limit detected for the number of clients 2011.05.13 13:23:44 LOG7[1802366:1]: signal_pipe: FD=4 allocated (blocking mode) 2011.05.13 13:23:44 LOG7[1802366:1]: signal_pipe: FD=5 allocated (blocking mode) 2011.05.13 13:23:44 LOG7[1802366:1]: accept socket: FD=6 allocated (non-blocking mode) 2011.05.13 13:23:44 LOG7[1802366:1]: Option SO_REUSEADDR set on accept socket 2011.05.13 13:23:44 LOG7[1802366:1]: Service pesitip bound to 0.0.0.0:10443 2011.05.13 13:23:44 LOG7[1802366:1]: Service pesitip opened FD=6 2011.05.13 13:23:44 LOG7[1802366:1]: Created pid file /var/adm/stunnel_server_level1.pid 2011.05.13 13:23:44 LOG5[1802366:1]: stunnel 4.36 on powerpc-ibm-aix5.2.0.0 with OpenSSL 0.9.8k 25 Mar 2009 2011.05.13 13:23:44 LOG5[1802366:1]: Threading:PTHREAD SSL:ENGINE Auth:none Sockets:POLL, IPv6 2011.05.13 13:28:36 LOG7[1802366:1]: local socket: FD=7 allocated (non-blocking mode) 2011.05.13 13:28:36 LOG7[1802366:1]: Service pesitip accepted FD=7 from 10.254.181.230:2991 2011.05.13 13:28:36 LOG7[1802366:258]: Service pesitip started 2011.05.13 13:28:36 LOG7[1802366:258]: Option TCP_NODELAY set on local socket 2011.05.13 13:28:36 LOG5[1802366:258]: Service pesitip accepted connection from 10.254.181.230:2991 2011.05.13 13:28:36 LOG7[1802366:258]: SSL state (accept): before/accept initialization 2011.05.13 13:28:36 LOG7[1802366:258]: SSL state (accept): SSLv3 read client hello A 2011.05.13 13:28:36 LOG7[1802366:258]: SSL state (accept): SSLv3 write server hello A 2011.05.13 13:28:36 LOG7[1802366:258]: SSL state (accept): SSLv3 write certificate A 2011.05.13 13:28:36 LOG7[1802366:258]: SSL state (accept): SSLv3 write certificate request A 2011.05.13 13:28:36 LOG7[1802366:258]: SSL state (accept): SSLv3 flush data 2011.05.13 13:28:37 LOG7[1802366:258]: Starting certificate verification: depth=1, /O=SWIFT 2011.05.13 13:28:37 LOG5[1802366:258]: Certificate accepted: depth=1, /O=SWIFT 2011.05.13 13:28:37 LOG7[1802366:258]: Starting certificate verification: depth=0, /C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts 2011.05.13 13:28:37 LOG5[1802366:258]: Certificate accepted: depth=0, /C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts 2011.05.13 13:28:37 LOG7[1802366:258]: SSL state (accept): SSLv3 read client certificate A 2011.05.13 13:28:37 LOG7[1802366:258]: SSL state (accept): SSLv3 read client key exchange A 2011.05.13 13:28:37 LOG7[1802366:258]: SSL state (accept): SSLv3 read certificate verify A 2011.05.13 13:28:37 LOG7[1802366:258]: SSL state (accept): SSLv3 read finished A 2011.05.13 13:28:37 LOG7[1802366:258]: SSL state (accept): SSLv3 write change cipher spec A 2011.05.13 13:28:37 LOG7[1802366:258]: SSL state (accept): SSLv3 write finished A 2011.05.13 13:28:37 LOG7[1802366:258]: SSL state (accept): SSLv3 flush data 2011.05.13 13:28:37 LOG7[1802366:258]: 1 items in the session cache 2011.05.13 13:28:37 LOG7[1802366:258]: 0 client connects (SSL_connect()) 2011.05.13 13:28:37 LOG7[1802366:258]: 0 client connects that finished 2011.05.13 13:28:37 LOG7[1802366:258]: 0 client renegotiations requested 2011.05.13 13:28:37 LOG7[1802366:258]: 1 server connects (SSL_accept()) 2011.05.13 13:28:37 LOG7[1802366:258]: 1 server connects that finished 2011.05.13 13:28:37 LOG7[1802366:258]: 0 server renegotiations requested 2011.05.13 13:28:37 LOG7[1802366:258]: 0 session cache hits 2011.05.13 13:28:37 LOG7[1802366:258]: 0 external session cache hits 2011.05.13 13:28:37 LOG7[1802366:258]: 0 session cache misses 2011.05.13 13:28:37 LOG7[1802366:258]: 0 session cache timeouts 2011.05.13 13:28:37 LOG6[1802366:258]: SSL accepted: new session negotiated 2011.05.13 13:28:37 LOG6[1802366:258]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 2011.05.13 13:28:37 LOG7[1802366:258]: remote socket: FD=8 allocated (non-blocking mode) 2011.05.13 13:28:37 LOG6[1802366:258]: connect_blocking: connecting 159.50.5.165:10016 2011.05.13 13:28:37 LOG5[1802366:258]: connect_blocking: connected 159.50.5.165:10016 2011.05.13 13:28:37 LOG5[1802366:258]: Service pesitip connected remote server from 159.50.5.165:52585 2011.05.13 13:28:37 LOG7[1802366:258]: Remote FD=8 initialized 2011.05.13 13:28:37 LOG7[1802366:258]: Option TCP_NODELAY set on remote socket 2011.05.13 13:31:25 LOG7[1802366:258]: SSL alert (read): warning: close notify 2011.05.13 13:31:25 LOG7[1802366:258]: SSL closed on SSL_read 2011.05.13 13:31:25 LOG7[1802366:258]: Sending socket write shutdown 2011.05.13 13:31:25 LOG3[1802366:258]: readsocket: Connection reset by peer (73) 2011.05.13 13:31:25 LOG5[1802366:258]: Connection reset: 275 bytes sent to SSL, 17935 bytes sent to socket 2011.05.13 13:31:25 LOG7[1802366:258]: Service pesitip finished (0 left) 2011.05.13 13:31:25 LOG7[1802366:258]: str_stats: 36 blocks, 4350 bytes but when its the second i always have the error : 011.05.13 13:32:19 LOG7[1802366:1]: local socket: FD=7 allocated (non-blocking mode) 2011.05.13 13:32:19 LOG7[1802366:1]: Service pesitip accepted FD=7 from 10.254.181.230:3007 2011.05.13 13:32:19 LOG7[1802366:259]: Service pesitip started 2011.05.13 13:32:19 LOG7[1802366:259]: Option TCP_NODELAY set on local socket 2011.05.13 13:32:19 LOG5[1802366:259]: Service pesitip accepted connection from 10.254.181.230:3007 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): before/accept initialization 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 read client hello A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 write server hello A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 write certificate A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 write certificate request A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 flush data 2011.05.13 13:32:19 LOG7[1802366:259]: Starting certificate verification: depth=1, /O=SWIFT 2011.05.13 13:32:19 LOG6[1802366:259]: CERT: Verification not enabled 2011.05.13 13:32:19 LOG5[1802366:259]: Certificate accepted: depth=1, /O=SWIFT 2011.05.13 13:32:19 LOG7[1802366:259]: Starting certificate verification: depth=0, /C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts 2011.05.13 13:32:19 LOG6[1802366:259]: CERT: Verification not enabled 2011.05.13 13:32:19 LOG5[1802366:259]: Certificate accepted: depth=0, /C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 read client certificate A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 read client key exchange A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 read certificate verify A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 read finished A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 write change cipher spec A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 write finished A 2011.05.13 13:32:19 LOG7[1802366:259]: SSL state (accept): SSLv3 flush data 2011.05.13 13:32:19 LOG7[1802366:259]: 2 items in the session cache 2011.05.13 13:32:19 LOG7[1802366:259]: 0 client connects (SSL_connect()) 2011.05.13 13:32:19 LOG7[1802366:259]: 0 client connects that finished 2011.05.13 13:32:19 LOG7[1802366:259]: 0 client renegotiations requested 2011.05.13 13:32:19 LOG7[1802366:259]: 2 server connects (SSL_accept()) 2011.05.13 13:32:19 LOG7[1802366:259]: 2 server connects that finished 2011.05.13 13:32:19 LOG7[1802366:259]: 0 server renegotiations requested 2011.05.13 13:32:19 LOG7[1802366:259]: 0 session cache hits 2011.05.13 13:32:19 LOG7[1802366:259]: 0 external session cache hits 2011.05.13 13:32:19 LOG7[1802366:259]: 0 session cache misses 2011.05.13 13:32:19 LOG7[1802366:259]: 0 session cache timeouts 2011.05.13 13:32:19 LOG6[1802366:259]: SSL accepted: new session negotiated 2011.05.13 13:32:19 LOG6[1802366:259]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 2011.05.13 13:32:19 LOG7[1802366:259]: socket#1: FD=8 allocated (non-blocking mode) 2011.05.13 13:32:19 LOG7[1802366:259]: socket#2: FD=9 allocated (non-blocking mode) 2011.05.13 13:32:19 LOG7[1802366:259]: bind#1: Invalid argument (22) 2011.05.13 13:32:19 LOG7[1802366:259]: bind#2: Invalid argument (22) 2011.05.13 13:32:19 LOG7[1802366:259]: accept: FD=10 allocated (non-blocking mode) 2011.05.13 13:32:19 LOG6[1802366:259]: Local mode child started (PID=614488) 2011.05.13 13:32:19 LOG7[1802366:259]: Remote FD=10 initialized 2011.05.13 13:32:19 LOG7[1802366:259]: Option TCP_NODELAY set on remote socket 2011.05.13 13:32:19 LOG3[1802366:259]: transfer: s_poll_wait: Invalid argument (22) 2011.05.13 13:32:19 LOG3[614488:259]: : No such file or directory (2) 2011.05.13 13:32:19 LOG5[1802366:259]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket my configuration file is : ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of chroot jail) ; Certificate/key is needed in server mode and optional in client mode cert = /opt/freeware/etc/stunnel/ca_nopass.pem foreground = yes syslog = yes ; Protocol version (all, SSLv2, SSLv3, TLSv1) ;sslVersion = SSLv3 sslVersion = all ;ciphers = DES-CBC-SHA: ;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5 ; Some security enhancements for UNIX systems - comment them out on Win32 ;chroot = /usr/local/stunnel/var/lib/stunnel ;chroot = /tmp/ ;setuid = root ;setgid = other ; PID is created inside chroot jail pid = /var/adm/stunnel_server_level1.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = rle ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ;options = Options_SSL ; Authentication stuff verify = 3 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail CApath = /opt/freeware/etc/stunnel/CA_files/ ; It's often easier to use CAfile ;CAfile = /opt/freeware/etc/stunnel/ca.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail CRLpath = /opt/freeware/etc/stunnel/CRL_files/ ; Alternatively you can use CRLfile ;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 ; Use it for client mode client = no ; Service-level configuration [pesitip] accept = 10443 connect = XXXXXXXXXXXXX:10016 Can you help me to find a solution for this problem please? Thanks you very much. Laurent UK This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Do not print this message unless it is necessary, consider the environment. --------------------------------------------- Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, BNP PARIBAS (et ses filiales) decline(nt) toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie. N'imprimez ce message que si necessaire, pensez a l'environnement.

1 0

stunnel 4.36 compilation problems with Sun Studio compiler
by Ross Richardson 11 May '11

11 May '11

There are several minor problems using the Sun Studion 12 compiler (on Solaris 10 SPARC)... - in str.c, use of STR causes errors because /usr/include/sys/stropts.h contains: #define STR ('S'<<8) The this just requires replacing "STR" with something safer, such as "XSTR". - things fail horribly because SIZEOF_UNSIGNED_CHAR and friends get defined to 0. AFAICT, this happens because configure erroneously decides that cc suports -pendantic (which it appears to, but which causes linking to fail with the symbol "mcount" undefined). The following patch works around this: Index: configure --- configure.orig 2011-05-03 08:14:28.000000000 +1000 +++ configure 2011-05-04 13:51:53.785750000 +1000 @@ -4210,7 +4210,7 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ /* end confdefs.h. */ int main() {return 0;} _ACEOF -if ac_fn_c_try_compile "$LINENO"; then : +if ac_fn_c_try_link "$LINENO"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else - the compiler also gives warnings for the '\r' characters in version.h Hope this helps, rlr -- Ross L Richardson <URL:mailto:Ross.Richardson@utas.edu.au> Senior Systems Administrator Phone : +61 (0)3 6226 6233 Information Technology Resources Fax : +61 (0)3 6226 7171 University of Tasmania, AUSTRALIA

2 4

stunnel high load and lower network I/O yields
by jay＠experts-exchange.com 10 May '11

10 May '11

Folks, We are finding a bottleneck with stunnel for video intensive apps where it will run with weighted CPU near 120% and network interface will yield 30.3Mb, whereas without stunnel the rates will top off near 53.1Mb during the 10 second intervals as reported by iftop. The peaks are higher, but this is not sustained for either case. In order to improve stunnel's performance, is it possible to use a less intensive compute processing encryption, or fork the stunnel per connection? Thanks

2 1

Re: [stunnel-users] Temporary failure in name resolution, (Michal Trojnara)
by Phil Wieland 08 May '11

08 May '11

On 30/04/11 11:00, stunnel-users-request(a)stunnel.org wrote: > > Your stunnel.conf contains: > chroot = /var/lib/stunnel4/ > > Unfortunately this directory does not contain resolver configuration > files: [] >> > These are WITHOUT the suggested patch, I am not really equipped for >> > building on this server. > The patch should solve your problem by causing stunnel to wait until your > resolver is available before chroot(2) is executed. > > Workarounds: > 1. mkdir /var/lib/stunnel4/etc&& cp /etc/resolv.conf > /var/lib/stunnel4/etc/ > 2. Use IP address instead of host names in your stunnel.conf > 3. Add static IP address of your remote host to /etc/hosts > > Best regards, > Mike > > Many thanks for the analysis, Mike. I'll have to organise myself to build so I can apply the patch. Can I be really cheeky and ask one more question? Why does the problem not go away when my resolver is available - Shouldn't stunnel look again for this stuff after getting a temporary error? Thanks again, Phil

2 2

UTF-8 Compatibility
by RetailDecisions 06 May '11

06 May '11

Hi, Can someone tell me from what version of STUNNEL is fully UTF-8 compatible? -- View this message in context: http://old.nabble.com/UTF-8-Compatibility-tp31559422p31559422.html Sent from the Stunnel - Users mailing list archive at Nabble.com.

1 0

UTF-8 Compatibility
by Greg Piazza 06 May '11

06 May '11

Morning All, Can someone tell me from what version(s) of STUNNEL fully support UTF-8? Thanks, Greg Gregory J. Piazza Director of Development Retail Decisions, Inc (ReD) Metropark 379 Thornall St, 7th floor Edison, NJ 08837 USA Direct - +1 732-452-2457 Fax - +1 732-549-0101 Email - gpiazza(a)red-usa.com<mailto:gpiazza@red-usa.com> Web - http://www.retaildecisions.com<http://www.retaildecisions.com/> Making Payments Simple and Secure

1 0

Patch for XMPP in client mode
by Philipp Hartwig 05 May '11

05 May '11

Hi, I've attached a small patch which adds support for the XMPP protocol in client mode. It does pretty much what Brian Hatch has outlined under [1]. I've tested it with several Jabber servers and it seems to work nicely. I'd be very happy about any comments. Regards, Philipp [1] http://stunnel.mirt.net/pipermail/stunnel-users/2009-February/002278.html

1 1

transparent = source, stunnel connect always times out
by Robert Hardy 05 May '11

05 May '11

I've been fighting with stunnel, trying to get its transparent proxy support to work. No matter what I do, as soon as transparent = source support is turned on, tests with my mail client just time out. If I turn transparent proxy support off it works but appears as if connections are from localhost, which is undesirable. My goal is to have stunnel listen on *:465 and provide SSL protected connectivity, which appear to arrive from the remote client IP, on my mail server's external IP address on port 25. My mail server and the firewall with the rules on it are the same physical machine. Can someone please make some suggestions as to what else I can try to get this working? I'm running Linux 2.6.38 on a current CentOS/rhel5 box and I've got modules built for most netfilter options, including: NF_CONNTRACK=m NETFILTER_TPROXY=m NETFILTER_XT_MATCH_SOCKET=m NETFILTER_XT_TARGET_TPROXY=m /proc/sys/net/ipv4/conf/all/rp_filter = 0 /proc/sys/net/ipv4/ip_forward = 1 This is my stunnel config: cert = /etc/stunnel/assps.crt key = /etc/stunnel/assps.key pid = /var/run/stunnel/stunnel_smtps.pid verify = 0 debug = 7 output = /var/log/stunnel_smtps.log TIMEOUTconnect = 60 [smtps] accept = 465 connect = MY_EXTERNAL_IP:25 transparent = source My stunnel seems happy with the DH Parameters in my cert file. My firewall relevant rules: iptables -t mangle -N DIVERT iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT iptables -t mangle -A DIVERT -j MARK --set-mark 1 iptables -t mangle -A DIVERT -j ACCEPT ip rule add fwmark 1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100 # stunnel -version stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 July 2008 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = daemon.notice pid = /var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH curve = sect163r2 session = 300 seconds stack = 65536 bytes sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none # stunnel -sockets Socket option defaults: Option Accept Local Remote OS default SO_DEBUG -- -- -- 0 SO_DONTROUTE -- -- -- 0 SO_KEEPALIVE -- -- -- 0 SO_LINGER -- -- -- 0:0 SO_OOBINLINE -- -- -- 0 SO_RCVBUF -- -- -- 87380 SO_SNDBUF -- -- -- 16384 SO_RCVLOWAT -- -- -- 1 SO_SNDLOWAT -- -- -- 1 SO_RCVTIMEO -- -- -- 0:0 SO_SNDTIMEO -- -- -- 0:0 SO_REUSEADDR 1 -- -- 0 SO_BINDTODEVICE -- -- -- -- TCP_KEEPCNT -- -- -- 9 TCP_KEEPIDLE -- -- -- 7200 TCP_KEEPINTVL -- -- -- 75 IP_TOS -- -- -- 0 IP_TTL -- -- -- 64 TCP_NODELAY -- -- -- 0 Here is the log file with the connection timeout: 2011.03.20 15:26:43 LOG5[23214:3073877712]: Reading configuration from file /etc/stunnel/stunnel-assp_smtps.conf 2011.03.20 15:26:43 LOG7[23214:3073877712]: Snagged 64 random bytes from /root/.rnd 2011.03.20 15:26:43 LOG7[23214:3073877712]: Wrote 1024 new random bytes to /root/.rnd 2011.03.20 15:26:43 LOG7[23214:3073877712]: PRNG seeded successfully 2011.03.20 15:26:43 LOG7[23214:3073877712]: Using DH parameters from /etc/stunnel/assps.crt 2011.03.20 15:26:43 LOG6[23214:3073877712]: DH initialized with 512 bit key 2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate: /etc/stunnel/assps.crt 2011.03.20 15:26:43 LOG7[23214:3073877712]: Certificate loaded 2011.03.20 15:26:43 LOG7[23214:3073877712]: Key file: /etc/stunnel/assps.key 2011.03.20 15:26:43 LOG7[23214:3073877712]: Private key loaded 2011.03.20 15:26:43 LOG7[23214:3073877712]: SSL context initialized for service smtps 2011.03.20 15:26:43 LOG5[23214:3073877712]: Configuration successful 2011.03.20 15:26:43 LOG5[23214:3073877712]: No limit detected for the number of clients 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=3 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=4 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=5 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=6 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=7 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: libwrap_init: FD=8 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=9 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: signal_pipe: FD=10 allocated (blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: accept socket: FD=11 allocated (non-blocking mode) 2011.03.20 15:26:43 LOG7[23214:3073877712]: Option SO_REUSEADDR set on accept socket 2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps bound to 0.0.0.0:465 2011.03.20 15:26:43 LOG7[23214:3073877712]: Service smtps opened FD=11 2011.03.20 15:26:44 LOG7[23220:3073877712]: Created pid file /var/run/stunnel/stunnel_smtps.pid 2011.03.20 15:26:44 LOG5[23220:3073877712]: stunnel 4.35 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 2011.03.20 15:26:44 LOG5[23220:3073877712]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2011.03.20 15:26:56 LOG7[23220:3073877712]: local socket: FD=0 allocated (non-blocking mode) 2011.03.20 15:26:56 LOG7[23220:3073877712]: Service smtps accepted FD=0 from MY_TESTING_CLIENT_IP:56765 2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps started 2011.03.20 15:26:56 LOG7[23220:3073874832]: Option TCP_NODELAY set on local socket 2011.03.20 15:26:56 LOG7[23220:3073874832]: Waiting for a libwrap process 2011.03.20 15:26:56 LOG7[23220:3073874832]: Acquired libwrap process #0 2011.03.20 15:26:56 LOG7[23220:3073874832]: Releasing libwrap process #0 2011.03.20 15:26:56 LOG7[23220:3073874832]: Released libwrap process #0 2011.03.20 15:26:56 LOG7[23220:3073874832]: Service smtps permitted by libwrap from MY_TESTING_CLIENT_IP:56765 2011.03.20 15:26:56 LOG5[23220:3073874832]: Service smtps accepted connection from MY_TESTING_CLIENT_IP:56765 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): before/accept initialization 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client hello A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write server hello A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write certificate request A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read client key exchange A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 read finished A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write change cipher spec A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 write finished A 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL state (accept): SSLv3 flush data 2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 items in the session cache 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects (SSL_connect()) 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client connects that finished 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 client renegotiations requested 2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects (SSL_accept()) 2011.03.20 15:26:56 LOG7[23220:3073874832]: 1 server connects that finished 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 server renegotiations requested 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache hits 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 external session cache hits 2011.03.20 15:26:56 LOG7[23220:3073874832]: 0 session cache misses 2011.03.20 15:26:57 LOG7[23220:3073874832]: 0 session cache timeouts 2011.03.20 15:26:57 LOG6[23220:3073874832]: SSL accepted: new session negotiated 2011.03.20 15:26:57 LOG6[23220:3073874832]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2011.03.20 15:26:57 LOG7[23220:3073874832]: remote socket: FD=1 allocated (non-blocking mode) 2011.03.20 15:26:57 LOG6[23220:3073874832]: local_bind succeeded on the original port 2011.03.20 15:26:57 LOG6[23220:3073874832]: connect_blocking: connecting MY_EXTERNAL_IP:25 2011.03.20 15:26:57 LOG7[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: waiting 60 seconds 2011.03.20 15:27:57 LOG3[23220:3073874832]: connect_blocking: s_poll_wait MY_EXTERNAL_IP:25: TIMEOUTconnect exceeded 2011.03.20 15:27:57 LOG5[23220:3073874832]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.03.20 15:27:57 LOG7[23220:3073874832]: Service smtps finished (0 left) 2011.03.20 15:29:21 LOG7[23220:3073877712]: Dispatching signals from the signal pipe 2011.03.20 15:29:21 LOG5[23220:3073877712]: Received signal 15; terminating 2011.03.20 15:29:21 LOG7[23220:3073877712]: removing pid file /var/run/stunnel/stunnel_smtps.pid The only even slightly odd thing I see other than the timeouts is the " 2011.03.20 15:26:56 LOG7[23220:3073874832]: SSL alert (read): warning: no certificate" I'm not sure what that is about, but it doesn't seem critical...

2 3

Re: [stunnel-users] Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
by Leandro Avila 04 May '11

04 May '11

Hi Laurent, Good to see you figured out the issue. I also learned more things myself. Thanks Jose ! To my knowledge cipher suites that use SHA2 are part of the TLS 1.2 specification but I don't think OpenSSL has that implemented. Cheers ---------------- Leandro Avila ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Wednesday, May 4, 2011 11:02 AM Subject: [stunnel-users] Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Hi everyone, It's ok now i have found the solution i add the root and intermediate certificate of verisign in my Capath and i use in s_client the option -CApath and now it's ok : New, TLSv1/SSLv3, Cipher is DES-CBC-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : DES-CBC-SHA Session-ID: XXXXXXXXXXX Session-ID-ctx: Master-Key: XXXXXXXXXXXXXXXXXXXX Key-Arg : None Start Time: 1304524805 Timeout : 7200 (sec) Verify return code: 0 (ok) but i have another question: How can i test the SHA-2? i search the cipher corresponding in SHA-2 but i didn't found it. Thanks for your help. Regards, Laurent UK Laurent UK Analyste PROTOCOLES RBIS - DBF PBMF2 DOMAINE PMF202 ELECTRONIC FILES 41, rue de Valmy - 93100 Montreuil - ACI CME04B1 Bureau 4226 Tel: 01.58.16.86.45 (68645) 04/05/2011 15:36 Pour josealf(a)rocketmail.com cc stunnel-users(a)stunnel.org, stunnel-users-bounces(a)stunnel.org Objet Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHALien Jose, thanks you, i use my client certificate but have another error now : 1028202:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory 1028202:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: Enter pass phrase for /opt/freeware/etc/stunnel/keystore/crl-3skey.pem: CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=21:unable to verify the first certificate verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 1 s:/C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts i:/O=SWIFT --- Server certificate -----BEGIN CERTIFICATE----- XXXXXXXXXXXXXXXXXX -----END CERTIFICATE----- subject=/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 --- No client certificate CA names sent --- SSL handshake has read 2633 bytes and written 1732 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: XXXXXXXXXXXXXXXXXX Session-ID-ctx: Master-Key: XXXXXXXXXXXXXXXXXX Key-Arg : None Start Time: 1304515751 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- Do you know the reason of this error? Maybe i have to add the first certificate file to a specific folder ? Regards, Laurent UK Internet josealf(a)rocketmail.com 04/05/2011 15:09 Pour Laurent UK cc stunnel-users(a)stunnel.org, stunnel-users-bounces(a)stunnel.org Objet Re: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, We need to present a client certificate to the server. That's the important part missing. Do that by adding -cert your_cert_filename to the command, like: openssl s_client -ssl3 -state -cert your_client_cert_filename -connect your-stunnel-ip:10443 See http://www.openssl.org/docs/apps/s_client.html Regards, Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Wed, May 4, 2011 6:55:19 AM Subject: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Jose, thanks you for your response, i use the openssl s_client command but i have the following error : 1499296:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory 1499296:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=21:unable to verify the first certificate verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL3 alert write:warning:no certificate SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL3 alert read:fatal:handshake failure SSL_connect:failed in SSLv3 read finished A 1499296:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40 1499296:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530: is it normal? Thanks. Regards. Laurent UK Internet josealf(a)rocketmail.com 04/05/2011 13:38 Pour Laurent UK cc stunnel-users(a)stunnel.org, stunnel-users-bounces(a)stunnel.org Objet Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, Ideally, you should terminate the SSL connection on your final server. But that's not the problem here. It should work as is. Mosty likely the problem is on the client SSL software you are using to connect to stunnel. The cipher you are trying to use DESC-CBC-SHA works with SSLv3 and TLSv1. Can you force your client to use those protocols? Maybe it is trying to negotiate SSLv2. Also are you sure it is speaking SSL instead of plain text? You can test your connection to stunnel server with openssl s_client command. Example openssl s_client -ssl3 -state -connect your-stunnel-ip:10443 openssl s_client -tls1 -state -connect your-stunnel-ip:10443 if this works, we found the culprit. Regards Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Wed, May 4, 2011 2:05:07 AM Subject: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Jose, I use 2 servers in my configuration: the first one who listenning on the port 10443 (where we receive encrypted traffic from software using ssl) and the second one who listenning the port 10016 (where we receive decrypted traffic). The first one receive the encrypted traffic, it decrypted it and send it to the second server that's why i only use the server mode on my fist server. Do you think that i also need to change this configuration? Cordialement, Laurent UK Internet josealf(a)rocketmail.com 03/05/2011 19:18 Pour Laurent UK cc stunnel-users(a)stunnel.org, stunnel-users-bounces(a)stunnel.org Objet Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, I'm not sure you are connecting the dots right. I see an stunnel server configuration. In this case, your stunnel is a front-end to a service you run on host XXXX port 10016. What is that service? Is stunnel running on the same host? Note that If stunnel is not running on the same host with IP XXXX, then you may have some traffic in clear text in your network (from the device running stunnel to the device hosting the service on port 10016). You need a client to connect to the stunnel server. Unless your client support SSL natively, you also should have an stunnel running on your client device with entries like these: client=yes [pestip] accept = 10443 connect = Your-Stunnel-server-IP:10443 In this case your client apps connects locally to port 10443, traffic is encrypted and sent to your server listening on port 10443, where it is decripted and send to IP XXXX port 10016. Regards, Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Tue, May 3, 2011 10:48:11 AM Subject: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Dear Jose, here is the configuration file of my stunnel : ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of chroot jail) ; Certificate/key is needed in server mode and optional in client mode cert = /opt/freeware/etc/stunnel/ca_nopass.pem foreground = yes syslog = yes ; Protocol version (all, SSLv2, SSLv3, TLSv1) ;sslVersion = SSLv2 sslVersion = all ;ciphers = DES-CBC-SHA ;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5 ; Some security enhancements for UNIX systems - comment them out on Win32 ;chroot = /usr/local/stunnel/var/lib/stunnel ;chroot = /tmp/ ;setuid = root ;setgid = other ; PID is created inside chroot jail pid = /var/adm/stunnel_server_level1.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = rle ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ;options = Options_SSL ; Authentication stuff verify = 3 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail CApath = /opt/freeware/etc/stunnel/CA_files/ ; It's often easier to use CAfile ;CAfile = /opt/freeware/etc/stunnel/ca.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 ; Use it for client mode client = no ; Service-level configuration [pesitip] accept = 10443 connect = XXXXXXX:10016 Thanks for your help. Regards. Laurent UK Internet josealf(a)rocketmail.com 03/05/2011 14:52 Veuillez répondre à josealf(a)rocketmail.com Pour Laurent UK, stunnel-users-bounces(a)stunnel.org, stunnel-users(a)stunnel.org cc Objet Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, Can you post your configuration? For security, You should change the real IPs (but not the ports) before posting. You can check: 1. Does your stunnel client config has client=yes? 2. Does your stunnel server config has client=no 3. Check your packet flow, that is: your accept/connect settings. Regards Jose -----Original Message----- From: laurent.uk(a)bnpparibas.com Sender: stunnel-users-bounces(a)stunnel.org Date: Tue, 3 May 2011 14:16:09 To: <stunnel-users(a)stunnel.org> Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version number with cipher DES-CBC-SHA _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Do not print this message unless it is necessary, consider the environment. --------------------------------------------- Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, BNP PARIBAS (et ses filiales) decline(nt) toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie. N'imprimez ce message que si necessaire, pensez a l'environnement. _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users

2 1

Re: [stunnel-users] Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
by Jose Alf. 04 May '11

04 May '11

Laurent, Everything looks fine to me. Your were connected to the server using SSLv3 and AES256-SHA ciphers. The zlib error can be ignored. Message "Verify return code: 21 (unable to verify the first certificate)" indicates that openssl s_client was unable to verify the server certificate. You can get rid of this by giving the CAPath in the paremters and making sure the verisign root Ca cert is there. Regards, Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Wed, May 4, 2011 8:36:16 AM Subject: Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Jose, thanks you, i use my client certificate but have another error now : 1028202:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory 1028202:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: Enter pass phrase for /opt/freeware/etc/stunnel/keystore/crl-3skey.pem: CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=21:unable to verify the first certificate verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 1 s:/C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts i:/O=SWIFT --- Server certificate -----BEGIN CERTIFICATE----- XXXXXXXXXXXXXXXXXX -----END CERTIFICATE----- subject=/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 --- No client certificate CA names sent --- SSL handshake has read 2633 bytes and written 1732 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : SSLv3 Cipher : AES256-SHA Session-ID: XXXXXXXXXXXXXXXXXX Session-ID-ctx: Master-Key: XXXXXXXXXXXXXXXXXX Key-Arg : None Start Time: 1304515751 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) --- Do you know the reason of this error? Maybe i have to add the first certificate file to a specific folder ? Regards, Laurent UK Internet josealf(a)rocketmail.com 04/05/2011 15:09 Pour Laurent UK cc stunnel-users(a)stunnel.org, stunnel-users-bounces(a)stunnel.org Objet Re: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, We need to present a client certificate to the server. That's the important part missing. Do that by adding -cert your_cert_filename to the command, like: openssl s_client -ssl3 -state -cert your_client_cert_filename -connect your-stunnel-ip:10443 See http://www.openssl.org/docs/apps/s_client.html Regards, Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Wed, May 4, 2011 6:55:19 AM Subject: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Jose, thanks you for your response, i use the openssl s_client command but i have the following error : 1499296:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory 1499296:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=21:unable to verify the first certificate verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL3 alert write:warning:no certificate SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL3 alert read:fatal:handshake failure SSL_connect:failed in SSLv3 read finished A 1499296:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40 1499296:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530: is it normal? Thanks. Regards. Laurent UK Internet josealf(a)rocketmail.com 04/05/2011 13:38 Pour Laurent UK cc stunnel-users(a)stunnel.org, stunnel-users-bounces(a)stunnel.org Objet Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, Ideally, you should terminate the SSL connection on your final server. But that's not the problem here. It should work as is. Mosty likely the problem is on the client SSL software you are using to connect to stunnel. The cipher you are trying to use DESC-CBC-SHA works with SSLv3 and TLSv1. Can you force your client to use those protocols? Maybe it is trying to negotiate SSLv2. Also are you sure it is speaking SSL instead of plain text? You can test your connection to stunnel server with openssl s_client command. Example openssl s_client -ssl3 -state -connect your-stunnel-ip:10443 openssl s_client -tls1 -state -connect your-stunnel-ip:10443 if this works, we found the culprit. Regards Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Wed, May 4, 2011 2:05:07 AM Subject: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Jose, I use 2 servers in my configuration: the first one who listenning on the port 10443 (where we receive encrypted traffic from software using ssl) and the second one who listenning the port 10016 (where we receive decrypted traffic). The first one receive the encrypted traffic, it decrypted it and send it to the second server that's why i only use the server mode on my fist server. Do you think that i also need to change this configuration? Cordialement, Laurent UK Internet josealf(a)rocketmail.com 03/05/2011 19:18 Pour Laurent UK cc stunnel-users(a)stunnel.org, stunnel-users-bounces(a)stunnel.org Objet Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, I'm not sure you are connecting the dots right. I see an stunnel server configuration. In this case, your stunnel is a front-end to a service you run on host XXXX port 10016. What is that service? Is stunnel running on the same host? Note that If stunnel is not running on the same host with IP XXXX, then you may have some traffic in clear text in your network (from the device running stunnel to the device hosting the service on port 10016). You need a client to connect to the stunnel server. Unless your client support SSL natively, you also should have an stunnel running on your client device with entries like these: client=yes [pestip] accept = 10443 connect = Your-Stunnel-server-IP:10443 In this case your client apps connects locally to port 10443, traffic is encrypted and sent to your server listening on port 10443, where it is decripted and send to IP XXXX port 10016. Regards, Jose ________________________________ From: "laurent.uk(a)bnpparibas.com" <laurent.uk(a)bnpparibas.com> To: josealf(a)rocketmail.com Cc: stunnel-users(a)stunnel.org; stunnel-users-bounces(a)stunnel.org Sent: Tue, May 3, 2011 10:48:11 AM Subject: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Dear Jose, here is the configuration file of my stunnel : ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of chroot jail) ; Certificate/key is needed in server mode and optional in client mode cert = /opt/freeware/etc/stunnel/ca_nopass.pem foreground = yes syslog = yes ; Protocol version (all, SSLv2, SSLv3, TLSv1) ;sslVersion = SSLv2 sslVersion = all ;ciphers = DES-CBC-SHA ;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5 ; Some security enhancements for UNIX systems - comment them out on Win32 ;chroot = /usr/local/stunnel/var/lib/stunnel ;chroot = /tmp/ ;setuid = root ;setgid = other ; PID is created inside chroot jail pid = /var/adm/stunnel_server_level1.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = rle ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ;options = Options_SSL ; Authentication stuff verify = 3 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail CApath = /opt/freeware/etc/stunnel/CA_files/ ; It's often easier to use CAfile ;CAfile = /opt/freeware/etc/stunnel/ca.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 ; Use it for client mode client = no ; Service-level configuration [pesitip] accept = 10443 connect = XXXXXXX:10016 Thanks for your help. Regards. Laurent UK Internet josealf(a)rocketmail.com 03/05/2011 14:52 Veuillez répondre à josealf(a)rocketmail.com Pour Laurent UK, stunnel-users-bounces(a)stunnel.org, stunnel-users(a)stunnel.org cc Objet Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, Can you post your configuration? For security, You should change the real IPs (but not the ports) before posting. You can check: 1. Does your stunnel client config has client=yes? 2. Does your stunnel server config has client=no 3. Check your packet flow, that is: your accept/connect settings. Regards Jose -----Original Message----- From: laurent.uk(a)bnpparibas.com Sender: stunnel-users-bounces(a)stunnel.org Date: Tue, 3 May 2011 14:16:09 To: <stunnel-users(a)stunnel.org> Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version number with cipher DES-CBC-SHA _______________________________________________ stunnel-users mailing list stunnel-users(a)stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Do not print this message unless it is necessary, consider the environment. --------------------------------------------- Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, BNP PARIBAS (et ses filiales) decline(nt) toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie. N'imprimez ce message que si necessaire, pensez a l'environnement.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users May 2011