Hi,
Last week I disabled SSLv3 on my stunnel-server. I thought I tested it,
but this morning I had to use it and I couldn't get access.
Now at the office I tried again, with the same result. After enabling
SSLv3 again I could get access. So my configuration seems wrong.
My server runs Ubuntu 12.04 LTS, stunnel is 4.42-1ubuntu (stock ubuntu).
This is my stunnel.conf (tunnels removed/edited) :
client = no
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid
debug = debug
output = /var/log/stunnel4/stunnel.log
options = NO_SSLv2
options = NO_SSLv3
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CApath = /etc/stunnel-certs
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/lace3.keycrt
[tunnel vnc]
accept = 12345
connect = remotehost:5901
The log on the server :
2014.10.21 08:32:15 LOG7[28587:140281088546560]: Service tunnel vnc
accepted FD=0 from 192.168.1.14:55708
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc started
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Option TCP_NODELAY set
on local socket
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Waiting for a libwrap
process
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Acquired libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Releasing libwrap
process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Released libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc
permitted by libwrap from 192.168.1.14:55708
2014.10.21 08:32:15 LOG5[28587:140281088538368]: Service tunnel vnc
accepted connection from 192.168.1.14:55708
2014.10.21 08:32:15 LOG7[28587:140281088538368]: SSL state (accept):
before/accept initialization
2014.10.21 08:32:15 LOG7[28587:140281088538368]: SSL alert (write):
fatal: handshake failure
2014.10.21 08:32:15 LOG3[28587:140281088538368]: SSL_accept: 1408A10B:
error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2014.10.21 08:32:15 LOG5[28587:140281088538368]: Connection reset: 0
bytes sent to SSL, 0 bytes sent to socket
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc
finished (0 left)
2014.10.21 08:32:15 LOG7[28587:140281088538368]: str_stats: 0 block(s),
0 byte(s)
The log on the client (opensuse 13.1) :
2014.10.21 08:47:47 LOG7[978:140089725433664]: local socket: FD=0
allocated (non-blocking mode)
2014.10.21 08:47:47 LOG7[978:140089725433664]: Service tunnel vnc
accepted FD=0 from 127.0.0.1:39609
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc started
2014.10.21 08:47:47 LOG7[978:140089725630208]: Option TCP_NODELAY set on
local socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: Waiting for a libwrap process
2014.10.21 08:47:47 LOG7[978:140089725630208]: Acquired libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Releasing libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Released libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc
permitted by libwrap from 127.0.0.1:39609
2014.10.21 08:47:47 LOG5[978:140089725630208]: Service tunnel vnc
accepted connection from 127.0.0.1:39609
2014.10.21 08:47:47 LOG7[978:140089725630208]: remote socket: FD=1
allocated (non-blocking mode)
2014.10.21 08:47:47 LOG6[978:140089725630208]: connect_blocking:
connecting 192.168.0.30:12345
2014.10.21 08:47:47 LOG7[978:140089725630208]: connect_blocking:
s_poll_wait 192.168.0.30:13001: waiting 10 seconds
2014.10.21 08:47:47 LOG5[978:140089725630208]: connect_blocking:
connected 192.168.0.30:12345
2014.10.21 08:47:47 LOG5[978:140089725630208]: Service tunnel vnc
connected remote server from 192.168.1.14:55770
2014.10.21 08:47:47 LOG7[978:140089725630208]: Remote FD=1 initialized
2014.10.21 08:47:47 LOG7[978:140089725630208]: Option TCP_NODELAY set on
remote socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL state (connect):
before/connect initialization
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL state (connect):
SSLv3 write client hello A
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL alert (read): fatal:
handshake failure
2014.10.21 08:47:47 LOG3[978:140089725630208]: SSL_connect: 14094410:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2014.10.21 08:47:47 LOG5[978:140089725630208]: Connection reset: 0 bytes
sent to SSL, 0 bytes sent to socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc
finished (0 left)
2014.10.21 08:47:47 LOG7[978:140089725630208]: str_stats: 0 blocks, 0 bytes
Am I missing something ?
I would like to stay with Ubuntu's standard packages.
Thanks for any advice.
Koenraad Lelong.