
On 02/03/2015 04:00 PM, christian.tenvenne@lhsystems.com wrote:
My client's ssl-log (-Djavax.net.debug=ssl) confirms that, during handshake and for application data, the highest TLS protocol version is being used.
How come the stunnel log still shows "SSLv3"?
The protocols etc. that happen "under the hood" haven't been redefined *completely from scratch* for TLS, so "old" names reappear when you dig into the details. OpenSSL talks about "SSLv3" when making a TLS 1.2 connection, too:
$ ( sleep 1 ; echo "HEAD / HTTP/1.0" ; echo "" ; sleep 2 ) | \
  openssl s_client -connect www.nec-store.de:443 -tls1_2 -state 2>&1 \
  | egrep '(SSL|TLS)v'
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2

Regards,
J. Bern
--
*NEW* - NEC IT infrastructure products at <http://www.linworks-shop.de/>:
Server--Storage--Virtualization--Management SW--Passion for Performance
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Switchboard -0, Fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel
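
Added example, not part of the original message or of OpenSSL/stunnel: a small shell check that reads the negotiated version from the "Protocol  :" field of s_client output instead of from the "SSLv3" state-string labels discussed above. The function names and the TLSv1.2/TLSv1.3 allow-list are assumptions; the sample lines are abridged from the output quoted in the message.

```shell
#!/bin/sh
# Sample input: abridged from the s_client -state output quoted in the message.
sample_output() {
cat <<'EOF'
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
EOF
}

# The negotiated version is the "Protocol  :" field of the session summary.
negotiated_protocol() {
    awk -F':' '/^[ \t]*Protocol[ \t]*:/ {
        gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Labels that prefix the handshake state strings. They name OpenSSL's
# internal state machine, not the version agreed on the wire.
state_labels() {
    sed -n 's|^SSL_[a-z]*:\([^ ]*\) .*|\1|p' | sort -u | paste -sd' ' -
}

# Hypothetical policy: accept only TLSv1.2 or TLSv1.3.
# Exit status: 0 accepted, 1 too old, 2 no Protocol line found.
check_min_tls() {
    proto=$(negotiated_protocol)
    case "$proto" in
        TLSv1.2|TLSv1.3) echo "ok $proto"; return 0 ;;
        "")              echo "unknown";   return 2 ;;
        *)               echo "weak $proto"; return 1 ;;
    esac
}

# Stand-alone run on the embedded sample. Against a live server, pipe the
# s_client command from the message (with "2>&1") into check_min_tls instead.
sample_output | check_min_tls
```

On the sample, state_labels reports only "SSLv3" while check_min_tls accepts the session as TLSv1.2, which is the distinction the reply draws.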