On 02/03/2015 04:00 PM, christian.tenvenne@lhsystems.com wrote:
> My client's SSL log (-Djavax.net.debug=ssl) confirms that, during the handshake and for application data, the highest TLS protocol version is being used.
> How come the stunnel log still shows "SSLv3"?
The protocols etc. that happen "under the hood" haven't been redefined *completely from scratch* for TLS, so "old" names reappear when you dig into the details. OpenSSL talks about "SSLv3" when making a TLS 1.2 connection, too:
    $ ( sleep 1 ; echo "HEAD / HTTP/1.0" ; echo "" ; sleep 2 ) | \
        openssl s_client -connect www.nec-store.de:443 -tls1_2 -state 2>&1 | \
        egrep '(SSL|TLS)v'
    SSL_connect:SSLv3 write client hello A
    SSL_connect:SSLv3 read server hello A
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server key exchange A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read server session ticket A
    SSL_connect:SSLv3 read finished A
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
        Protocol  : TLSv1.2
Regards, J. Bern
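The point of the reply above is that the "SSLv3" in OpenSSL's per-state messages is a label of the state machine, while the negotiated version is only stated in the "Protocol :" line of the session summary. The following script is an added example (not part of the thread and not stunnel's or OpenSSL's own code) that separates the two when reading `s_client -state` output: it collects the version labels seen on the `SSL_connect:` lines and the protocol/cipher from the summary. The sample log is the output quoted in the reply, re-typed here as constructed input; the regular expressions assume the line formats shown in that output (and the "SSLv3/TLS" label that newer OpenSSL releases print instead of plain "SSLv3").

```python
import re

# Constructed sample: the `openssl s_client -state` output quoted in the
# reply above, one event per line (not captured live by this script).
SAMPLE_LOG = """\
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Protocol  : TLSv1.2
"""

# State-machine trace lines: an optional version label ("SSLv3", or
# "SSLv3/TLS" in newer OpenSSL) followed by the state name.
STATE_RE = re.compile(r"^SSL_(?:connect|accept):(?:(SSLv\d(?:/TLS)?) )?(.+)$")
# Session summary lines (format assumed from the output quoted above).
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)")
CIPHER_RE = re.compile(r"^New, ([^,]+), Cipher is (\S+)")


def parse_s_client(log):
    """Split s_client -state output into the state-machine labels and the
    negotiated session parameters from the summary block."""
    result = {"state_labels": set(), "states": [], "protocol": None,
              "cipher": None, "cipher_family": None}
    for line in log.splitlines():
        m = STATE_RE.match(line)
        if m:
            if m.group(1):
                result["state_labels"].add(m.group(1))
            result["states"].append(m.group(2))
            continue
        m = PROTO_RE.match(line)
        if m:
            result["protocol"] = m.group(1)
            continue
        m = CIPHER_RE.match(line)
        if m:
            # "TLSv1/SSLv3" here is the cipher-suite family, not the version.
            result["cipher_family"], result["cipher"] = m.group(1), m.group(2)
    return result


def negotiated_protocol(log):
    """The only authoritative version indicator in this output."""
    return parse_s_client(log)["protocol"]


def sslv3_actually_negotiated(log):
    """True only if the session summary says SSLv3. The per-state labels are
    deliberately ignored: OpenSSL prints them for TLS 1.x handshakes too."""
    return negotiated_protocol(log) == "SSLv3"


if __name__ == "__main__":
    info = parse_s_client(SAMPLE_LOG)
    print("state labels seen :", sorted(info["state_labels"]))
    print("handshake states  :", len(info["states"]))
    print("negotiated        :", info["protocol"], info["cipher"])
    print("SSLv3 in use?     :", sslv3_actually_negotiated(SAMPLE_LOG))
```

For a direct check that a server really refuses SSLv3, rather than reading labels, connect with `openssl s_client -connect host:443 -ssl3` (on OpenSSL builds that still include SSLv3 support) and expect the handshake to fail; a successful "Protocol : SSLv3" line is the only output that should worry you.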