Actually I think the SSLv3 in the log is a lie - as this is also in the log just before the below:
TLS state (connect): before/connect initialization
TLS state (connect): SSLv3 write client hello A
TLS state (connect): SSLv3 read server hello A
So I am thinking the elliptic curve stuff is more likely the issue?
Eric
VICS, LLC Eric S Eberhard 2933 W Middle Verde Rd Camp Verde, AZ 86322
928-567-3727 (land line) 928-301-7537 (cell phone)
http://www.vicsmba.com/ https://www.facebook.com/groups/286143052248115
_____________________________________________
From: Eberhard flash@vicsmba.com
Sent: Tuesday, March 14, 2023 9:15 AM
To: 'stunnel-users@stunnel.org' stunnel-users@stunnel.org
Subject: Help with disabling SSLv3
Importance: High
I am suddenly getting errors from Fedex:
TLS state (connect): SSLv3 read server certificate A
error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long
My .conf file says:
output = /tmp/fedex.log
debug = 7
RNDfile = /visanet/ssl/stunnel.rnd
RNDoverwrite = yes
client = yes
connect = ws.fedex.com:443
;connect = gateway.fedex.com:443
;connect = wssha1ends12172016.fedex.com:443
sslVersion = TLSv1.2
options = NO_SSLv3
sslVersionMin = TLSv1.2
CAfile = /usr/local/ssl/certs/cacert.pem
It is a very old version of stunnel, but I cannot upgrade as this is a 15-year-old AIX (IBM) computer.
stunnel 5.44 on powerpc-ibm-aix4.3.3.0 platform
Compiled/running with OpenSSL 1.0.2 22 Jan 2015
Threading:FORK Sockets:POLL,IPv4 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Invalid configuration file name "--version"
realpath: No such file or directory (2)
Yet the log implies I am still trying SSLv3.
Any ideas? Thanks in advance.
Eric
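Added example (not part of either message, and not stunnel or OpenSSL code): a small Python decoder for the packed OpenSSL 1.0.x error codes in the log quoted above, showing which library each entry came from. The names decode, parse_errors and root_cause are hypothetical, the sample log is rebuilt from the lines in the message, and treating the last logged entry as the earliest failure is an assumption based on the call nesting visible in the function names.

```python
import re

# OpenSSL 1.0.x packs an error code as lib<<24 | func<<12 | reason (ERR_PACK).
# Library numbers below are the ERR_LIB_* constants from OpenSSL's err.h.
LIBS = {3: "BN (bignum)", 16: "EC (elliptic curve)", 20: "SSL"}

# Constructed sample: the error-queue lines quoted in the message above.
SAMPLE_LOG = """\
TLS state (connect): SSLv3 read server certificate A
error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long
"""

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")


def decode(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_errors(log_text):
    """Return one dict per OpenSSL error line, in log order."""
    out = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue  # "TLS state" lines carry no error code
        lib, func, reason = decode(m.group(1))
        out.append({"code": m.group(1).upper(), "lib": LIBS.get(lib, f"lib {lib}"),
                    "function": m.group(3), "reason_text": m.group(4).strip(),
                    "reason": reason})
    return out


def root_cause(log_text):
    """Assumption: the queue is logged newest-first, so the last entry failed first."""
    errors = parse_errors(log_text)
    return errors[-1] if errors else None


if __name__ == "__main__":
    for e in parse_errors(SAMPLE_LOG):
        print(f'{e["code"]}  {e["lib"]:<20} {e["function"]:<28} {e["reason_text"]}')
    print("deepest error:", root_cause(SAMPLE_LOG)["function"])
```

Run against the sample, every entry decodes to the SSL, EC or BN library, and the function names are key-exchange and curve-setup routines rather than version negotiation.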