Actually, I think the SSLv3 in the log is a lie, as this is also in the log just before the below:

    TLS state (connect): before/connect initialization
    TLS state (connect): SSLv3 write client hello A
    TLS state (connect): SSLv3 read server hello A

So I am thinking the elliptic curve stuff is more likely the issue?

Eric



VICS, LLC

Eric S Eberhard

2933 W Middle Verde Rd

Camp Verde, AZ  86322

928-567-3727            (land line)

928-301-7537            (cell phone)

http://www.vicsmba.com

https://www.facebook.com/groups/286143052248115
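A small decoder for the log excerpt quoted in this thread, added here as an example; it is not stunnel or OpenSSL code and not part of the original posts. It assumes the OpenSSL 1.0.x error-code layout (0xLLFFFRRR: 8-bit library, 12-bit function, 12-bit reason, as packed by ERR_PACK in err.h), which matches the "Compiled/running with OpenSSL 1.0.2" line in the stunnel -version output below. Two things it makes visible: in OpenSSL 1.0.x the handshake state names carry an "SSLv3" prefix for every SSLv3 and TLS 1.x handshake, so those lines say nothing about the negotiated version; and of the four error-queue entries, two only report that a lower library failed ("EC lib", "BN lib"), leaving "unknown group" and "bignum too long" in the elliptic-curve and bignum layers as the actual failure reasons. The ERR_LIB table is deliberately limited to the three libraries that appear in the log.

```python
"""Decode the OpenSSL 1.0.x error codes that stunnel prints at debug = 7.

Added example, not stunnel or OpenSSL code.  SAMPLE_LOG is the excerpt
quoted in the mailing-list thread, embedded so the script runs offline.
"""
import re

SAMPLE_LOG = """\
TLS state (connect): before/connect initialization
TLS state (connect): SSLv3 write client hello A
TLS state (connect): SSLv3 read server hello A
TLS state (connect): SSLv3 read server certificate A
error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long
"""

# OpenSSL 1.0.x packs an error as 0xLLFFFRRR: 8-bit library, 12-bit function,
# 12-bit reason (ERR_PACK in err.h).  Only the ERR_LIB_* values that occur in
# this log are listed; the full table is in OpenSSL's err.h.
ERR_LIB = {3: "BN", 16: "EC", 20: "SSL"}

# Reason codes below 100 are the shared ERR_R_* reasons.  ERR_R_<X>_LIB is
# defined as ERR_LIB_<X>, so such a reason means "library X failed", not why.
COMMON_REASON_LIMIT = 100

STATE_RE = re.compile(r"TLS state \((connect|accept)\): (.+)$")
ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_error(line):
    """Return a dict for one 'error:XXXXXXXX:lib:func:reason' entry, or None."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack(code)
    # A reason of ERR_R_<X>_LIB is a link to another entry, not a cause.
    blames = ERR_LIB.get(reason) if reason < COMMON_REASON_LIMIT else None
    return {
        "code": code,
        "lib": ERR_LIB.get(lib, f"lib#{lib}"),
        "func": func,
        "func_name": m.group(3),
        "reason": reason,
        "reason_text": m.group(4).strip(),
        "blames": blames,
    }


def analyse(log_text):
    """Summarise handshake states and the error chain from a stunnel log."""
    states, errors = [], []
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(2).strip())
            continue
        err = decode_error(line)
        if err:
            errors.append(err)
    # Entries that merely blame a lower library are links in the chain; the
    # remaining entries carry the failure reasons worth investigating.
    root_causes = [e for e in errors if e["blames"] is None]
    # OpenSSL 1.0.x labels every SSLv3 *and* TLS 1.x handshake state "SSLv3",
    # so this count is about the labels, not the negotiated protocol.
    sslv3_labels = sum(1 for s in states if s.startswith("SSLv3"))
    return {
        "last_state": states[-1] if states else None,
        "sslv3_labelled_states": sslv3_labels,
        "chain": [(e["lib"], e["func_name"], e["blames"] or e["reason_text"])
                  for e in errors],
        "root_causes": [f'{e["lib"]}:{e["func_name"]}:{e["reason_text"]}'
                        for e in root_causes],
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("handshake stopped after:", result["last_state"])
    print("states labelled SSLv3:", result["sslv3_labelled_states"],
          "(OpenSSL 1.0.x label only, not the negotiated version)")
    for lib, func, what in result["chain"]:
        print(f"  {lib:>3} {func}: {what}")
    print("actual failure reasons:", result["root_causes"])
```

Run it on a full stunnel log rather than the excerpt and the same two regexes pick out the state and error lines; anything that does not match is ignored. The decoder stops at naming the failing layer; why that OpenSSL build rejects the server's curve parameters is a separate question that the thread does not answer.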



_____________________________________________
From: Eberhard <flash@vicsmba.com>
Sent: Tuesday, March 14, 2023 9:15 AM
To: 'stunnel-users@stunnel.org' <stunnel-users@stunnel.org>
Subject: Help with disabling SSLv3
Importance: High


I am suddenly getting errors from FedEx:

    TLS state (connect): SSLv3 read server certificate A
    error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
    error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
    error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
    SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long

My .conf file says:

    output = /tmp/fedex.log
    debug = 7
    RNDfile = /visanet/ssl/stunnel.rnd
    RNDoverwrite = yes
    client = yes
    connect = ws.fedex.com:443
    ;connect = gateway.fedex.com:443
    ;connect = wssha1ends12172016.fedex.com:443
    sslVersion = TLSv1.2
    options = NO_SSLv3
    sslVersionMin = TLSv1.2
    CAfile = /usr/local/ssl/certs/cacert.pem

It is a very old version of stunnel, but I cannot upgrade as this is a 15-year-old AIX (IBM) computer.

    stunnel 5.44 on powerpc-ibm-aix4.3.3.0 platform
    Compiled/running with OpenSSL 1.0.2 22 Jan 2015
    Threading:FORK Sockets:POLL,IPv4 TLS:ENGINE,FIPS,OCSP,PSK,SNI
    Invalid configuration file name "--version"
    realpath: No such file or directory (2)

Yet the log implies I am still trying SSLv3.

Any ideas?  Thanks in advance.

Eric

 
