FW: Help with disabling SSLv3

Actually I think the SSLv3 in the log is a lie – as this is also in the log just before the below:

TLS state (connect): before/connect initialization

TLS state (connect): SSLv3 write client hello A

TLS state (connect): SSLv3 read server hello A

So I am thinking the eliptic curve stuff is more likely the issue?

Eric

VICS, LLC

Eric S Eberhard

2933 W Middle Verde Rd

Camp Verde, AZ 86322

928-567-3727 (land line)

928-301-7537 (cell phone)

http://www.vicsmba.com

https://www.facebook.com/groups/286143052248115

_____________________________________________
From: Eberhard <flash@vicsmba.com>
Sent: Tuesday, March 14, 2023 9:15 AM
To: 'stunnel-users@stunnel.org' <stunnel-users@stunnel.org>
Subject: Help with disabling SSLv3
Importance: High

I am suddenly getting errors from Fedex:

TLS state (connect): SSLv3 read server certificate A

error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib

error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group

error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib

SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long

My .conf file says:

output = /tmp/fedex.log

debug = 7

RNDfile = /visanet/ssl/stunnel.rnd

RNDoverwrite = yes

client = yes

connect = ws.fedex.com:443

;connect = gateway.fedex.com:443

;connect = wssha1ends12172016.fedex.com:443

sslVersion = TLSv1.2

options = NO_SSLv3

sslVersionMin = TLSv1.2

CAfile = /usr/local/ssl/certs/cacert.pem

It is a very old version of stunnel but I cannot upgrade as this is a 15 year old AIX (IBM) computer

stunnel 5.44 on powerpc-ibm-aix4.3.3.0 platform

Compiled/running with OpenSSL 1.0.2 22 Jan 2015

Threading:FORK Sockets:POLL,IPv4 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Invalid configuration file name "--version"

realpath: No such file or directory (2)

Yet the log implies I am still trying SSLv3.

Any ideas? Thanks in advance.