Hi,
Last week I disabled SSLv3 on my stunnel server. I thought I tested it, but this morning I had to use it and I couldn't get access. Now at the office I tried again, with the same result. After enabling SSLv3 again I could get access. So my configuration seems wrong.

My server runs Ubuntu 12.04 LTS; stunnel is 4.42-1ubuntu (stock Ubuntu). This is my stunnel.conf (tunnels removed/edited):

client = no
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid
debug = debug
output = /var/log/stunnel4/stunnel.log

options = NO_SSLv2
options = NO_SSLv3

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CApath = /etc/stunnel-certs
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/lace3.keycrt

[tunnel vnc]
accept = 12345
connect = remotehost:5901
The log on the server:

2014.10.21 08:32:15 LOG7[28587:140281088546560]: Service tunnel vnc accepted FD=0 from 192.168.1.14:55708
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc started
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Option TCP_NODELAY set on local socket
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Waiting for a libwrap process
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Acquired libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Releasing libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Released libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc permitted by libwrap from 192.168.1.14:55708
2014.10.21 08:32:15 LOG5[28587:140281088538368]: Service tunnel vnc accepted connection from 192.168.1.14:55708
2014.10.21 08:32:15 LOG7[28587:140281088538368]: SSL state (accept): before/accept initialization
2014.10.21 08:32:15 LOG7[28587:140281088538368]: SSL alert (write): fatal: handshake failure
2014.10.21 08:32:15 LOG3[28587:140281088538368]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2014.10.21 08:32:15 LOG5[28587:140281088538368]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc finished (0 left)
2014.10.21 08:32:15 LOG7[28587:140281088538368]: str_stats: 0 block(s), 0 byte(s)

The log on the client (openSUSE 13.1):

2014.10.21 08:47:47 LOG7[978:140089725433664]: local socket: FD=0 allocated (non-blocking mode)
2014.10.21 08:47:47 LOG7[978:140089725433664]: Service tunnel vnc accepted FD=0 from 127.0.0.1:39609
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc started
2014.10.21 08:47:47 LOG7[978:140089725630208]: Option TCP_NODELAY set on local socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: Waiting for a libwrap process
2014.10.21 08:47:47 LOG7[978:140089725630208]: Acquired libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Releasing libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Released libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc permitted by libwrap from 127.0.0.1:39609
2014.10.21 08:47:47 LOG5[978:140089725630208]: Service tunnel vnc accepted connection from 127.0.0.1:39609
2014.10.21 08:47:47 LOG7[978:140089725630208]: remote socket: FD=1 allocated (non-blocking mode)
2014.10.21 08:47:47 LOG6[978:140089725630208]: connect_blocking: connecting 192.168.0.30:12345
2014.10.21 08:47:47 LOG7[978:140089725630208]: connect_blocking: s_poll_wait 192.168.0.30:13001: waiting 10 seconds
2014.10.21 08:47:47 LOG5[978:140089725630208]: connect_blocking: connected 192.168.0.30:12345
2014.10.21 08:47:47 LOG5[978:140089725630208]: Service tunnel vnc connected remote server from 192.168.1.14:55770
2014.10.21 08:47:47 LOG7[978:140089725630208]: Remote FD=1 initialized
2014.10.21 08:47:47 LOG7[978:140089725630208]: Option TCP_NODELAY set on remote socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL state (connect): before/connect initialization
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL state (connect): SSLv3 write client hello A
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL alert (read): fatal: handshake failure
2014.10.21 08:47:47 LOG3[978:140089725630208]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2014.10.21 08:47:47 LOG5[978:140089725630208]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc finished (0 left)
2014.10.21 08:47:47 LOG7[978:140089725630208]: str_stats: 0 blocks, 0 bytes
Am I missing something? I would like to stay with Ubuntu's standard packages.
Thanks for any advice.
Koenraad Lelong.
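An added example, not part of the post above and not stunnel's own code: a small Python parser for the stunnel 4.x log format shown in the thread that picks out the LOG3 SSL_accept/SSL_connect failures and decodes the packed OpenSSL error code (hex LLFFFRRR: library, function, reason) so that, after a protocol change like disabling SSLv3, the resulting handshake failures can be counted per peer side and reason. The regexes are written against the 4.x lines quoted above and are an assumption for other stunnel versions; the sample log lines are constructed from them.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample in stunnel 4.x debug-log format, modelled on the lines in the post:
# one LOG3 error from the server side (SSL_accept) and one from the client side (SSL_connect).
SAMPLE_LOG = """\
2014.10.21 08:32:15 LOG5[28587:140281088538368]: Service tunnel vnc accepted connection from 192.168.1.14:55708
2014.10.21 08:32:15 LOG3[28587:140281088538368]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2014.10.21 08:47:47 LOG3[978:140089725630208]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
"""

# Line: "<date> <time> LOG<level>[<pid>:<tid>]: <message>" (level 3 is syslog "err").
LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
# Message: "<call>: <code>: error:<code>:<library>:<function>:<reason>" as stunnel prints OpenSSL errors.
ERR_RE = re.compile(r"^(SSL_accept|SSL_connect): ([0-9A-Fa-f]{8}): error:[0-9A-Fa-f]{8}:([^:]+):([^:]+):(.*)$")

class HandshakeError(NamedTuple):
    ts: str
    call: str             # SSL_accept (server side) or SSL_connect (client side)
    reason: int           # OpenSSL reason id from the packed error code
    func_name: str
    reason_text: str
    alert: Optional[int]  # TLS alert description when the failure is an alert sent by the peer

def decode_openssl_error(code: int):
    """Split a packed OpenSSL error code (hex LLFFFRRR) into 8-bit library, 12-bit function, 12-bit reason."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    # Reason ids 1000..1255 mean "received TLS alert"; reason - 1000 is the alert description (40 = handshake_failure).
    alert = reason - 1000 if 1000 <= reason <= 1255 else None
    return lib, func, reason, alert

def parse_handshake_errors(log_text: str):
    """Return one HandshakeError per LOG3 SSL_accept/SSL_connect failure; all other lines are skipped."""
    errors = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "3":
            continue
        e = ERR_RE.match(m.group(5))
        if not e:
            continue
        _lib, _func, reason, alert = decode_openssl_error(int(e.group(2), 16))
        errors.append(HandshakeError(m.group(1), e.group(1), reason, e.group(4), e.group(5), alert))
    return errors

def summarize(errors):
    """Count failures per (call, function, reason) so the fallout of a protocol change is visible at a glance."""
    return Counter((e.call, e.func_name, e.reason_text) for e in errors)
```

Run it over the real /var/log/stunnel4/stunnel.log after a change to the options lines: a server-side SSL3_GET_CLIENT_HELLO "wrong version number" count tells you which clients are still negotiating a protocol the server no longer accepts, while the client-side entry shows the alert number the server answered with.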