Hi,
while I'm trying to get stunnel working for more than a few hours, I've also noticed this warning in Google Chrome:
the connection had to be retried using SSL 3.0. This typically means that
the server is using very old software and may have other security issues.
gmail for example has AES_128_CBC for crypting, can we get that without much effort?
What should be set to get rid of this warning? I thought SSL v3 was the best (quickly picked across several examples on the net); what is the best setting for this?
Thanks for your help, Thomas.
My config :
debug = 7
output = /var/log/stunnel4/extranet.service.com_stunnel.log
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/extranet.service.com.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[extranet.service.com]
key = /etc/stunnel/sites/extranet.service.com/extranet.service.com.key
cert = /etc/stunnel/sites/extranet.service.com/extranet.service.com.crt
accept = 8.90.17.4:443
connect = 127.0.0.1:82
sslVersion = SSLv3
TIMEOUTclose = 0
Thomas Manson wrote:
gmail for example has AES_128_CBC for crypting, can we get that without much effort?
Of course. The option you want is: ciphers = AES128-SHA
BTW: Bear in mind that CBC-based ciphers are vulnerable to the BEAST attack, and thus *less* secure than the stunnel default. https://www.net-security.org/article.php?id=1638
Mike
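As an added example (not a config from the thread or from the stunnel project): the service section from the first post with its version pin, and beside it a corrected version. Pinning sslVersion = SSLv3 means the server refuses a TLS 1.x handshake, so a TLS-capable browser retries with SSL 3.0, which is the situation Chrome's message describes. Assumptions: the option names sslVersion, options and ciphers and the values "all" and NO_SSLv2 as documented for stunnel 4.x; the paths and addresses are the ones from the thread.

```ini
; Before (as posted in the thread): the server only speaks SSLv3, so a
; TLS client fails its first handshake and retries with SSL 3.0
[extranet.service.com]
key = /etc/stunnel/sites/extranet.service.com/extranet.service.com.key
cert = /etc/stunnel/sites/extranet.service.com/extranet.service.com.crt
accept = 8.90.17.4:443
connect = 127.0.0.1:82
sslVersion = SSLv3
TIMEOUTclose = 0

; After (added suggestion): offer every protocol version stunnel supports,
; refuse SSLv2, and leave 'ciphers' unset to keep the stunnel default.
; Uncomment the ciphers line only if AES128-SHA is really wanted; it is a
; CBC suite, which is what Mike's BEAST note is about.
[extranet.service.com]
key = /etc/stunnel/sites/extranet.service.com/extranet.service.com.key
cert = /etc/stunnel/sites/extranet.service.com/extranet.service.com.crt
accept = 8.90.17.4:443
connect = 127.0.0.1:82
sslVersion = all
options = NO_SSLv2
;ciphers = AES128-SHA
TIMEOUTclose = 0
```

After changing the section, restart stunnel and look at the negotiated protocol in the browser's connection details (or in the stunnel log at debug = 7, which records the protocol and cipher of each session); the retry-with-SSL-3.0 message disappears once the first TLS handshake succeeds.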
Hi Mike,
thanks for the explanation.
So according to you, I should set anything to use the stunnel defaults?
what's very strange is that from another PC (a colleague)
- in Google Chrome I don't see the same crypting technology (CAMELLIA_256_CBC, Firefox reports the same)
- it says the certificate can't be approved (in another Firefox too)
- I've asked her to flush the DNS cache and retry
On my desktop computer I get the same crypting but no certificate error.
On my laptop: I've the crypting I've reported in my first post, and the warning.
Any idea why the crypting is different? (Chrome versions are different on minor versions, same version for Firefox)
Thomas.
On Fri, Apr 6, 2012 at 12:53, Michal Trojnara Michal.Trojnara@mirt.net wrote:
ciphers = AES128-SHA
Thomas,
The most likely cause for the different algorithms is the use of different libraries. Stunnel uses OpenSSL, Mozilla uses NSS, not sure what Google Chrome uses. Each library implements different cipher suites. So each browser might select different ciphers to connect to the same server.
----------------- Leandro Avila
From: Thomas Manson dev.mansonthomas@gmail.com
To: Michal Trojnara Michal.Trojnara@mirt.net
Cc: stunnel-users@stunnel.org
Sent: Friday, April 6, 2012 6:35 AM
Subject: Re: [stunnel-users] the connection had to be retried using SSL 3.0. This typically means that the server is using very old software and may have other security issues :(
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
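Leandro's point above (each TLS library offers its own ordered cipher list, and the server picks the first overlap) can be shown in a few lines. This is an added example, not code from the thread or from stunnel: the suite lists are constructed for illustration, not captured from real browsers, and the names follow OpenSSL's naming (CAMELLIA256-SHA is the suite Chrome displays as CAMELLIA_256_CBC). The negotiation rule modelled is the usual one: the server walks its own list when it enforces server preference (OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE), otherwise the client's order decides. The last helper asks the local OpenSSL, through Python's ssl module, which suites a stunnel "ciphers = ..." string would enable; its output depends on the OpenSSL build, so it is not asserted on.

```python
"""Simulate cipher-suite selection for several clients against one server,
to show why two browsers can end up on different suites for the same
stunnel instance. All lists are constructed examples (assumption), not
real browser or stunnel data."""
import ssl

# Constructed stand-in for a server's enabled suites, in its preference order.
SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "CAMELLIA256-SHA",
    "AES128-SHA",
    "RC4-SHA",
]

# Constructed client offers; order and content differ on purpose, as they do
# between TLS libraries (OpenSSL vs NSS) and between browser builds.
CLIENTS = {
    "client-A": ["AES128-SHA", "AES256-SHA"],                   # prefers AES128 itself
    "client-B": ["CAMELLIA256-SHA", "AES128-SHA"],              # has no AES256-SHA
    "client-C": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"],  # GCM-capable
    "client-D": ["DES-CBC3-SHA"],                               # nothing in common
}

# Tags in OpenSSL-style names that mean "not a CBC suite".
NON_CBC_TAGS = ("GCM", "CCM", "CHACHA20", "POLY1305", "RC4")


def negotiate(server_suites, client_suites, server_preference=True):
    """Return the suite the handshake settles on, or None if no overlap.

    With server_preference the walk follows the server's order and the
    client list only filters; without it the client's order decides."""
    if server_preference:
        ordered, allowed = server_suites, set(client_suites)
    else:
        ordered, allowed = client_suites, set(server_suites)
    for suite in ordered:
        if suite in allowed:
            return suite
    return None


def uses_cbc(suite):
    """Name heuristic for OpenSSL suite names: anything that is not
    GCM/CCM/ChaCha20/RC4 is a CBC suite. CBC suites under TLS 1.0 are the
    ones the BEAST note in the thread refers to."""
    return not any(tag in suite for tag in NON_CBC_TAGS)


def report(server_suites=SERVER_SUITES, clients=CLIENTS, server_preference=True):
    """Map each client name to (negotiated suite, is_cbc); is_cbc is None
    when no suite could be agreed."""
    out = {}
    for name, offer in clients.items():
        chosen = negotiate(server_suites, offer, server_preference)
        out[name] = (chosen, uses_cbc(chosen) if chosen else None)
    return out


def local_openssl_suites(cipher_string):
    """Suite names the local OpenSSL enables for a stunnel 'ciphers = ...'
    string; empty list if the string matches nothing (ssl.SSLError)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for pref in (True, False):
        print(f"server preference = {pref}")
        for name, (suite, cbc) in report(server_preference=pref).items():
            print(f"  {name}: {suite}  cbc={cbc}")
    print("local OpenSSL for 'AES128-SHA':", local_openssl_suites("AES128-SHA"))
```

Run as a script it prints the suite each constructed client lands on, once with server preference and once without; the same server gives client-A a different suite in the two modes, and client-B never gets AES256-SHA because it does not offer it, which is the kind of difference Thomas saw between machines.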
Ok,
but the same browser across different machines will not do the same.
Still strange to me.
(same behavior with stunnel 4.53 and 4.35, so as you said, it seems a client related behavior)
Regards, Thomas.
On Tue, Apr 10, 2012 at 04:33, Leandro Avila leandro.avila@ymail.com wrote: