I've been working through the same problem as John, but I tried using Jan's solution by setting the options and still haven't been able to get it to work.
On server1 I am running openssl s_server with tls-only specified: openssl s_server -accept 8443 -cert XDS_REG_HXTI.cer -key hxti1.key -tls1
On the client side (server2), I have stunnel set up as a client listening on localhost port 8100, and forwarding over to server1, port 8443. Then to test I run 'telnet localhost 8100' and see the error message from s_server:
ACCEPT ERROR 16656:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:683: shutting down SSL CONNECTION CLOSED
In my stunnel.log file I can see this error message:
SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
So to me it still seems to be sending out a client hello in sslv3, despite my efforts to the contrary. Below are the pertinent parts of my stunnel_client.conf file. Any help you could give would be greatly appreciated.
Thanks, Jesse
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3

[toOtherServer]
accept = 8100
connect = devapp:8443
-----Original Message-----
From: Jan Meijer [mailto:jan.meijer@surfnet.nl]
Sent: Friday, January 20, 2006 5:20 PM
To: Moehrke, John (GE Healthcare)
Cc: stunnel-users@mirt.net
Subject: RE: [stunnel-users] exclusively TLS
On Fri, 20 Jan 2006, Moehrke, John (GE Healthcare) wrote:
It is not the list of ciphers that I want to choose from. We are indeed using a select set of ciphers and that seems to be working fine. My problem is that when stunnel connects to the server it is trying sslv3, and this causes an error as the server is only supporting TLS. I could easily be wrong...
Ah, that way.
options = SSL_options OpenSSL library options
The parameter is the OpenSSL option name as described in the SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. Several options can be used to specify multiple options.
For example for compatibility with erroneous Eudora SSL implementation the following option can be used:
options = DONT_INSERT_EMPTY_FRAGMENTS
Check the SSL_CTX_set_options manpage, it says -amongst other things-:
SSL_OP_NO_SSLv2 Do not use the SSLv2 protocol.
SSL_OP_NO_SSLv3 Do not use the SSLv3 protocol.
SSL_OP_NO_TLSv1 Do not use the TLSv1 protocol.
That ought to do the trick I'd say.
Let us know if it did :)
Jan
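The two errors in this thread are raised on different sides of the handshake: "wrong version number" from SSL3_GET_CLIENT_HELLO is the TLSv1-only s_server rejecting the version field inside the ClientHello, and the "sslv3 alert handshake failure" in stunnel.log is the client reporting the alert it got back. The script below is an added example (not code from the thread or from stunnel) that parses an OpenSSL error line into its components and mirrors the server-side version check on a constructed ClientHello; the ClientHello bytes and the assumption that the server compares the hello's client_version against its own version (as OpenSSL's ssl3_get_client_hello does) are my own.

```python
import re
import struct

SSL3_VERSION = 0x0300  # SSLv3
TLS1_VERSION = 0x0301  # TLSv1

# OpenSSL error strings have the form error:<code>:<library>:<function>:<reason>
_ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:\n]+?)(?::|$)")

def parse_openssl_error(line):
    """Return (code, library, function, reason) from an OpenSSL error line, or None."""
    m = _ERR_RE.search(line)
    return m.groups() if m else None

def build_client_hello(client_version):
    """Construct a minimal SSLv3/TLSv1 ClientHello record (constructed sample, not a capture)."""
    body = struct.pack(">H", client_version)         # client_version field
    body += b"\x00" * 32                             # client random (zeros for the sample)
    body += b"\x00"                                  # session_id length 0
    body += struct.pack(">H", 2) + b"\x00\x2f"       # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    # record header: type 22 (handshake), record version, length
    return b"\x16" + struct.pack(">H", client_version) + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return (record_version, client_version) from a raw ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = struct.unpack(">H", record[1:3])[0]
    length = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + length]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    client_version = struct.unpack(">H", handshake[4:6])[0]
    return record_version, client_version

def server_accepts_version(record, server_version=TLS1_VERSION):
    """Assumed server-side check: a ClientHello whose client_version is lower than
    the server's version is rejected with 'wrong version number'."""
    _, client_version = parse_client_hello(record)
    return client_version >= server_version

if __name__ == "__main__":
    for v in (SSL3_VERSION, TLS1_VERSION):
        print(hex(v), "accepted by TLSv1-only server:", server_accepts_version(build_client_hello(v)))
```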