Is it just me, or does stunnel not seem to obey the ssl 'options' setting in the config file? I have the lines:
options = TLS_ROLLBACK_BUG
options = NO_TLSv1
options = NO_SSLv3
And when I start stunnel, the output is:
2004.12.20 07:47:46 LOG7[9981:1024]: Configuration SSL options: 0x06800000
2004.12.20 07:47:46 LOG7[9981:1024]: SSL options set: 0x06800000
So all looks well and good... But then when it sends the client hello message, one would expect an ssl2 message, but we get the following output:
2004.12.20 07:47:51 LOG7[9984:1026]: SSL state (connect): SSLv3 write client hello A
2004.12.20 07:47:51 LOG7[9984:1026]: waitforsocket: FD=10, DIR=read
2004.12.20 07:47:51 LOG7[9984:1026]: waitforsocket: ok
2004.12.20 07:47:51 LOG7[9984:1026]: SSL alert (write): fatal: handshake failure
2004.12.20 07:47:51 LOG3[9984:1026]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
That first line seems to indicate that it's still sending a v3 message. Is this actually what's happening?
Justin Miller wrote:
> So all looks well and good... But then when it sends the client hello message, one would expect an ssl2 message, but we get the following
Stunnel is not supposed to act as an SSLv2 client. It uses SSLv3_client_method() in the src/ssl.c file. If you really need SSLv2, change it to SSLv2_client_method() and recompile stunnel. It's not recommended for security, anyway.
See SSL_CTX_new(3) manual for details.
Best regards, Mike
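To show what Mike's reply means in the poster's own log, here is a small decoder (added here, not stunnel's code): it reads the "SSL options set" mask back into the stunnel keywords using the OpenSSL 0.9.x SSL_OP_* bit values, then compares that with the version stunnel's fixed-method context actually used for its client hello. The constants are the OpenSSL ssl.h values of that era; the sample log is the thread's output pasted in as constructed input.

```python
import re

# OpenSSL 0.9.x SSL_OP_* bit values from ssl.h (assumed from that era's headers);
# stunnel's "options =" keywords are these names without the SSL_OP_ prefix.
SSL_OPTIONS = {
    "TLS_ROLLBACK_BUG": 0x00800000,
    "NO_SSLv2": 0x01000000,
    "NO_SSLv3": 0x02000000,
    "NO_TLSv1": 0x04000000,
}

# Constructed sample: the relevant stunnel debug lines quoted in the thread.
SAMPLE_LOG = """\
2004.12.20 07:47:46 LOG7[9981:1024]: Configuration SSL options: 0x06800000
2004.12.20 07:47:46 LOG7[9981:1024]: SSL options set: 0x06800000
2004.12.20 07:47:51 LOG7[9984:1026]: SSL state (connect): SSLv3 write client hello A
2004.12.20 07:47:51 LOG3[9984:1026]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

OPTIONS_RE = re.compile(r"SSL options set: 0x([0-9a-fA-F]+)")
HELLO_RE = re.compile(r"SSL state \(connect\): (\S+) write client hello")


def parse_options_mask(log_text):
    """Return the mask stunnel reports as applied to the SSL_CTX, or None."""
    m = OPTIONS_RE.search(log_text)
    return int(m.group(1), 16) if m else None


def decode_options(mask):
    """Map a mask back to stunnel 'options =' keywords (sorted for stable output)."""
    return sorted(name for name, bit in SSL_OPTIONS.items() if mask & bit)


def hello_version(log_text):
    """Protocol version of the client hello the connect state machine wrote."""
    m = HELLO_RE.search(log_text)
    return m.group(1) if m else None


def hello_disabled_by_options(log_text):
    """True when the hello's version is one the NO_* options were meant to exclude.

    The NO_* bits only prune version negotiation; they do not turn a context
    built with a fixed method such as SSLv3_client_method() into another version,
    which is the mismatch the poster saw.
    """
    mask = parse_options_mask(log_text)
    version = hello_version(log_text)
    if mask is None or version is None:
        return False
    return bool(mask & SSL_OPTIONS.get("NO_" + version, 0))


if __name__ == "__main__":
    mask = parse_options_mask(SAMPLE_LOG)
    print("options applied:", decode_options(mask))
    print("client hello version:", hello_version(SAMPLE_LOG))
    print("hello version disabled by options:", hello_disabled_by_options(SAMPLE_LOG))
```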