Actually I think the SSLv3 in the log is a lie - as this is also in the log just before the below:
TLS state (connect): before/connect initialization
TLS state (connect): SSLv3 write client hello A
TLS state (connect): SSLv3 read server hello A
So I am thinking the elliptic curve stuff is more likely the issue?
Eric
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115
From: Eberhard flash@vicsmba.com
Sent: Tuesday, March 14, 2023 9:15 AM
To: 'stunnel-users@stunnel.org' stunnel-users@stunnel.org
Subject: Help with disabling SSLv3
Importance: High
I am suddenly getting errors from Fedex:
TLS state (connect): SSLv3 read server certificate A
error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long
My .conf file says:
output = /tmp/fedex.log
debug = 7
RNDfile = /visanet/ssl/stunnel.rnd
RNDoverwrite = yes
client = yes
connect = ws.fedex.com:443
;connect = gateway.fedex.com:443
;connect = wssha1ends12172016.fedex.com:443
sslVersion = TLSv1.2
options = NO_SSLv3
sslVersionMin = TLSv1.2
CAfile = /usr/local/ssl/certs/cacert.pem
It is a very old version of stunnel but I cannot upgrade as this is a 15 year old AIX (IBM) computer
stunnel 5.44 on powerpc-ibm-aix4.3.3.0 platform
Compiled/running with OpenSSL 1.0.2 22 Jan 2015
Threading:FORK Sockets:POLL,IPv4 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Invalid configuration file name "--version"
realpath: No such file or directory (2)
Yet the log implies I am still trying SSLv3.
Any ideas? Thanks in advance.
Eric
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115
On 3/14/23 13:20, Eberhard wrote:
Actually I think the SSLv3 in the log is a lie–as this is also in the log just before the below:
TLS state (connect): before/connect initialization
TLS state (connect): SSLv3 write client hello A
TLS state (connect): SSLv3 read server hello A
So I am thinking the elliptic curve stuff is more likely the issue?
It's common to see an SSLv3 "hello" to be as compatible as possible. It's possible that common code paths that existed back to SSLv3 still log that way even when being used in a TLSvx.y handshake.
https://www.ssllabs.com/ssltest/analyze.html?d=ws.fedex.com
They only support a small set of cipher suites, which is good.
Qualys says you should be able to connect with TLSv1.2 with cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 which is supported by OpenSSL 1.0.2.
Are you able to connect with:
$ openssl s_client -connect ws.fedex.com:443
You may be required to provide a client-cert in order to connect. See the usage information for "s_client" to see how to do that.
-chris
From: Eberhard flash@vicsmba.com
Sent: Tuesday, March 14, 2023 9:15 AM
To: 'stunnel-users@stunnel.org' stunnel-users@stunnel.org
Subject: Help with disabling SSLv3
Importance: High
I am suddenly getting errors from Fedex:
TLS state (connect): SSLv3 read server certificate A
error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long
My .conf file says:
output = /tmp/fedex.log
debug = 7
RNDfile = /visanet/ssl/stunnel.rnd
RNDoverwrite = yes
client = yes
connect = ws.fedex.com:443
;connect = gateway.fedex.com:443
;connect = wssha1ends12172016.fedex.com:443
sslVersion = TLSv1.2
options = NO_SSLv3
sslVersionMin = TLSv1.2
CAfile = /usr/local/ssl/certs/cacert.pem
It is a very old version of stunnel but I cannot upgrade as this is a 15 year old AIX (IBM) computer
stunnel 5.44 on powerpc-ibm-aix4.3.3.0 platform
Compiled/running with OpenSSL 1.0.2 22 Jan 2015
Threading:FORK Sockets:POLL,IPv4 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Invalid configuration file name "--version"
realpath: No such file or directory (2)
Yet the log implies I am still trying SSLv3.
Any ideas? Thanks in advance.
Eric
VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ 86322
928-567-3727 (land line)
928-301-7537 (cell phone)
http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115
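The error stack in the original post ends in the elliptic curve routines while the client is reading the server's key exchange, so the first thing worth knowing is which named group the server actually put in its ServerKeyExchange. The following is an added example (not from stunnel, OpenSSL, or anyone in this thread) that decodes a TLS 1.2 ECDHE ServerKeyExchange message and reports the group. The two sample messages are constructed for the example, not captured from ws.fedex.com; with a real capture (for instance the hex dump that `openssl s_client -connect ws.fedex.com:443 -tls1_2 -msg` prints for the `ServerKeyExchange` message) you would feed those bytes to `parse_ecdhe_ske` instead. The set of groups labelled as known to OpenSSL 1.0.2 is deliberately limited to the three NIST prime curves as an assumption for the example; the one fact it relies on is that x25519 and x448 only arrived in OpenSSL 1.1.0.

```python
"""Decode a TLS 1.2 ECDHE ServerKeyExchange and report the named group.

Added example for this thread; not code from stunnel or OpenSSL.  Sample
messages below are constructed, not captured from any real server.
"""
import struct

# Subset of the IANA "TLS Supported Groups" registry (RFC 8422 / RFC 7919).
NAMED_GROUPS = {
    23: "secp256r1", 24: "secp384r1", 25: "secp521r1",
    29: "x25519", 30: "x448",
    256: "ffdhe2048", 257: "ffdhe3072", 258: "ffdhe4096",
}

# Assumption for this example: treat only the three NIST prime curves as
# groups an OpenSSL 1.0.2 client can map to an EC_GROUP when it parses
# ServerKeyExchange (1.0.2 knows more secp curves than this).  x25519 and
# x448 were added in OpenSSL 1.1.0, so a 1.0.2 client cannot build them.
OPENSSL_102_GROUPS = {23, 24, 25}

HANDSHAKE_SERVER_KEY_EXCHANGE = 12   # HandshakeType server_key_exchange
CURVE_TYPE_NAMED = 3                 # ECCurveType named_curve


def parse_ecdhe_ske(msg):
    """Parse a ServerKeyExchange handshake message (4-byte header + body).

    Layout (RFC 8422 s.5.4 / RFC 5246): ECParameters{curve_type, NamedCurve},
    ECPoint{uint8 len, point}, SignatureAndHashAlgorithm, opaque signature<0..2^16-1>.
    Raises ValueError on anything malformed or truncated.
    """
    if len(msg) < 4 or msg[0] != HANDSHAKE_SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    if len(body) < 4 or body[0] != CURVE_TYPE_NAMED:
        raise ValueError("only named_curve ECParameters are supported")
    (curve_id,) = struct.unpack("!H", body[1:3])
    point_len = body[3]
    point = body[4:4 + point_len]
    if point_len == 0 or len(point) != point_len:
        raise ValueError("truncated ECPoint")
    off = 4 + point_len
    if len(body) < off + 4:
        raise ValueError("truncated SignatureAndHashAlgorithm")
    sig_hash, sig_alg, sig_len = struct.unpack("!BBH", body[off:off + 4])
    signature = body[off + 4:off + 4 + sig_len]
    if len(signature) != sig_len:
        raise ValueError("truncated signature")
    return {
        "curve_id": curve_id,
        "curve_name": NAMED_GROUPS.get(curve_id, "unknown(%d)" % curve_id),
        "point": point,
        "sig_hash": sig_hash,
        "sig_alg": sig_alg,
        "signature": signature,
    }


def openssl_102_would_fail(curve_id):
    """True if, under this example's assumption, OpenSSL 1.0.2 cannot build the group."""
    return curve_id not in OPENSSL_102_GROUPS


def build_ske(curve_id, point, signature, sig_hash=4, sig_alg=1):
    """Build a constructed ServerKeyExchange (default sigalg: rsa_pkcs1_sha256)."""
    body = bytes([CURVE_TYPE_NAMED]) + struct.pack("!H", curve_id)
    body += bytes([len(point)]) + point
    body += struct.pack("!BBH", sig_hash, sig_alg, len(signature)) + signature
    return bytes([HANDSHAKE_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body


# Constructed samples: an uncompressed P-256 point (0x04 + 64 bytes) and a
# 32-byte X25519 point; the 256-byte signatures are placeholders.
SKE_P256 = build_ske(23, b"\x04" + b"\x11" * 64, b"\x00" * 256)
SKE_X25519 = build_ske(29, b"\x22" * 32, b"\x00" * 256)

if __name__ == "__main__":
    for label, msg in (("P-256 sample", SKE_P256), ("X25519 sample", SKE_X25519)):
        info = parse_ecdhe_ske(msg)
        print("%s: server chose %s (id %d), point %d bytes, OpenSSL 1.0.2 fails: %s" % (
            label, info["curve_name"], info["curve_id"], len(info["point"]),
            openssl_102_would_fail(info["curve_id"])))
```

If the decoded group is one your client build does not know, that is consistent with the `EC_GROUP_new_by_curve_name:unknown group` line in the log; if it is a group the client does know, the failure lies elsewhere and the parser has at least ruled the curve choice out.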
stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org