Hi all,
We need to use SSLv3, but with the Debian Jessie package version 5.06 this is not working.
I have added options = -NO_SSLv3, still the same.
Can you check if my configuration is good, and do you have any idea how to get SSLv3 working with this version?
# stunnel.conf
syslog = no
cert = /etc/ssl/certs/test.crt.pem
key = /etc/ssl/private/test.key.pem
CAfile = /etc/ssl/certs/test.ca-bundle

# Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = -NO_SSLv3
ciphers = AES256-SHA
#ciphers = ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL

# Some debugging stuff useful for troubleshooting
debug = 7
output = /stunnel.log

# Debian and Ubuntu chroot config
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid

# Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

[test]
accept = 11443
connect = 127.0.0.1:11444
# stunnel log with openssl test
SSL_accept: 14076102: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol

openssl s_client -connect 127.0.0.1:11443 -ssl3
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1462525363
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
Maybe Debian removed support for SSLv3 in its OpenSSL libraries. This protocol is now obsolete and should not be used. If that is the case, you will need to compile your own OpenSSL with SSLv3 enabled.
Anyway, you should ask in a Debian forum.
Regards, Jose
On 6 May 2016, at 4:16, Francois Pires francois.pires@dalenys.com wrote:
-- Regards,
François PIRES, SysAdmin
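The thread diagnoses the problem from two artefacts: the stunnel debug line "unsupported protocol" and an s_client session that ends with "Cipher is (NONE)" and zero handshake bytes. The script below is an added example, not code from the thread or from the stunnel project. It turns that manual reading into a repeatable check: classify_handshake classifies a pasted s_client transcript, count_unsupported_protocol counts rejected-protocol events in a stunnel log (useful for confirming, after a migration away from SSLv3, that nothing still depends on it), and probe_protocols runs the live per-version test against a host and port you supply. The live probe assumes the openssl CLI is on PATH and skips any version flag the local OpenSSL build no longer knows, which is exactly the situation described for Debian Jessie; the host, port and sample lines are my own placeholders.

```shell
#!/bin/sh
# Added example for the stunnel-users thread above (not the project's own code).
# Assumes: `openssl` on PATH for the live probe only; the classifiers read stdin.

# classify_handshake: read one `openssl s_client` transcript on stdin and print
# "accepted", "rejected" or "unknown". A rejected handshake, as in the thread,
# reports "New, (NONE), Cipher is (NONE)"; a successful one names a cipher.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*) echo rejected ;;
        *"Cipher is "*)       echo accepted ;;
        *)                    echo unknown ;;
    esac
}

# count_unsupported_protocol: read stunnel log lines on stdin and print how many
# record a client hello for a protocol version the server does not accept
# (the "SSL23_GET_CLIENT_HELLO:unsupported protocol" line from the thread).
count_unsupported_protocol() {
    # grep -c exits 1 when there are no matches; that is a valid count of 0.
    grep -c 'unsupported protocol' || true
}

# probe_protocols HOST PORT: try each protocol version flag against the
# endpoint and report what the server did. Flags the local OpenSSL build does
# not list in `s_client -help` (e.g. -ssl3 on a build without SSLv3) are skipped
# rather than misreported as a server rejection.
probe_protocols() {
    host=$1
    port=$2
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if ! openssl s_client -help 2>&1 | grep -q -- " $flag "; then
            printf '%-8s not supported by local openssl build\n' "$flag"
            continue
        fi
        result=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 \
                 | classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Usage: sh probe.sh HOST [PORT]   (defaults to 443; does nothing without a host)
if [ -n "${1:-}" ]; then
    probe_protocols "$1" "${2:-443}"
fi
```

Reading the result the way the thread does: a line reporting "-ssl3 not supported by local openssl build" means the libssl that stunnel links against cannot negotiate SSLv3 at all, and no stunnel sslVersion or options setting will change that; "-ssl3 rejected" with other versions accepted means the library can speak it but the server configuration (or the distribution's default options) has it disabled. The expected and desirable state for a modern deployment is that every line for -ssl3 and -tls1 reads "rejected" or "not supported".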
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users