Stephen Hogan wrote:
> 2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A
> [cut]
> I have a basic (shaky) understanding that the "handshake" for TLS does downgrade to SSLv3 if newer versions of TLS fail, but I am wondering if I apply the update recommended on the firewall, will this cut the communication for the SMTP relay, the way I am using it?
The debug messages produced by stunnel can sometimes be confusing. They are intended to be helpful to developers, and not end-users.
OpenSSL implements the SSL/TLS/DTLS protocols with three separate finite state machines: SSLv2, SSLv3, and DTLS1.
http://en.wikipedia.org/wiki/Automata-based_programming
All TLS protocols use the SSLv3 state machine, thus the state name does not reflect the actual protocol being negotiated.
See the source for details: https://github.com/openssl/openssl/blob/master/ssl/ssl_stat.c
Best regards, Mike
Hi Michal,
Thanks for making that a lot clearer!
You remind me of my college days (and nights!) when referring to finite state machines - I have a very good working knowledge of these as well! ;)
That's very good news... so I presume the line:
2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
... is the confirmation that the TLS protocol is being used?
(Apologies for my delayed response - I was out of the office yesterday.)
Regards, Stephen
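Added example (not part of the original messages and not stunnel's own code): a small Python audit of stunnel log lines that sets the OpenSSL state-machine names aside and reads the protocol from the `Negotiated ... ciphersuite` line instead. The line layout is taken from the two lines quoted in this thread; the `[4200]` sample lines are constructed, and treating the bracketed number as an id that groups the lines of one connection is an assumption.

```python
import re
from collections import defaultdict

# Layout taken from the log lines quoted in the thread:
#   <date> <time> LOG<level>[<id>]: <message>
LINE_RE = re.compile(
    r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} LOG\d\[(?P<id>\d+)\]: (?P<msg>.*)$")
# OpenSSL state-machine name: says which state machine runs, not the protocol.
STATE_RE = re.compile(r"^SSL state \(\w+\): (?P<state>.+)$")
# Handshake result: this is the line that names the negotiated protocol.
NEGOTIATED_RE = re.compile(
    r"^Negotiated (?P<proto>\S+) ciphersuite (?P<cipher>\S+) \(\d+-bit encryption\)$")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

def audit(lines):
    """Return one finding per completed handshake, in log order."""
    pending = defaultdict(list)  # id -> state names seen since last result
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a stunnel log line in the assumed layout
        if (s := STATE_RE.match(m["msg"])):
            pending[m["id"]].append(s["state"])
        elif (n := NEGOTIATED_RE.match(m["msg"])):
            findings.append({
                "id": m["id"],
                "protocol": n["proto"],
                "cipher": n["cipher"],
                "weak": n["proto"] in WEAK_PROTOCOLS,
                "states": pending.pop(m["id"], []),
            })
    return findings

# First two lines are from the thread; the [4200] lines are constructed.
SAMPLE_LOG = [
    "2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A",
    "2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)",
    "2014.10.28 14:36:10 LOG7[4200]: SSL state (connect): SSLv3 write client hello A",
    "2014.10.28 14:36:10 LOG6[4200]: Negotiated SSLv3 ciphersuite AES256-SHA (256-bit encryption)",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        verdict = "WEAK" if f["weak"] else "ok"
        print(f'[{f["id"]}] {f["protocol"]} {f["cipher"]} -> {verdict} '
              f'(state names seen: {f["states"]})')
```

Both sample connections log the same `SSLv3 write client hello A` state name, but only the second one is flagged, because only its `Negotiated` line reports SSLv3.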
________________________________________
From: stunnel-users stunnel-users-bounces@stunnel.org on behalf of Michal Trojnara Michal.Trojnara@mirt.net
Sent: 29 October 2014 16:14
To: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Exchange Online - SSLv3 and Sophos UTM 120 firewall update