I am running a stunnel in chroot setup on a Red Hat Enterprise Linux Server (v3): stunnel 4.27 on x86_64-unknown-linux-gnu with OpenSSL 0.9.7a Feb 19 2003 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
And I want to connect from a Windows 2003 system (also version 4.27).
When I try to do a basic connect from the Windows stunnel to the Linux stunnel, the connection gets reset each time. ssldump shows:
New TCP connection #1: hans13(1363) <-> nada(25000)
1 1  0.0000 (0.0000)  C>S  Handshake
      ClientHello
        Version 3.0
        cipher suites
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_MD5
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  unknown value
                  NULL
1 2  0.0000 (0.0000)  S>C  Alert
    level           fatal
    value           handshake_failure
1    0.0000 (0.0000)  S>C  TCP RST
Stunnel logging shows:
2009.10.26 10:37:25 LOG7[29959:1073879408]: xxx started
2009.10.26 10:37:25 LOG7[29959:1073879408]: FD 7 in non-blocking mode
2009.10.26 10:37:25 LOG5[29959:1073879408]: tfe accepted connection from 10.10.10.10:1250
2009.10.26 10:37:25 LOG7[29959:1073879408]: SSL state (accept): before/accept initialization
2009.10.26 10:37:25 LOG7[29959:1073879408]: SSL alert (write): fatal: handshake failure
2009.10.26 10:37:25 LOG3[29959:1073879408]: SSL_accept: 1408A09F: error:1408A09F:SSL routines:SSL3_GET_CLIENT_HELLO:length mismatch
2009.10.26 10:37:25 LOG5[29959:1073879408]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2009.10.26 10:37:25 LOG7[29959:1073879408]: xxx finished (-1 left)
When I explicitly configure the Windows stunnel to use sslVersion = SSLv2 or sslVersion = TLSv1 (see ssldump logging below),
everything works fine. Is this a known bug or an undocumented feature?
Ewald...
New TCP connection #3: hans13.amc.nl(1367) <-> nada.amc.nl(25000)
3 1  0.0000 (0.0000)  C>S  Handshake
      ClientHello
        Version 3.1
        resume [32]=
          b8 a1 d2 93 6a ae 4a 0d 49 04 cd 88 92 75 f1 6d
          d7 65 88 c3 01 51 bf eb d4 44 ce b7 fd 75 32 64
        cipher suites
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  unknown value
                  NULL
3 2  0.0000 (0.0000)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          b8 a1 d2 93 6a ae 4a 0d 49 04 cd 88 92 75 f1 6d
          d7 65 88 c3 01 51 bf eb d4 44 ce b7 fd 75 32 64
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
etc...
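An added example (not from the thread, and not stunnel or OpenSSL code): in OpenSSL's ssl3_get_client_hello, "length mismatch" is raised when the fixed ClientHello fields (version, random, session id, cipher suites, compression methods) do not consume the handshake body exactly, which is what happens when a client appends a TLS extensions block that a server built without extension support does not parse. The script below builds ClientHello records with and without such a trailing block (constructed test input, not the captured traffic above) and reports the leftover byte count, so a hello taken from a packet capture can be checked the same way; it also names the AES suites that ssldump printed as "Unknown value".

```python
import os
import struct

# AES suites that ssldump in the thread printed only as "Unknown value" (IANA ids).
AES_SUITES = {0x2f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
              0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
              0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}

def build_client_hello(version, suites, extensions=b"", session_id=b""):
    """Construct a ClientHello record (constructed test input, not captured traffic).
    'extensions' is appended after the compression methods, which is where an
    extension-aware client places its extensions block."""
    body = bytes(version) + os.urandom(32)                 # client_version + random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # one compression method: NULL
    body += extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Walk the fixed ClientHello fields and report how many bytes are left over.
    A parser that knows no extensions treats any leftover as a length mismatch."""
    def take(buf, pos, n):
        if pos + n > len(buf):
            raise ValueError("truncated at offset %d" % pos)
        return buf[pos:pos + n], pos + n
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    body, _ = take(record, 5, struct.unpack("!H", record[3:5])[0])
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello, _ = take(body, 4, int.from_bytes(body[1:4], "big"))
    ver, pos = take(hello, 0, 2)
    _, pos = take(hello, pos, 32)                          # client random
    sid_len, pos = take(hello, pos, 1)
    sid, pos = take(hello, pos, sid_len[0])
    cs_len, pos = take(hello, pos, 2)
    cs, pos = take(hello, pos, struct.unpack("!H", cs_len)[0])
    cm_len, pos = take(hello, pos, 1)
    cm, pos = take(hello, pos, cm_len[0])
    if len(cs) % 2:
        raise ValueError("odd cipher suite length")
    suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, len(cs), 2)]
    return {"version": (ver[0], ver[1]), "session_id": sid.hex(), "cipher_suites": suites,
            "names": [AES_SUITES.get(s, "0x%04x" % s) for s in suites],
            "compression": list(cm), "trailing_bytes": len(hello) - pos}

if __name__ == "__main__":
    ext = b"\x00\x05\xff\x01\x00\x01\x00"   # 5-byte extensions block: renegotiation_info
    print("plain SSLv3 hello  :", parse_client_hello(build_client_hello((3, 0), [0x39, 0x35, 0x0a])))
    print("hello + extensions :", parse_client_hello(build_client_hello((3, 0), [0x35], ext)))
```

A result with trailing_bytes greater than zero is the kind of hello the 0.9.7a server above rejects; zero trailing bytes means the failure lies elsewhere.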
On Mon, 26 Oct 2009 18:06:14 +0100, Ewald wrote:
> I am running a stunnel in chroot setup on a Red Hat Enterprise Linux Server (v3): stunnel 4.27 on x86_64-unknown-linux-gnu with OpenSSL 0.9.7a Feb 19 2003 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
You may want to upgrade your OpenSSL library. It's almost 7 years old. Quite a lot of critical bugs were fixed in the meantime.
Best regards, Mike