Hi Laurent, Good to see you figured out the issue. I also learned more things myself. Thanks Jose ! To my knowledge cipher suites that use SHA2 are part of the TLS 1.2 specification but I don't think OpenSSL has that implemented. Cheers ---------------- Leandro Avila ________________________________ From: "laurent.uk@bnpparibas.com" <laurent.uk@bnpparibas.com> To: josealf@rocketmail.com Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org Sent: Wednesday, May 4, 2011 11:02 AM Subject: [stunnel-users] Réf. :  Re: Réf. :  Re: Réf. :  Re: Réf. :  Re:  need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Hi everyone, It's ok now i have found the solution i add the root and intermediate certificate of verisign in my Capath and i use in s_client the option -CApath and now it's ok : New, TLSv1/SSLv3, Cipher is DES-CBC-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session:     Protocol  : SSLv3     Cipher    : DES-CBC-SHA     Session-ID: XXXXXXXXXXX     Session-ID-ctx:     Master-Key: XXXXXXXXXXXXXXXXXXXX     Key-Arg   : None     Start Time: 1304524805     Timeout   : 7200 (sec)     Verify return code: 0 (ok) but i have another question: How can i test the SHA-2? i search the cipher corresponding in SHA-2 but i didn't found it. Thanks for your help. Regards, Laurent UK Laurent UK Analyste PROTOCOLES RBIS - DBF PBMF2 DOMAINE PMF202 ELECTRONIC FILES 41, rue de Valmy - 93100 Montreuil - ACI CME04B1 Bureau 4226 Tel: 01.58.16.86.45 (68645) 04/05/2011 15:36  Pour josealf@rocketmail.com   cc stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org   Objet Réf. :  Re: Réf. :  Re: Réf. :  Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHALien Jose, thanks you, i use my client certificate but have another error now : 1028202:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory 1028202:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: Enter pass phrase for /opt/freeware/etc/stunnel/keystore/crl-3skey.pem: CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=21:unable to verify the first certificate verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain  0 s:/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3  1 s:/C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts    i:/O=SWIFT --- Server certificate -----BEGIN CERTIFICATE----- XXXXXXXXXXXXXXXXXX -----END CERTIFICATE----- subject=/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 --- No client certificate CA names sent --- SSL handshake has read 2633 bytes and written 1732 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session:     Protocol  : SSLv3     Cipher    : AES256-SHA     Session-ID: XXXXXXXXXXXXXXXXXX     Session-ID-ctx:     Master-Key: XXXXXXXXXXXXXXXXXX     Key-Arg   : None     Start Time: 1304515751     Timeout   : 7200 (sec)     Verify return code: 21 (unable to verify the first certificate) --- Do you know the reason of this error? Maybe i have to add the first certificate file to a specific folder ? Regards, Laurent UK Internet   josealf@rocketmail.com 04/05/2011 15:09  Pour Laurent UK   cc stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org   Objet Re: Réf. :  Re: Réf. :  Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, We need to present a client certificate to the server. That's the important part missing. Do that by adding  -cert your_cert_filename to the command, like: openssl s_client -ssl3 -state -cert your_client_cert_filename -connect your-stunnel-ip:10443   See http://www.openssl.org/docs/apps/s_client.html Regards, Jose ________________________________ From: "laurent.uk@bnpparibas.com" <laurent.uk@bnpparibas.com> To: josealf@rocketmail.com Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org Sent: Wed, May 4, 2011 6:55:19 AM Subject: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Jose, thanks you for your response, i use the openssl s_client command but i have the following error : 1499296:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory 1499296:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com verify error:num=21:unable to verify the first certificate verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL3 alert write:warning:no certificate SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL3 alert read:fatal:handshake failure SSL_connect:failed in SSLv3 read finished A 1499296:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40 1499296:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530: is it normal? Thanks. Regards. Laurent UK Internet   josealf@rocketmail.com 04/05/2011 13:38   Pour Laurent UK   cc stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org   Objet Re: Réf. :  Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, Ideally, you should terminate the SSL connection on your final server. But that's not the problem here. It should work as is. Mosty likely the problem is on the client SSL software you are using to connect to stunnel. The cipher you are trying to use DESC-CBC-SHA works with SSLv3 and TLSv1. Can you force your client to use those protocols? Maybe it is trying to negotiate SSLv2. Also are you sure it is speaking SSL instead of plain text? You can test your connection to stunnel server with openssl s_client command. Example openssl s_client -ssl3 -state -connect your-stunnel-ip:10443 openssl s_client -tls1 -state -connect your-stunnel-ip:10443 if this works, we found the culprit. Regards Jose ________________________________ From: "laurent.uk@bnpparibas.com" <laurent.uk@bnpparibas.com> To: josealf@rocketmail.com Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org Sent: Wed, May 4, 2011 2:05:07 AM Subject: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Jose, I use 2 servers in my configuration: the first one who listenning on the port 10443 (where we receive encrypted traffic from software using ssl) and the second one who listenning the port 10016 (where we receive decrypted traffic). The first one receive the encrypted traffic, it decrypted it and send it to the second server that's why i only use the server mode on my fist server. Do you think that i also need to change this configuration? Cordialement, Laurent UK Internet   josealf@rocketmail.com 03/05/2011 19:18   Pour Laurent UK   cc stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org   Objet Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, I'm not sure you are connecting the dots right. I see an stunnel server configuration. In this case, your stunnel is a front-end to a service you run on host XXXX port 10016. What is that service? Is stunnel running on the same host? Note that If stunnel is not running on the same host with IP XXXX, then you may have some traffic in clear text in your network (from the device running stunnel to the device hosting the service on port 10016). You need a client to connect to the stunnel server. Unless your client support SSL natively, you also should have an stunnel running on your client device with entries like these: client=yes [pestip] accept = 10443 connect = Your-Stunnel-server-IP:10443 In this case your client apps connects locally to port 10443, traffic is encrypted and sent to your server listening on port 10443, where it is decripted and send to IP XXXX port 10016. Regards, Jose ________________________________ From: "laurent.uk@bnpparibas.com" <laurent.uk@bnpparibas.com> To: josealf@rocketmail.com Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org Sent: Tue, May 3, 2011 10:48:11 AM Subject: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Dear Jose, here is the configuration file of my stunnel : ; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of chroot jail) ; Certificate/key is needed in server mode and optional in client mode cert = /opt/freeware/etc/stunnel/ca_nopass.pem foreground = yes syslog = yes ; Protocol version (all, SSLv2, SSLv3, TLSv1) ;sslVersion = SSLv2 sslVersion = all ;ciphers = DES-CBC-SHA ;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5 ; Some security enhancements for UNIX systems - comment them out on Win32 ;chroot = /usr/local/stunnel/var/lib/stunnel ;chroot = /tmp/ ;setuid = root ;setgid = other ; PID is created inside chroot jail pid = /var/adm/stunnel_server_level1.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = rle ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ;options = Options_SSL ; Authentication stuff verify = 3 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail CApath = /opt/freeware/etc/stunnel/CA_files/ ; It's often easier to use CAfile ;CAfile = /opt/freeware/etc/stunnel/ca.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting debug = 7 ; Use it for client mode client = no ; Service-level configuration [pesitip] accept = 10443 connect = XXXXXXX:10016 Thanks for your help. Regards. Laurent UK Internet   josealf@rocketmail.com 03/05/2011 14:52 Veuillez répondre à josealf@rocketmail.com   Pour Laurent UK, stunnel-users-bounces@stunnel.org, stunnel-users@stunnel.org   cc   Objet Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA Laurent, Can you post your configuration? For security, You should change the real IPs (but not the ports) before posting. You can check: 1. Does your stunnel client config has client=yes? 2. Does your stunnel server config has client=no 3. Check your packet flow, that is: your accept/connect settings. Regards Jose -----Original Message----- From: laurent.uk@bnpparibas.com Sender: stunnel-users-bounces@stunnel.org Date: Tue, 3 May 2011 14:16:09 To: <stunnel-users@stunnel.org> Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version              number with cipher DES-CBC-SHA _______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Do not print this message unless it is necessary, consider the environment.              --------------------------------------------- Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, BNP PARIBAS (et ses filiales) decline(nt) toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie. N'imprimez ce message que si necessaire, pensez a l'environnement.   _______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users