Hi Laurent,
Good to see you figured out the issue. I also learned more things myself. Thanks Jose!
To my knowledge cipher suites that use SHA2 are part of the TLS 1.2 specification but I don't think OpenSSL has that implemented.
Cheers
---------------- Leandro Avila
________________________________
From: "laurent.uk@bnpparibas.com" laurent.uk@bnpparibas.com
To: josealf@rocketmail.com
Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org
Sent: Wednesday, May 4, 2011 11:02 AM
Subject: [stunnel-users] Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Hi everyone, it's OK now, I have found the solution: I added the root and intermediate certificate of VeriSign to my CApath
and I use the -CApath option in s_client
and now it's OK:

New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC-SHA
    Session-ID: XXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXXXX
    Key-Arg   : None
    Start Time: 1304524805
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

But I have another question:
How can I test SHA-2? I searched for the corresponding SHA-2 cipher but I didn't find it.
Thanks for your help.
Regards,
Laurent UK
Laurent UK
Protocols Analyst RBIS - DBF PBMF2 DOMAINE PMF202 ELECTRONIC FILES
41, rue de Valmy - 93100 Montreuil - ACI CME04B1 Office 4226
Tel: 01.58.16.86.45 (68645)

04/05/2011 15:36
To: josealf@rocketmail.com
cc: stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org
Subject: Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Jose, thank you, I use my client certificate but have another error now:

1028202:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory
1028202:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
Enter pass phrase for /opt/freeware/etc/stunnel/keystore/crl-3skey.pem:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts
   i:/O=SWIFT
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2633 bytes and written 1732 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: XXXXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXX
    Key-Arg   : None
    Start Time: 1304515751
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Do you know the reason for this error?
Maybe I have to add the first certificate file to a specific folder?
Regards,
Laurent UK
Internet josealf@rocketmail.com 04/05/2011 15:09
To: Laurent UK
cc: stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org
Subject: Re: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Laurent,
We need to present a client certificate to the server. That's the important part missing. Do that by adding -cert your_cert_filename to the command, like:

openssl s_client -ssl3 -state -cert your_client_cert_filename -connect your-stunnel-ip:10443

See http://www.openssl.org/docs/apps/s_client.html
Regards, Jose
________________________________
From: "laurent.uk@bnpparibas.com" laurent.uk@bnpparibas.com
To: josealf@rocketmail.com
Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org
Sent: Wed, May 4, 2011 6:55:19 AM
Subject: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Jose, thank you for your response, I use the openssl s_client command but I have the following error:

1499296:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module . System error: No such file or directory
1499296:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL3 alert write:warning:no certificate
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
1499296:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
1499296:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

Is it normal?
Thanks.
Regards.
Laurent UK
Internet josealf@rocketmail.com 04/05/2011 13:38
To: Laurent UK
cc: stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org
Subject: Re: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Laurent,
Ideally, you should terminate the SSL connection on your final server. But that's not the problem here. It should work as is. Most likely the problem is in the client SSL software you are using to connect to stunnel. The cipher you are trying to use, DES-CBC-SHA, works with SSLv3 and TLSv1. Can you force your client to use those protocols? Maybe it is trying to negotiate SSLv2. Also, are you sure it is speaking SSL instead of plain text?
You can test your connection to the stunnel server with the openssl s_client command. Example:

openssl s_client -ssl3 -state -connect your-stunnel-ip:10443
openssl s_client -tls1 -state -connect your-stunnel-ip:10443

If this works, we found the culprit.
Regards
Jose
________________________________
From: "laurent.uk@bnpparibas.com" laurent.uk@bnpparibas.com
To: josealf@rocketmail.com
Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org
Sent: Wed, May 4, 2011 2:05:07 AM
Subject: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Jose,
I use 2 servers in my configuration:
the first one listening on port 10443 (where we receive encrypted traffic from software using SSL)
and the second one listening on port 10016 (where we receive decrypted traffic).
The first one receives the encrypted traffic, decrypts it and sends it to the second server; that's why I only use the server mode on my first server.
Do you think that I also need to change this configuration?
Regards,
Laurent UK
Internet josealf@rocketmail.com 03/05/2011 19:18
To: Laurent UK
cc: stunnel-users@stunnel.org, stunnel-users-bounces@stunnel.org
Subject: Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Laurent,
I'm not sure you are connecting the dots right.
I see an stunnel server configuration. In this case, your stunnel is a front-end to a service you run on host XXXX port 10016. What is that service? Is stunnel running on the same host? Note that if stunnel is not running on the same host with IP XXXX, then you may have some traffic in clear text in your network (from the device running stunnel to the device hosting the service on port 10016).
You need a client to connect to the stunnel server. Unless your client supports SSL natively, you should also have an stunnel running on your client device with entries like these:

client=yes
[pestip]
accept = 10443
connect = Your-Stunnel-server-IP:10443

In this case your client app connects locally to port 10443, traffic is encrypted and sent to your server listening on port 10443, where it is decrypted and sent to IP XXXX port 10016.
Regards,
Jose
________________________________
From: "laurent.uk@bnpparibas.com" laurent.uk@bnpparibas.com
To: josealf@rocketmail.com
Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org
Sent: Tue, May 3, 2011 10:48:11 AM
Subject: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Dear Jose,
here is the configuration file of my stunnel:

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /opt/freeware/etc/stunnel/ca_nopass.pem
foreground = yes
syslog = yes

; Protocol version (all, SSLv2, SSLv3, TLSv1)
;sslVersion = SSLv2
sslVersion = all
;ciphers = DES-CBC-SHA
;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5

; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /usr/local/stunnel/var/lib/stunnel
;chroot = /tmp/
;setuid = root
;setgid = other
; PID is created inside chroot jail
pid = /var/adm/stunnel_server_level1.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
;options = Options_SSL

; Authentication stuff
verify = 3
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /opt/freeware/etc/stunnel/CA_files/
; It's often easier to use CAfile
;CAfile = /opt/freeware/etc/stunnel/ca.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7

; Use it for client mode
client = no

; Service-level configuration
[pesitip]
accept = 10443
connect = XXXXXXX:10016
Thanks for your help.
Regards.
Laurent UK
Internet josealf@rocketmail.com 03/05/2011 14:52
Please reply to josealf@rocketmail.com
To: Laurent UK, stunnel-users-bounces@stunnel.org, stunnel-users@stunnel.org
cc:
Subject: Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
Laurent,
Can you post your configuration? For security, you should change the real IPs (but not the ports) before posting.
You can check:
1. Does your stunnel client config have client=yes?
2. Does your stunnel server config have client=no?
3. Check your packet flow, that is: your accept/connect settings.
Regards
Jose

-----Original Message-----
From: laurent.uk@bnpparibas.com
Sender: stunnel-users-bounces@stunnel.org
Date: Tue, 3 May 2011 14:16:09
To: stunnel-users@stunnel.org
Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version number with cipher DES-CBC-SHA
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
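The diagnostic loop that runs through this thread (Jose's openssl s_client probe with -ssl3/-tls1, the -cert Laurent had to add, and the -CApath that finally turned verify code 21 into 0) is worth automating so the verdict is read from the transcript rather than eyeballed. The script below is an added example, not code from the thread or from the stunnel or OpenSSL projects. CLIENT_CERT, CA_PATH, the host/port arguments and the two sample transcripts are constructed placeholders; the transcripts are modelled on the lines Laurent pasted.

```shell
#!/bin/sh
# Added example (not from the thread): probe a stunnel endpoint with
# `openssl s_client` the way Jose suggested, then extract the negotiated
# cipher and the "Verify return code" from the transcript.
# CLIENT_CERT and CA_PATH are assumed paths; CA_PATH must be c_rehash'ed,
# exactly as the stunnel sample config reminds for its own CApath.

CLIENT_CERT="${CLIENT_CERT:-/path/to/client_cert.pem}"   # hypothetical
CA_PATH="${CA_PATH:-/path/to/CA_files}"                 # hypothetical

# "    Verify return code: N (text)" -> N
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (.*$/\1/p' | head -n 1
}

# "New, TLSv1/SSLv3, Cipher is X" -> X
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \([^ ]*\).*$/\1/p' | head -n 1
}

# The X509 verify codes that appear in this thread, in defender's terms:
# each one means the client could not build a trusted chain, which is the
# condition a real client must treat as fatal rather than "verify return:1".
explain_code() {
    case "$1" in
        0)  echo "ok: chain verified against the trust store" ;;
        20) echo "unable to get local issuer certificate: issuer of a chain member is missing from -CApath/-CAfile" ;;
        21) echo "unable to verify the first certificate: the leaf's issuer (intermediate/root) is not in the trust store" ;;
        27) echo "certificate not trusted: the chain ends at a CA that is not trusted" ;;
        *)  echo "unexpected verify code: $1" ;;
    esac
}

# Live probe; only runs when a host is supplied. Needs network and openssl.
# Third argument selects the protocol flag (-ssl3, -tls1, or -tls1_2 on
# builds that implement TLS 1.2, which is where the SHA-2 suites live).
probe() {
    host="$1"; port="${2:-10443}"; proto="${3:--tls1}"
    openssl s_client "$proto" -state -cert "$CLIENT_CERT" -CApath "$CA_PATH" \
        -connect "$host:$port" </dev/null 2>&1
}

# Leandro's point on SHA-2: those suites are TLS 1.2 suites, so an OpenSSL
# build without TLS 1.2 prints nothing here. SHA256/SHA384 are cipher-string
# aliases documented in ciphers(1).
sha2_suites() {
    openssl ciphers -v 'SHA256:SHA384' 2>/dev/null
}

# Constructed transcript fragments modelled on the ones quoted in the thread.
SAMPLE_UNVERIFIED='New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)'

SAMPLE_OK='New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC-SHA
    Verify return code: 0 (ok)'

# Read one transcript from stdin and print a one-line verdict.
summarise() {
    out="$(cat)"
    code="$(printf '%s\n' "$out" | verify_code)"
    cipher="$(printf '%s\n' "$out" | negotiated_cipher)"
    echo "cipher=$cipher verify=$code ($(explain_code "$code"))"
}

if [ -n "${1:-}" ]; then
    probe "$@" | summarise          # e.g. ./check.sh your-stunnel-ip 10443 -tls1
else
    printf '%s\n' "$SAMPLE_UNVERIFIED" | summarise
    printf '%s\n' "$SAMPLE_OK" | summarise
fi
```

Run with no arguments to see the two constructed transcripts summarised; run with a host (and optionally port and protocol flag) to probe a live stunnel. A non-zero verify code with a successful handshake is exactly the state Laurent was in before adding the VeriSign intermediate and root to CApath: the tunnel comes up, but nothing has authenticated the peer.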
See below:
________________________________
Leandro Avila leandro.avila@ymail.com Wrote:
Good to see you figured out the issue. I also learned more things myself. Thanks Jose !
A/ You're welcome Leandro! Thanks is OK with me, but I also take wire transfers or preloaded ATM cards from banks ;-) I promise to share with list members.
Regards Jose