I'm running stunnel in server-mode with options "NO_SSLV2" and "NO_SSLV3" and sslVersion=all. My client also explicitly disables SSLv2 and SSLv3.
My client's ssl-log (-Djavax.net.debug=ssl) confirms that, during handshake and for application data, the highest TLS protocol version is being used.
How come, stunnel log still shows "SSLv3" ?
2015.02.03 14:42:46 LOG5[8415:140561397376768]: ldaps-in accepted connection from X.X.X.X:65158 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): before/accept initialization 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 read client hello A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write server hello A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write certificate A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write server done A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 flush data 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 read client key exchange A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 read finished A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write change cipher spec A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 write finished A 2015.02.03 14:42:46 LOG7[8415:140561397376768]: SSL state (accept): SSLv3 flush data 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 9 items in the session cache 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 client connects (SSL_connect()) 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 client connects that finished 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 client renegotiations requested 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 12 server connects (SSL_accept()) 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 9 server connects that finished 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 server renegotiations requested 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 session cache hits 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 external session cache hits 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 session cache misses 2015.02.03 14:42:46 LOG7[8415:140561397376768]: 0 session cache timeouts 2015.02.03 14:42:46 LOG6[8415:140561397376768]: SSL accepted: new session negotiated 2015.02.03 14:42:46 LOG6[8415:140561397376768]: Negotiated ciphers: AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
Is my client's ssl-log wrong? Or stunnel's?
Kind regards, Christian Tenvenne
On 02/03/2015 04:00 PM, christian.tenvenne@lhsystems.com wrote:
My client's ssl-log (-Djavax.net.debug=ssl) confirms that, during handshake and for application data, the highest TLS protocol version is being used.
How come, stunnel log still shows "SSLv3" ?
The protocols etc. that happen "under the hood" haven't been redefined *completely from scratch* for TLS, so "old" names reappear when you dig into the details. OpenSSL talks about "SSLv3" when making a TLS 1.2 connection, too:
$ ( sleep 1 ; echo "HEAD / HTTP/1.0" ; echo "" ; sleep 2 ) | \
openssl s_client -connect www.nec-store.de:443 -tls1_2 -state 2>&1 \ | egrep '(SSL|TLS)v'
SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read server session ticket A SSL_connect:SSLv3 read finished A New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Protocol : TLSv1.2
Regards, J. Bern
-
christian.tenvenne@lhsystems.com -
Jochen Bern