Hello all,
For a remote TLS 1.0 web service:
$ # openssl s_client -connect myremote:7002 -tls1
CONNECTED(00000004)
depth=0 CN = xxx, OU = xxx, O = xxx, C = xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = xxx, OU = xxx, O = xxx, C = xxx
verify return:1
---
Certificate chain
...
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC8zCCAdsCBGCvjhEwDQYJKoZIhvcNAQEFBQAwPjEOMAwGA1UEAxMFRUZXRUIx
...
QG9sNNhQW65rRVmdqy/g0cBbLKRKhmRCS+ajRIzBcO9ZmMe42TES
-----END CERTIFICATE-----
subject=XXX
issuer=XXX
---
No client certificate CA names sent
---
SSL handshake has read 889 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 2D9F8D8833A459C16C1D01F0C92F8EB7
    Session-ID-ctx:
    Master-Key: 1BF68D1AAEEC291A60252ECD63C374661FBBE028FB39A75DDA29E4E3FB6FE34CFC80F875F9E16F9D7C840F185757F583
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1625842735
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
closed
$
I can test it alright with an "old" curl:

$ curl --version
curl 7.15.4 (sparc-sun-solaris2.9) libcurl/7.15.4 OpenSSL/0.9.7g zlib/1.2.3
Protocols: tftp ftp telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz

...like this:

$ curl -skL https://myremote:7002/MyWebService?WSDL
<?xml version="1.0" encoding="UTF-8"?>
...
</soap:address>
</port>
</service>
</definitions>
I want to tls1.2-enable myremote:7002 with stunnel, and run a tls1.2 curl instead.
My stunnel installation:

$ /opt/csw/bin/stunnel -version
Initializing inetd mode configuration
stunnel 5.59 on sparc-sun-solaris2.10 platform
Compiled with OpenSSL 1.0.2u  20 Dec 2019
Running  with OpenSSL 1.0.2o  27 Mar 2018
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI Auth:LIBWRAP

Global options:
RNDbytes               = 1024
RNDfile                = /dev/urandom
RNDoverwrite           = yes

Service-level options:
ciphers                = HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
curves                 = prime256v1
debug                  = daemon.notice
logId                  = sequential
options                = NO_SSLv2

I start it with this service config:

[my12]
client = no
accept = 7002
connect = myremote:7002
cert = /etc/opt/csw/stunnel/stunnel.crt
key = /etc/opt/csw/stunnel/stunnel.key
sslVersion = TLSv1.2
debug = 7

and test it with a fairly recent curl:

$ /opt/csw/bin/curl --version
curl 7.61.0 (sparc-sun-solaris2.10) libcurl/7.61.0 OpenSSL/1.0.2o zlib/1.2.8 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4)
Release-Date: 2018-07-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets HTTPS-proxy PSL Metalink
Alas, the recent curl call

$ /opt/csw/bin/curl -skL https://myremote:7002/MyWebService?WSDL

...fails with exit status 23.

In verbose mode we get:

* Trying 127.0.0.1...
* TCP_NODELAY set
* Failed to set TCP_KEEPALIVE on fd 4
* Connected to localhost (127.0.0.1) port 7002 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
    CApath: /etc/opt/csw/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=TS; ST=Westfarthing; L=Hobbiton; O=Thorin and Company; OU=Burglars; CN=ahost.theshire.net; emailAddress=bilbo@theshire.net
*  start date: Jun 30 09:24:25 2021 GMT
*  expire date: Jun 30 09:24:25 2022 GMT
*  issuer: C=TS; ST=Westfarthing; L=Hobbiton; O=Thorin and Company; OU=Burglars; CN=ahost.theshire.net; emailAddress=bilbo@theshire.net
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
GET /MyWebService?WSDL HTTP/1.1
Host: localhost:7002
User-Agent: curl/7.61.0
Accept: */*

Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 7)
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
$
I tried various curl flags - nothing works.
In the meantime stunnel logs no errors:

Jul  9 16:16:45 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]: Service [my12] accepted connection from 127.0.0.1:39165
Jul  9 16:16:45 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]: s_connect: connected 10.240.28.69:7002
Jul  9 16:16:45 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]: Service [my12] connected remote server from xxx.yyy.zzz.www:39166
Jul  9 16:17:10 acuapd30 stunnel: [ID 801593 daemon.notice] LOG5[18]: Connection closed: 7 byte(s) sent to TLS, 116 byte(s) sent to socket
What am I doing wrong!?
Thanks in advance!
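Added example, not the poster's configuration and not stunnel project code. The POSIX shell script below does two things for the setup described in this post. First, bridge_config prints a two-service stunnel configuration: in stunnel a service with "client = no" accepts TLS and forwards plaintext to its "connect" address, while "client = yes" accepts plaintext and wraps it in TLS towards "connect"; one service does only one of the two, so putting TLS 1.2 in front of a backend that only speaks TLS 1.0 takes two services chained over loopback. Second, tls_record_describe decodes the first bytes of a reply saved with "curl --output", so a body that curl refuses to print (the "Failed writing body (0 != 7)" case) can be read: a 7-byte reply is exactly one TLS record header (5 bytes) plus one alert message (2 bytes, level and description), which is what a TLS-only listener sends back when it receives plaintext. The hostname myremote, port 7002 and the certificate paths are taken from the post; loopback port 7003, the service names, the backend CA path and the sample bytes in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's config, not stunnel's own code).
# Assumptions: stunnel 5.x, backend "myremote:7002" and the cert/key paths
# from the post, and an unused loopback port 7003 (hypothetical).

# Print a two-service stunnel configuration that terminates TLS 1.2 locally
# and re-wraps the traffic in TLS 1.0 for the legacy backend.
bridge_config() {
  cat <<'EOF'
; service 1: terminate TLS 1.2 from the modern curl, hand plaintext to service 2
[tls12-in]
client = no
accept = 7002
connect = 127.0.0.1:7003
cert = /etc/opt/csw/stunnel/stunnel.crt
key = /etc/opt/csw/stunnel/stunnel.key
sslVersion = TLSv1.2

; service 2: re-wrap the plaintext in TLS 1.0 for the backend.
; accept MUST stay on loopback: the hop between the two services is plaintext.
[tls1-out]
client = yes
accept = 127.0.0.1:7003
connect = myremote:7002
sslVersion = TLSv1
; The backend negotiated RC4-MD5 with s_client, which stunnel's default
; cipher list (HIGH:...) does not contain. If the backend handshake fails in
; the debug log, widen the list for this service only, e.g.:
; ciphers = HIGH:MEDIUM:!aNULL
; Pin the backend's self-signed certificate once you have a copy of it
; (path assumed):
; verifyPeer = yes
; CAfile = /etc/opt/csw/stunnel/backend.crt
EOF
}

# Describe the first TLS record in a file, e.g. one saved with
#   curl -sk --output reply.bin https://localhost:7002/MyWebService?WSDL
# Output looks like: "alert TLS1.0 len=2 fatal handshake_failure".
tls_record_describe() {
  # Read up to 7 bytes as unsigned decimals: 5-byte record header + 2-byte alert.
  set -- $(od -An -tu1 -v -N7 "$1")
  [ $# -ge 5 ] || { echo "too short for a TLS record ($# bytes)"; return 1; }
  ctype=$1; major=$2; minor=$3; len=$(( $4 * 256 + $5 ))
  case $ctype in
    20) type=change_cipher_spec ;;
    21) type=alert ;;
    22) type=handshake ;;
    23) type=application_data ;;
    *)  echo "not a TLS record (first byte $ctype)"; return 1 ;;
  esac
  case "$major.$minor" in
    3.0) ver=SSL3 ;;
    3.1) ver=TLS1.0 ;;
    3.2) ver=TLS1.1 ;;
    3.3) ver=TLS1.2 ;;
    *)   ver="v$major.$minor" ;;
  esac
  out="$type $ver len=$len"
  # An alert carries two bytes: level (1 warning, 2 fatal) and description.
  if [ "$ctype" -eq 21 ] && [ $# -ge 7 ]; then
    if [ "$6" -eq 2 ]; then level=fatal; else level=warning; fi
    case $7 in
      0)  desc=close_notify ;;
      10) desc=unexpected_message ;;
      40) desc=handshake_failure ;;
      70) desc=protocol_version ;;
      80) desc=internal_error ;;
      *)  desc="alert_$7" ;;
    esac
    out="$out $level $desc"
  fi
  echo "$out"
}

# Usage (paths assumed):
#   bridge_config > /etc/opt/csw/stunnel/bridge.conf
#   stunnel /etc/opt/csw/stunnel/bridge.conf
#   curl -sk --output reply.bin https://localhost:7002/MyWebService?WSDL
#   tls_record_describe reply.bin
# When run directly with a file argument, describe that file's first record.
[ $# -eq 0 ] || tls_record_describe "$1"
```

Note that the bridge only changes what the client sees: the hop from stunnel to the backend is still TLS 1.0 with whatever cipher the backend offers (RC4-MD5 in the s_client run above), so it buys compatibility with a modern curl, not a stronger link to the backend.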