Hi,

If you have control of both ends of the connection make sure your SSL version is consistent on both sides. I would not recomend using sslVersion = all

Either set it to SSLv3 or TLSv1 DES-CBC-SHA is supported under those

However, judging for the cipher you are choosing I assume you might be dealing with a legacy application and you might not have access to both ends of the connection.

I would try setting only one version at the time and moving down from TLSv1, SSLv3 and SSLv2

sslVersion =

ciphers = DES-CBC-SHA

Cheers   ----------------- Leandro Avila

________________________________ From: "laurent.uk@bnpparibas.com" laurent.uk@bnpparibas.com To: josealf@rocketmail.com Cc: stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org Sent: Tuesday, May 3, 2011 10:48 AM Subject: [stunnel-users] Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA

Dear Jose,

here is the configuration file of my stunnel :

; Sample stunnel configuration file by Michal Trojnara 2002-2006 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode cert = /opt/freeware/etc/stunnel/ca_nopass.pem foreground = yes syslog = yes ; Protocol version (all, SSLv2, SSLv3, TLSv1) ;sslVersion = SSLv2 sslVersion = all ;ciphers = DES-CBC-SHA ;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5 ; Some security enhancements for UNIX systems - comment them out on Win32 ;chroot = /usr/local/stunnel/var/lib/stunnel ;chroot = /tmp/ ;setuid = root ;setgid = other ; PID is created inside chroot jail pid = /var/adm/stunnel_server_level1.pid

; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = rle

; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ;options = Options_SSL ; Authentication stuff verify = 3 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail CApath = /opt/freeware/etc/stunnel/CA_files/ ; It's often easier to use CAfile ;CAfile = /opt/freeware/etc/stunnel/ca.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting debug = 7

; Use it for client mode client = no ; Service-level configuration

[pesitip] accept = 10443 connect = XXXXXXX:10016

Thanks for your help.

Regards.

Laurent UK

Internet   josealf@rocketmail.com 03/05/2011 14:52 Veuillez répondre à josealf@rocketmail.com Pour Laurent UK, stunnel-users-bounces@stunnel.org, stunnel-users@stunnel.org cc Objet Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA

Laurent,

Can you post your configuration? For security, You should change the real IPs (but not the ports) before posting.

You can check:

1. Does your stunnel client config has client=yes? 2. Does your stunnel server config has client=no 3. Check your packet flow, that is: your accept/connect settings.

Regards Jose -----Original Message----- From: laurent.uk@bnpparibas.com Sender: stunnel-users-bounces@stunnel.org Date: Tue, 3 May 2011 14:16:09 To: stunnel-users@stunnel.org Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version                 number with cipher DES-CBC-SHA

_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users

This message and any attachments (the "message") is intended solely for the addressees and is confidential. If you receive this message in error, please delete it and immediately notify the sender. Any use not in accord with its purpose, any dissemination or disclosure, either whole or partial, is prohibited except formal approval. The internet can not guarantee the integrity of this message. BNP PARIBAS (and its subsidiaries) shall (will) not therefore be liable for the message if modified. Do not print this message unless it is necessary, consider the environment.

---------------------------------------------

Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires et sont confidentiels. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. L'internet ne permettant pas d'assurer l'integrite de ce message, BNP PARIBAS (et ses filiales) decline(nt) toute responsabilite au titre de ce message, dans l'hypothese ou il aurait ete modifie. N'imprimez ce message que si necessaire, pensez a l'environnement. _______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users