Hello
I realized that the latest RHEL6 updates including stunnel-4.29-3.el6_6.1 break our Stunnel connections!
We are forced to go back to previous version stunnel-4.29-3.el6_4 in order to have the systems running again, and blocking Stunnel updates in /etc/yum.conf for the moment.
Our typical client config and server configs are as follows:
Client (5.08):
**********
client = yes
compression = zlib
sslversion = TLSv1
delay = yes
debug = 7
taskbar = yes
cert = my.pem

[abas_ssh]
accept = 127.0.30.10:5303
connect = firewall.client.dom:5303
Server, xinetd.d:
*************
service stunnel_ssh
{
    disable = no
    socket_type = stream
    instances = UNLIMITED
    per_source = UNLIMITED
    wait = no
    user = root
    server = /usr/bin/stunnel
    server_args = /etc/stunnel/stunnel_ssh.conf
    log_on_success += HOST DURATION
    log_on_failure += HOST
}
Server, stunnel_ssh.conf
****************
cert = /support/stunnel/cert/server.pem
CApath = /support/stunnel/hash/
verify = 3
debug = 7
connect = 192.168.1.100:22
The error thrown is something like:
Dec 17 17:30:23 srvabas stunnel: LOG3[3385:140171595282368]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
What are we missing? Do we need to change the configuration?
Any help is highly appreciated.
Kind regards H.U.Flueck
What did Redhat change?
I would start there. See if any of their changes would affect your setup.
You can also check that both sides of the connection are using the same TLS version.
On Dec 18, 2014, at 08:27, H.U.Flück huf@inomatix.com wrote:
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On Dec 18, 2014, at 08:27, H.U.Flück huf@inomatix.com wrote:
> The error thrown is something like:
> Dec 17 17:30:23 srvabas stunnel: LOG3[3385:140171595282368]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> What are we missing? Do we need to change the configuration?
I downloaded the source packages to identify the exact change they made. The only difference between the previous and the updated version is that the new one configures stunnel with:
configure --enable-fips --enable-ipv6 \
    CPPFLAGS="-UPIDFILE -DPIDFILE='"%{_localstatedir}/run/stunnel.pid"'"
rather than:
configure --disable-fips --enable-ipv6 \
    CPPFLAGS="-UPIDFILE -DPIDFILE='"%{_localstatedir}/run/stunnel.pid"'"
The update doesn't change anything in the source code of stunnel.
In stunnel 4.x FIPS mode is enabled by default. You may disable it with "fips = no". In order to get your configuration working without disabling FIPS mode you may also try "sslVersion = TLSv1".
Mike
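The stunnel log line quoted in this thread carries a packed OpenSSL error code (140760FC) that can be decoded into library, function and reason without guessing from the text. The script below is an added example, not part of the thread or of stunnel; it parses that exact line (re-typed here as a constructed sample) and decodes the code using the OpenSSL 1.0.x packing scheme and the constant names from its err.h/ssl.h headers, so a log monitor can flag the "unknown protocol" handshake failure as a client/server protocol mismatch rather than a generic SSL error.

```python
import re

# Constructed sample: the line quoted in the original post (host and timestamp as given there).
SAMPLE_LINE = ("Dec 17 17:30:23 srvabas stunnel: LOG3[3385:140171595282368]: "
               "SSL_accept: 140760FC: error:140760FC:SSL routines:"
               "SSL23_GET_CLIENT_HELLO:unknown protocol")

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 20                                    # 0x14, ERR_LIB_SSL in err.h
SSL_FUNCS = {118: "SSL_F_SSL23_GET_CLIENT_HELLO"}   # subset of ssl.h needed here
SSL_REASONS = {252: "SSL_R_UNKNOWN_PROTOCOL"}       # subset of ssl.h needed here

# stunnel 4.x syslog format: "stunnel: LOG<level>[pid:tid]: <where>: <code>: error:<code>:<lib>:<func>:<reason>"
LOG_RE = re.compile(
    r"stunnel: LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: "
    r"(?P<where>\w+): (?P<code>[0-9A-Fa-f]{8}): error:(?P=code):"
    r"(?P<lib_name>[^:]+):(?P<func_name>[^:]+):(?P<reason_text>.+)$"
)


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into (lib, func, reason) integers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_stunnel_error(line):
    """Parse one stunnel LOG line; return a dict with the decoded code, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    lib, func, reason = decode_openssl_error(code)
    return {
        "level": int(m.group("level")),
        "pid": int(m.group("pid")),
        "where": m.group("where"),
        "code": code,
        "lib": lib,
        "func": SSL_FUNCS.get(func, func),        # symbolic name when known, else raw number
        "reason": SSL_REASONS.get(reason, reason),
        "reason_text": m.group("reason_text"),
    }


def diagnose(line):
    """Map a parsed record to a short operator-facing diagnosis; non-matching lines give None."""
    rec = parse_stunnel_error(line)
    if rec is None:
        return None
    if rec["lib"] == ERR_LIB_SSL and rec["reason"] == "SSL_R_UNKNOWN_PROTOCOL":
        # The ClientHello was not recognised as SSL/TLS: client and server disagree on
        # protocol version (here: a FIPS-enabled build on one side), or plaintext hit a TLS port.
        return "protocol mismatch in %s: check sslVersion/FIPS settings on both ends" % rec["where"]
    return "unhandled OpenSSL error: %s" % rec["reason_text"]
```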
On Sun, Dec 21, 2014 at 10:26 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
> In stunnel 4.x FIPS mode is enabled by default. You may disable it with "fips = no". In order to get your configuration working without disabling FIPS mode you may also try "sslVersion = TLSv1".
Unfortunately, AFAICT there is no way to write a conf file that will reliably disable fips on the stunnel 4.x series. This issue is fixed in 5.0.
--Andy