[stunnel-users] exclusively TLS

Jesse Small jesse.small at hxti.com
Tue Jan 24 16:44:14 CET 2006 

I've been working through the same problem as John, but I tried using Jan's
solution by setting the options and still haven't been able to get it to
work.

On server1 I am running openssl s_server with tls-only specified:
openssl s_server -accept 8443 -cert XDS_REG_HXTI.cer -key hxti1.key -tls1

On the client side (server2), I have stunnel set up as a client listening on
localhost port 8100, and forwarding over to server1, port 8443.  Then to
test I run 'telnet localhost 8100' and see the error message from s_server:
ACCEPT
ERROR
16656:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version
number:s3_srvr.c:683:
shutting down SSL
CONNECTION CLOSED

In my stunnel.log file I can see this error message:
SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure

So to me it still seems to be sending out a client hello in sslv3, despite
my efforts to the contrary.  Below are the pertinent parts of my
stunnel_client.conf file.  Any help you could give would be greatly
appreciated.

Thanks,
Jesse

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3

[toOtherServer]
accept  = 8100
connect = devapp:8443 

-----Original Message-----
From: Jan Meijer [mailto:jan.meijer at surfnet.nl] 
Sent: Friday, January 20, 2006 5:20 PM
To: Moehrke, John (GE Healthcare)
Cc: stunnel-users at mirt.net
Subject: RE: [stunnel-users] exclusively TLS

On Fri, 20 Jan 2006, Moehrke, John (GE Healthcare) wrote:

> It is not the list of ciphers that I want to choose from. We are
indeed
> using a select set of ciphers and that seems to be working fine. My
> problem is that when stunnel connects to the server it is trying
sslv3,
> and this causes an error as the server is only supporting TLS. I could
> easily be wrong...

Ah, that way.

options = SSL_options
     OpenSSL library options

     The parameter is the OpenSSL option name as described in the 
SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. Several 
options can be used to specify multiple options.

     For example for compatibility with erroneous Eudora SSL
implementation 
the following option can be used:

     options = DONT_INSERT_EMPTY_FRAGMENTS

Check the SSL_CTX_set_options manpage, it says -amongst other things-:

        SSL_OP_NO_SSLv2
            Do not use the SSLv2 protocol.

        SSL_OP_NO_SSLv3
            Do not use the SSLv3 protocol.

        SSL_OP_NO_TLSv1
            Do not use the TLSv1 protocol.


That ought to do the trick I'd say.

Let us know if it did :)


Jan

-- 
http://www.surfnet.nl/organisatie/jame

More information about the stunnel-users mailing list