[stunnel-users] exclusively TLS
Jesse Small
jesse.small at hxti.com
Tue Jan 24 16:44:14 CET 2006
I've been working through the same problem as John, but I tried using Jan's
solution by setting the options and still haven't been able to get it to
work.
On server1 I am running openssl s_server with tls-only specified:
openssl s_server -accept 8443 -cert XDS_REG_HXTI.cer -key hxti1.key -tls1
On the client side (server2), I have stunnel set up as a client listening on
localhost port 8100, and forwarding over to server1, port 8443. Then to
test I run 'telnet localhost 8100' and see the error message from s_server:
ACCEPT
ERROR
16656:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:683:
shutting down SSL
CONNECTION CLOSED
In my stunnel.log file I can see this error message:
SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
So to me it still seems to be sending out a client hello in sslv3, despite
my efforts to the contrary. Below are the pertinent parts of my
stunnel_client.conf file. Any help you could give would be greatly
appreciated.
Thanks,
Jesse
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3
[toOtherServer]
accept = 8100
connect = devapp:8443
-----Original Message-----
From: Jan Meijer [mailto:jan.meijer at surfnet.nl]
Sent: Friday, January 20, 2006 5:20 PM
To: Moehrke, John (GE Healthcare)
Cc: stunnel-users at mirt.net
Subject: RE: [stunnel-users] exclusively TLS
On Fri, 20 Jan 2006, Moehrke, John (GE Healthcare) wrote:
> It is not the list of ciphers that I want to choose from. We are indeed
> using a select set of ciphers and that seems to be working fine. My
> problem is that when stunnel connects to the server it is trying sslv3,
> and this causes an error as the server is only supporting TLS. I could
> easily be wrong...
Ah, that way.
options = SSL_options
OpenSSL library options
The parameter is the OpenSSL option name as described in the
SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. Several
options can be used to specify multiple options.
For example for compatibility with erroneous Eudora SSL implementation the following option can be used:
options = DONT_INSERT_EMPTY_FRAGMENTS
Check the SSL_CTX_set_options manpage, it says -amongst other things-:
SSL_OP_NO_SSLv2
Do not use the SSLv2 protocol.
SSL_OP_NO_SSLv3
Do not use the SSLv3 protocol.
SSL_OP_NO_TLSv1
Do not use the TLSv1 protocol.
That ought to do the trick I'd say.
Let us know if it did :)
Jan
--
http://www.surfnet.nl/organisatie/jame
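The thread turns on one question: which protocol version does the ClientHello actually announce, and does the server's allowed set (s_server -tls1, or a stunnel.conf with NO_SSLv2/NO_SSLv3 lines) still contain a version at or below it? Note that OpenSSL's "sslv3 alert handshake failure" string is just its name for the handshake_failure alert and is emitted on TLS connections too, so the alert text does not tell you which version was offered; the bytes of the ClientHello do. The script below is an added example written for this archive page, not code from the stunnel or OpenSSL projects. It builds constructed ClientHello samples (both the SSLv3/TLS record format and the older SSLv2-compatible wrapper), parses the announced version back out, and models the pre-TLS-1.3 negotiation rule (server picks the highest version both sides allow, else the handshake fails). The option names are the three from the manpage excerpt above; the treatment of an SSLv2-compatible wrapper announcing a 3.x version as negotiable on that version is my simplification, since whether a given server still parses that wrapper is implementation-specific.

```python
"""Inspect an SSL/TLS ClientHello and reason about version negotiation.

Added example for the stunnel-users thread; not stunnel or OpenSSL code.
Models the pre-TLS-1.3 rule: the client announces its highest version,
the server picks the highest version both sides allow, or fails.
"""
import struct

# Wire versions as 16-bit values, and the stunnel 'options = NO_...' line
# (OpenSSL SSL_OP_ prefix dropped, as in stunnel.conf) that disables each.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1"}
DISABLE_OPTION = {"NO_SSLv2": 0x0002, "NO_SSLv3": 0x0300, "NO_TLSv1": 0x0301}


def allowed_versions(options):
    """Versions left enabled after applying the given NO_* option names."""
    enabled = set(VERSIONS)
    for opt in options:
        enabled.discard(DISABLE_OPTION[opt])  # KeyError for an option not modelled here
    return enabled


def client_announces(options):
    """Highest version a client with these options would put in its ClientHello."""
    enabled = allowed_versions(options)
    return max(enabled) if enabled else None


def build_client_hello(record_version, client_version, ciphers=(0x002F, 0x0035)):
    """Build a minimal SSLv3/TLS-format ClientHello (constructed sample, fixed random)."""
    body = struct.pack(">H", client_version) + bytes(32)       # client_version + random
    body += b"\x00"                                            # session_id length 0
    suites = b"".join(struct.pack(">H", c) for c in ciphers)
    body += struct.pack(">H", len(suites)) + suites            # cipher_suites
    body += b"\x01\x00"                                        # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def build_v2_client_hello(client_version):
    """Build an SSLv2-compatible CLIENT-HELLO wrapper announcing client_version."""
    specs = b"\x00\x00\x2f\x00\x00\x35"   # SSLv2 cipher specs are 3 bytes each
    challenge = bytes(16)
    body = (b"\x01" + struct.pack(">H", client_version)
            + struct.pack(">HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, high bit set


def parse_client_hello(data):
    """Return (wire_format, record_version, client_version) for a ClientHello."""
    if data[0] & 0x80:                                  # SSLv2-compatible wrapper
        if data[2] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        return "sslv2-compatible", None, struct.unpack(">H", data[3:5])[0]
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version, length = struct.unpack(">HH", data[1:5])
    handshake = data[5:5 + length]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    return "record", record_version, struct.unpack(">H", handshake[4:6])[0]


def negotiate(client_version, server_allowed):
    """Highest version both sides allow under pre-TLS-1.3 rules, or None."""
    if client_version == 0x0002:                        # a pure SSLv2 client
        return 0x0002 if 0x0002 in server_allowed else None
    candidates = [v for v in server_allowed if 0x0300 <= v <= client_version]
    return max(candidates) if candidates else None


if __name__ == "__main__":
    # Server side as in the thread: 's_server -tls1' accepts TLSv1 only.
    server = allowed_versions(["NO_SSLv2", "NO_SSLv3"])
    # Constructed clients: one stuck on SSLv3, one announcing TLSv1.
    for label, hello in (("SSLv3-only client", build_client_hello(0x0300, 0x0300)),
                         ("TLSv1 client", build_client_hello(0x0300, 0x0301)),
                         ("v2-wrapper, TLSv1", build_v2_client_hello(0x0301))):
        fmt, _, cv = parse_client_hello(hello)
        result = negotiate(cv, server)
        print(f"{label:20} announces {VERSIONS[cv]:6} ({fmt}) -> "
              f"{VERSIONS.get(result, 'handshake failure')}")
```

Run it as-is to see the three constructed cases; to check a real client, capture the first record it sends (for example with tcpdump on the stunnel-to-server leg) and pass those bytes to parse_client_hello. If the announced version is already TLSv1, the NO_SSLv3 option is not what the failing handshake is about and the next thing to compare is the cipher list on each side.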