[stunnel-users] What is the difference between "all" and "SSLv3" for sslVersion?

Christopher Hunt huntc at internode.on.net
Sun Sep 14 08:12:51 CEST 2008


Hi there,

I would like to understand the difference between specifying an  
sslVersion of "all" vs "SSLv3" when I see that the client is  
attempting SSLv3.

I have a Java 1.5 ssl client connecting to an stunnel endpoint. If I  
specify an sslVersion of "all" in my stunnel configuration then the  
client is able to connect. When I see it connect, it appears to have  
connected as SSLv3 i.e.:

2008.09.14 15:59:20 LOG7[98326:2690846624]: https accepted FD=12 from 127.0.0.1:59812
2008.09.14 15:59:20 LOG7[98326:2952859648]: https started
2008.09.14 15:59:20 LOG7[98326:2952859648]: FD 12 in non-blocking mode
2008.09.14 15:59:20 LOG7[98326:2952859648]: TCP_NODELAY option set on local socket
2008.09.14 15:59:20 LOG7[98326:2952859648]: Waiting for a libwrap process
2008.09.14 15:59:20 LOG7[98326:2952859648]: Acquired libwrap process #0
2008.09.14 15:59:20 LOG7[98326:2952859648]: Releasing libwrap process #0
2008.09.14 15:59:20 LOG7[98326:2952859648]: Released libwrap process #0
2008.09.14 15:59:20 LOG7[98326:2952859648]: https permitted by libwrap from 127.0.0.1:59812
2008.09.14 15:59:20 LOG5[98326:2952859648]: https accepted connection from 127.0.0.1:59812
2008.09.14 15:59:20 LOG7[98326:2952859648]: SSL state (accept): before/accept initialization
2008.09.14 15:59:21 LOG7[98326:2952859648]: SSL state (accept): SSLv3 read client hello A

etc.

If I substitute "SSLv3" for the value of sslVersion then I get:

2008.09.14 15:56:26 LOG7[98297:2690846624]: https accepted FD=12 from 127.0.0.1:59795
2008.09.14 15:56:26 LOG7[98297:2952859648]: https started
2008.09.14 15:56:26 LOG7[98297:2952859648]: FD 12 in non-blocking mode
2008.09.14 15:56:26 LOG7[98297:2952859648]: TCP_NODELAY option set on local socket
2008.09.14 15:56:26 LOG7[98297:2952859648]: Waiting for a libwrap process
2008.09.14 15:56:26 LOG7[98297:2952859648]: Acquired libwrap process #0
2008.09.14 15:56:26 LOG7[98297:2952859648]: Releasing libwrap process #0
2008.09.14 15:56:26 LOG7[98297:2952859648]: Released libwrap process #0
2008.09.14 15:56:26 LOG7[98297:2952859648]: https permitted by libwrap from 127.0.0.1:59795
2008.09.14 15:56:26 LOG5[98297:2952859648]: https accepted connection from 127.0.0.1:59795
2008.09.14 15:56:26 LOG7[98297:2952859648]: SSL state (accept): before/accept initialization
2008.09.14 15:56:27 LOG3[98297:2952859648]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

I have also tried specifying "SSLv2" (client disconnected complaining
that v2 was not supported) and "TLSv1" (yields the same error as
"SSLv3").

My version of stunnel is:

stunnel 4.25 on i686-apple-darwin9.4.0 with OpenSSL 0.9.7l 28 Sep 2006

Thank you in advance for any explanation on the difference between  
"all" and "SSLv3".

Kind regards,
Christopher
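
Added example, not part of the original post and not stunnel or OpenSSL code: a Python sketch that classifies the first bytes of a ClientHello by framing, to show how a hello can offer SSLv3/TLSv1 yet fail with "wrong version number" on a listener pinned to "SSLv3" or "TLSv1". It assumes the Java client sends an SSLv2-compatible hello (JSSE's SSLv2Hello), which the post does not confirm; the function names, the acceptance model and both byte strings are constructed for illustration.

```python
import struct

VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1"}

def classify_client_hello(data: bytes) -> dict:
    """Report the framing and the protocol version offered by a ClientHello."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of the first client message")
    # SSLv2 framing: 2-byte length with the high bit set, then msg type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"framing": "sslv2-compatible",
                "offers": VERSIONS.get((data[3], data[4]), "unknown"),
                "length": ((data[0] & 0x7F) << 8) | data[1]}
    # SSLv3/TLS framing: record type 0x16 (handshake), version, 2-byte length.
    if data[0] == 0x16 and data[1] == 0x03:
        (length,) = struct.unpack("!H", data[3:5])
        # client_version follows the 4-byte handshake header of a ClientHello.
        is_hello = len(data) >= 11 and data[5] == 0x01
        ver = (data[9], data[10]) if is_hello else (data[1], data[2])
        return {"framing": "tls-record",
                "offers": VERSIONS.get(ver, "unknown"), "length": length}
    return {"framing": "unknown", "offers": "unknown", "length": 0}

def framing_accepted(ssl_version: str, data: bytes) -> bool:
    """Simplified model (assumption): framings each sslVersion value will parse."""
    framing = classify_client_hello(data)["framing"]
    if ssl_version == "all":
        return framing in ("sslv2-compatible", "tls-record")
    if ssl_version in ("SSLv3", "TLSv1"):
        return framing == "tls-record"
    raise ValueError("setting not modelled: " + ssl_version)

# Constructed sample: SSLv2-framed hello offering version 3.1, one cipher spec.
V2_COMPAT_HELLO = bytes([0x80, 0x1C, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00,
                         0x00, 0x10, 0x00, 0x00, 0x04]) + bytes(16)
# Constructed sample: SSLv3 record carrying a ClientHello for version 3.0.
V3_RECORD_HELLO = (bytes([0x16, 0x03, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x29,
                          0x03, 0x00]) + bytes(32)
                   + bytes([0x00, 0x00, 0x02, 0x00, 0x04, 0x01, 0x00]))

if __name__ == "__main__":
    for name, hello in (("v2-compatible", V2_COMPAT_HELLO),
                        ("v3 record", V3_RECORD_HELLO)):
        info = classify_client_hello(hello)
        for setting in ("all", "SSLv3", "TLSv1"):
            print(name, info["offers"], setting, framing_accepted(setting, hello))
```

To check the assumption against a real client, capture the first bytes it sends to the listener and pass them to classify_client_hello.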


