[stunnel-users] Problem with sslv2 clients
Ludovic LEVET
llevet at ludosoft.org
Fri Dec 9 19:14:53 CET 2011
Hi,
That's normal: SSLv2 has been disabled by default since version 4.40.
(http://www.stunnel.org/?page=sdf_ChangeLog)
To re-enable it, add to your config file:
ciphers = ALL:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (or other)
and
sslVersion = all
Ludovic.
>
> On 09/12/2011 15:37, Markus Borst wrote:
>> Hi,
>>
>> we have a strange problem with newer stunnel versions (4.50 on
>> Windows), compared to older ones (known to work is version 4.35). The
>> problem seems to be that if a client sends an SSLv2 Hello message, the
>> stunnel server simply resets the TCP connection, without trying to
>> negotiate anything.
>>
>> Setup: stunnel is used to provide SSL/TLS for IMAP; Hobbit is used
>> to monitor service availability. The Hobbit module to monitor imaps
>> seems to try SSLv2 first, but also supports newer versions (SSLv3 and
>> TLSv1). The SSL connection never gets established, stunnel sends a
>> TCP RST, Hobbit never retries. We can force some Hobbit modules to
>> use TLSv1 exclusively, but not all of them. We fear that some older
>> mail clients will also have problems initiating a connection, so we
>> keep stunnel 4.35 running for now.
>>
>> stunnel.conf:
>>
>> fips = no
>> debug = 7
>> output = stunnel.log
>>
>> [imaps]
>> accept = 130.83.174.1:993
>> connect = 127.0.0.1:143
>> cert = imap.xxx.company.yy.pem
>>
>>
>> stunnel.log:
>>
>> 2011.12.09 14:55:12 LOG5[6820:2144]: Service imaps accepted
>> connection from xxx.yyy.zzz.105:45294
>> 2011.12.09 14:55:12 LOG3[6820:2144]: SSL_accept: 1408F10B:
>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>> 2011.12.09 14:55:12 LOG5[6820:2144]: Connection reset: 0 bytes sent
>> to SSL, 0 bytes sent to socket
>> 2011.12.09 14:55:12 LOG7[6820:2144]: Service imaps finished (0 left)
>> 2011.12.09 14:55:12 LOG7[6820:2144]: str_stats: 0 block(s), 0 data
>> byte(s), 0 control byte(s)
>>
>>
>>
>> Wireshark Packet Trace (see attached image).
>>
>>
>> What's wrong here? Shouldn't client and server negotiate the methods
>> used? The client seems to offer TLS ("Version: TLS 1.0 ..."), but
>> instead of negotiating, the server simply closes the connection.
>>
>>
>> Greetings
>> Markus Borst
>>
>
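The record framing behind this thread, as an added example (not code from stunnel, OpenSSL, or either poster): a client that "tries SSLv2 first" opens with an SSLv2-style CLIENT-HELLO whose 2-byte length header is followed by message type 0x01 and the highest version it offers, which is why Wireshark can show "Version: TLS 1.0" inside a hello that a TLS-only record layer still rejects. A parser expecting the 5-byte SSLv3/TLS record header reads the bytes after the first as the record version; for an SSLv2 header those are the low length byte and 0x01, so the major byte is never 0x03, and OpenSSL reports exactly the `SSL3_GET_RECORD:wrong version number` seen in the log. The hellos below are constructed sample messages (cipher spec and suite values are well-known SSLv2/TLS identifiers, chosen only to make the messages well-formed); `probe_server` is an optional live check against a host and port you supply, and it is not exercised here.

```python
"""Classify the first SSL/TLS record a client sends and show how a
TLS-only record layer misreads an SSLv2-framed ClientHello.
Added example for the stunnel-users thread; not stunnel or OpenSSL code."""
import socket
import struct

SSL2_MT_CLIENT_HELLO = 0x01   # SSLv2 message type for CLIENT-HELLO
TLS_HANDSHAKE = 0x16          # SSLv3/TLS record content type "handshake"
VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def sslv2_client_hello(version=0x0301,
                       cipher_specs=(0x010080, 0x050080),   # RC4-128-MD5, IDEA-128-MD5
                       challenge=b"\x00" * 16):
    """Build an SSLv2-framed CLIENT-HELLO (constructed sample).

    `version` is the highest version the client offers; 0x0301 produces the
    'v2-compatible' hello that old clients send before upgrading to TLS."""
    specs = b"".join(struct.pack(">I", c)[1:] for c in cipher_specs)   # 3-byte specs
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, version,
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte SSLv2 header: high bit set = no padding, remaining 15 bits = length
    return struct.pack(">H", 0x8000 | len(body)) + body


def tls_client_hello(version=0x0301, cipher_suites=(0x002F, 0x0035)):
    """Build a minimal SSLv3/TLS-framed ClientHello (constructed sample)."""
    suites = b"".join(struct.pack(">H", c) for c in cipher_suites)
    hello = (struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
             + struct.pack(">H", len(suites)) + suites + b"\x01\x00")  # suites, null compression only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello    # HandshakeType client_hello = 1
    return struct.pack(">BHH", TLS_HANDSHAKE, version, len(handshake)) + handshake


def classify_first_record(data):
    """Describe how the first bytes on the wire frame the client hello."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    if data[0] & 0x80 and data[2] == SSL2_MT_CLIENT_HELLO:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        offered = struct.unpack(">H", data[3:5])[0]
        return {"framing": "SSLv2", "record_length": length,
                "offered_version": VERSION_NAMES.get(offered, hex(offered))}
    ctype, version, length = struct.unpack(">BHH", data[:5])
    if ctype == TLS_HANDSHAKE and (version >> 8) == 0x03:
        return {"framing": "TLS", "record_length": length,
                "offered_version": VERSION_NAMES.get(version, hex(version))}
    return {"framing": "unknown", "record_length": None, "offered_version": None}


def as_seen_by_tls_record_layer(data):
    """What a parser that only knows the 5-byte SSLv3/TLS header makes of the bytes.

    For an SSLv2 header the 'version' field lands on (length low byte, 0x01), so its
    major byte is not 0x03: the condition reported as 'wrong version number'."""
    ctype, version, length = struct.unpack(">BHH", data[:5])
    return {"content_type": ctype, "version": version, "length": length,
            "version_ok": (version >> 8) == 0x03}


def probe_server(host, port, hello, timeout=5.0):
    """Optional live check: send `hello` and return the server's first bytes,
    or 'reset' if the peer tears the connection down (hypothetical host/port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            return sock.recv(5) or b""
    except (ConnectionResetError, ConnectionAbortedError):
        return "reset"
```

Run `classify_first_record` on the first bytes of the client's segment from a capture to tell a real SSLv2 hello from a v2-compatible one that merely carries a TLS version; `as_seen_by_tls_record_layer` on the same bytes shows the garbage version a TLS-only parser would check. Re-enabling SSLv2 on the server, as the reply above describes, makes the server accept the old framing; getting the client to open with a TLS record instead avoids the problem without that.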