[stunnel-users] Disable support for insecure SSLv2 protocol but allow for ONE service

Janusz Dziemidowicz rraptorr at nails.eu.org
Tue Oct 15 22:42:13 CEST 2013


2013/10/15 Ben Stover <bxstover at yahoo.co.uk>:
> When I try to connect to one of my mailboxes I get a return:
>
> SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
>
> What does that mean?
>
> In stunnel.conf I set the global parameter:
>
> options = NO_SSLv2
>
> This works in general. But for the mentioned email provider it could mean that he allows only SSLv2.
> Is this the reason?
>
> Where is described what is insecure at SSLv2?
>
> How can I allow for that particular email provider SSLv2 but disallow for all others?

It is extremely unlikely that this has anything to do with SSLv2.
SSLv2 is so old that there are practically no services on the Internet
that support only it (however some do allow SSLv2 in addition to newer
ones). Some of the most important SSLv2 flaws are explained on
Wikipedia: http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_2.0

What stopped you from temporarily removing the global option and
verifying if this has anything to do with SSLv2? Most probably it
still will not work (the "SSL3_GET_RECORD:wrong version number"
message is usually misleading).

-- 
Janusz Dziemidowicz
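
An added example, not part of the original post: since the error text is called misleading above, one way to test the SSLv2 theory is to classify the first bytes the server actually sends. Assumptions: the sample byte strings are constructed, the function name is hypothetical, and the plaintext case reflects general OpenSSL behaviour (a non-TLS greeting, such as a mail banner on a STARTTLS-style port, commonly produces "wrong version number"), which the thread itself does not state.

```python
import string

# Constructed samples of the first bytes a server might send (not real captures).
SAMPLES = {
    "tls12_server_hello": bytes.fromhex("160303004a02000046"),
    "tls10_alert": bytes.fromhex("15030100020228"),
    "sslv2_server_hello": bytes.fromhex("802a04000100020000"),
    "smtp_banner": b"220 mail.example.test ESMTP ready\r\n",
    "pop3_banner": b"+OK POP3 ready\r\n",
}

# SSLv3/TLS record header: type(1) | major(1) | minor(1) | length(2)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Record-layer versions; TLS 1.3 also uses 3.3 on the wire.
TLS_RECORD_VERSIONS = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}
MAX_RECORD_LEN = 2 ** 14 + 2048  # upper bound on a protected record body


def classify_first_bytes(data: bytes) -> str:
    """Say whether the peer opened with a TLS record, an SSLv2 record or plaintext."""
    if len(data) < 5:
        return "too-short"
    ctype, major, minor = data[0], data[1], data[2]
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor in TLS_RECORD_VERSIONS:
        if int.from_bytes(data[3:5], "big") <= MAX_RECORD_LEN:
            return f"tls-record:{TLS_CONTENT_TYPES[ctype]}:{TLS_RECORD_VERSIONS[minor]}"
    # SSLv2: 2-byte header with the high bit set, then message type 4 (SERVER-HELLO).
    if data[0] & 0x80 and data[2] == 4:
        return "sslv2-record:server-hello"
    # Printable ASCII up front means the service is not speaking SSL/TLS at all
    # on this port, which is a different problem from a protocol-version mismatch.
    if all(chr(b) in string.printable for b in data[:16]):
        return "plaintext"
    return "unknown"


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20s} -> {classify_first_bytes(blob)}")
```

Only the `sslv2-record` result would support the idea that the provider speaks SSLv2 alone; a `plaintext` result points at the port or a missing `protocol` setting instead.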


