Re: [stunnel-users] exclusively TLS (Stunnel Users forums, Networking and Network Related category)
I've been working through the same problem as John, but I tried using Jan's solution by setting the options and still haven't been able to get it to work.

On server1 I am running openssl s_server with tls-only specified:

    openssl s_server -accept 8443 -cert XDS_REG_HXTI.cer -key hxti1.key -tls1

On the client side (server2), I have stunnel set up as a client listening on localhost port 8100, and forwarding over to server1, port 8443. Then to test I run 'telnet localhost 8100' and see the error message from s_server:

    ACCEPT
    ERROR
    16656:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:683:
    shutting down SSL
    CONNECTION CLOSED

In my stunnel.log file I can see this error message:

    SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

So to me it still seems to be sending out a client hello in sslv3, despite my efforts to the contrary. Below are the pertinent parts of my stunnel_client.conf file. Any help you could give would be greatly appreciated.

Thanks,
Jesse

    ; Workaround for Eudora bug
    ;options = DONT_INSERT_EMPTY_FRAGMENTS
    options = NO_SSLv2
    options = NO_SSLv3

    [toOtherServer]
    accept = 8100
    connect = devapp:8443

-----Original Message-----
From: Jan Meijer [mailto:jan.meijer@surfnet.nl]
Sent: Friday, January 20, 2006 5:20 PM
To: Moehrke, John (GE Healthcare)
Cc: stunnel-users@mirt.net
Subject: RE: [stunnel-users] exclusively TLS

On Fri, 20 Jan 2006, Moehrke, John (GE Healthcare) wrote:

> It is not the list of ciphers that I want to choose from. We are indeed
> using a select set of ciphers and that seems to be working fine. My
> problem is that when stunnel connects to the server it is trying sslv3,
> and this causes an error as the server is only supporting TLS. I could
> easily be wrong...

Ah, that way.

    options = SSL_options
        OpenSSL library options

        The parameter is the OpenSSL option name as described in the
        SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix.
        Several options can be used to specify multiple options. For
        example for compatibility with erroneous Eudora SSL
        implementation the following option can be used:

            options = DONT_INSERT_EMPTY_FRAGMENTS

Check the SSL_CTX_set_options manpage, it says -amongst other things-:

    SSL_OP_NO_SSLv2
        Do not use the SSLv2 protocol.
    SSL_OP_NO_SSLv3
        Do not use the SSLv3 protocol.
    SSL_OP_NO_TLSv1
        Do not use the TLSv1 protocol.

That ought to do the trick I'd say. Let us know if it did :)

Jan
--
http://www.surfnet.nl/organisatie/jame

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
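What the thread never checks is what actually goes on the wire. Both error strings come from OpenSSL's s3_*.c code path, which handles SSLv3 and every TLS 1.x version alike, so neither "SSL3_GET_CLIENT_HELLO" nor "sslv3 alert handshake failure" says which version the client offered; only the ClientHello bytes do. The script below is an added example, not part of the original thread and not stunnel's or OpenSSL's code. It decodes the two version fields a ClientHello carries (the record-layer version and the client_version in the handshake body, plus the TLS 1.3 supported_versions extension on newer clients) and also recognises the SSLv2-compatible hello format that older OpenSSL SSLv23 clients send unless SSL_OP_NO_SSLv2 is set. The sample messages are constructed inline by build_client_hello(); to examine a real stunnel client, capture the first bytes it sends to port 8443 (tcpdump or Wireshark) and pass them to describe().

```python
"""Read the version fields of a captured ClientHello.

Added example for the stunnel thread; not stunnel's or OpenSSL's code. The
sample hellos are constructed by build_client_hello() so the script runs
offline; a real capture would come from tcpdump/Wireshark.
"""
import struct

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def version_name(v):
    return VERSION_NAMES.get(v, "unknown(0x%04x)" % v)


def parse_client_hello(data):
    """Return the version fields of a ClientHello in either wire format.

    Keys: format ('sslv2-compatible' or 'sslv3/tls'), record_version
    (None for the SSLv2 format), hello_version (client_version in the
    body), supported_versions (TLS 1.3 extension list, [] if absent).
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:
        # SSLv2-compatible CLIENT-HELLO: 2-byte length with the high bit set,
        # then msg type (1) and the client's version. Older OpenSSL SSLv23
        # clients sent this format unless SSL_OP_NO_SSLv2 was set.
        if data[2] != 1:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        return {"format": "sslv2-compatible", "record_version": None,
                "hello_version": struct.unpack(">H", data[3:5])[0],
                "supported_versions": []}

    content_type, record_version, record_len = struct.unpack(">BHH", data[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    hello_version = struct.unpack(">H", hello[:2])[0]

    # Walk past random, session_id, cipher_suites and compression_methods
    pos = 2 + 32
    pos += 1 + hello[pos]
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 1 + hello[pos]

    supported = []
    if pos + 2 <= len(hello):                       # extensions are optional
        end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 43:                      # supported_versions, RFC 8446
                n = ext[0]
                supported = [struct.unpack(">H", ext[1 + i:3 + i])[0]
                             for i in range(0, n, 2)]
    return {"format": "sslv3/tls", "record_version": record_version,
            "hello_version": hello_version, "supported_versions": supported}


def describe(data):
    """One-line summary of the versions a ClientHello offers."""
    r = parse_client_hello(data)
    if r["format"] == "sslv2-compatible":
        return "SSLv2-format hello offering %s" % version_name(r["hello_version"])
    s = "record %s, client_version %s" % (version_name(r["record_version"]),
                                          version_name(r["hello_version"]))
    if r["supported_versions"]:
        s += ", supported_versions " + "/".join(map(version_name, r["supported_versions"]))
    return s


def build_client_hello(record_version, hello_version, supported_versions=None,
                       sslv2_format=False):
    """Constructed sample ClientHello (not a capture); minimal but well-formed."""
    if sslv2_format:
        body = (struct.pack(">BHHHH", 1, hello_version, 3, 0, 16)
                + b"\x00\x00\x0a" + b"\x00" * 16)   # one cipher spec, 16-byte challenge
        return struct.pack(">H", 0x8000 | len(body)) + body
    hello = struct.pack(">H", hello_version) + b"\x00" * 32  # version, random
    hello += b"\x00"                                           # empty session_id
    hello += struct.pack(">H", 2) + b"\x00\x2f"                # one cipher suite
    hello += b"\x01\x00"                                       # null compression
    if supported_versions:
        vs = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", 43, 1 + len(vs)) + bytes([len(vs)]) + vs
        hello += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack(">BHH", 22, record_version, len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "SSLv3 hello":           build_client_hello(0x0300, 0x0300),
        "TLS 1.0 hello":         build_client_hello(0x0301, 0x0301),
        "SSLv2-format, TLS 1.0": build_client_hello(None, 0x0301, sslv2_format=True),
        "TLS 1.3 hello":         build_client_hello(0x0301, 0x0303, [0x0304, 0x0303]),
    }
    for name, data in samples.items():
        print("%-22s %s" % (name, describe(data)))
```

Independently of what the client sends, running `openssl s_client -connect devapp:8443 -tls1` from server2 shows whether the s_server side accepts a TLS 1.0-only client at all, which separates a client-side version problem from a server-side one. Later stunnel manuals also document an `sslVersion = TLSv1` directive that selects OpenSSL's TLSv1 method outright instead of negotiating down from the SSLv23 method; whether the 2006 build in the thread already had it is an assumption.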