[stunnel-users] Problem with sslv2 clients
Ludovic LEVET
llevet at ludosoft.org
Sun Dec 11 15:03:23 CET 2011
Try this conf:
stunnel.conf:
fips = no
sslVersion = all
ciphers = ALL
[imaps]
accept = 130.83.174.1:993
connect = 127.0.0.1:143
protocol = imap
cert = imap.xxx.company.yy.pem
Ludo.
On 10/12/2011 14:26, Markus Borst wrote:
> Sorry, my mistake for not being clearer: I do not want to use SSLv2, I
> want the automatic negotiation to work. The client does not get any
> kind of response from stunnel, instead, the TCP connection is closed!
> (RST packet)
>
> I'm no expert for ssl, but it looks to me, like the client tried SSLv2
> first, but offered TLSv1 also (please see screenshot of packet trace
> in my first mail). The server did not answer with its capabilities,
> but simply closed the connection.
>
> Is this really normal? Shouldn't stunnel answer, in protocol, that it
> only supports certain other encryption methods?
>
> Greetings
> Markus Borst
>
>
> On 09.12.2011 19:14, Ludovic LEVET wrote:
>> Hi,
>>
>> Normal, SSLv2 is disabled by default since version 4.40.
>> (http://www.stunnel.org/?page=sdf_ChangeLog)
>> To re-enable it, add to your config file:
>>
>> ciphers = ALL:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (or other)
>> and
>> sslVersion = all
>>
>>
>> Ludovic.
>>
>>
>>
>>>
>>>
>>>
>>> On 09/12/2011 15:37, Markus Borst wrote:
>>>> Hi,
>>>>
>>>> we have a strange problem with newer stunnel versions (4.50 on
>>>> windows), compared to older ones (known to work is version 4.35).
>>>> The problem seems to be, that if a client sends a SSLv2 Hello
>>>> message, the stunnel server simply resets the TCP connection,
>>>> without trying to negotiate anything.
>>>>
>>>> Setup: Stunnel is used to provide ssl/tls for imap, Hobbit is used
>>>> to monitor service availability. The Hobbit module to monitor imaps
>>>> seems to try SSLv2 first, but also supports newer versions (SSLv3
>>>> and TLSv1). The ssl connection never gets established, stunnel
>>>> sends a tcp RST, hobbit never retries. We can force some hobbit
>>>> modules to use TLSv1 exclusively, but not all of them. We fear that
>>>> some older mail clients will also have problems initiating a
>>>> connection, so we keep stunnel 4.35 running for now.
>>>>
>>>> stunnel.conf:
>>>>
>>>> fips = no
>>>> debug = 7
>>>> output = stunnel.log
>>>>
>>>> [imaps]
>>>> accept = 130.83.174.1:993
>>>> connect = 127.0.0.1:143
>>>> cert = imap.xxx.company.yy.pem
>>>>
>>>>
>>>> stunnel.log:
>>>>
>>>> 2011.12.09 14:55:12 LOG5[6820:2144]: Service imaps accepted
>>>> connection from xxx.yyy.zzz.105:45294
>>>> 2011.12.09 14:55:12 LOG3[6820:2144]: SSL_accept: 1408F10B:
>>>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>>> 2011.12.09 14:55:12 LOG5[6820:2144]: Connection reset: 0 bytes sent
>>>> to SSL, 0 bytes sent to socket
>>>> 2011.12.09 14:55:12 LOG7[6820:2144]: Service imaps finished (0 left)
>>>> 2011.12.09 14:55:12 LOG7[6820:2144]: str_stats: 0 block(s), 0 data
>>>> byte(s), 0 control byte(s)
>>>>
>>>>
>>>>
>>>> Wireshark Packet Trace (see attached image).
>>>>
>>>>
>>>> What's wrong here? Shouldn't client and server negotiate the
>>>> methods used? The client seems to offer TLS ("Version: TLS 1.0
>>>> ..."), but instead of negotiating, the server simply closes the
>>>> connection.
>>>>
>>>>
>>>> Greetings
>>>> Markus Borst
>>>>
>>>
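The thread turns on what the client actually put on the wire: Markus reads his packet trace as an SSLv2-format ClientHello that also advertises TLS 1.0, while stunnel's log only shows "SSL3_GET_RECORD:wrong version number". The parser below is an added example, not part of the mailing-list thread and not stunnel code. It takes the first bytes a client sends (as captured with Wireshark, for instance) and reports whether the hello uses the old SSLv2 record format or the SSLv3/TLS record format, the highest protocol version the client offers, and how many of the listed ciphers are SSLv2-only. Both sample byte strings are constructed for this example; the function and field names are my own.

```python
import struct

# Human-readable names for the version field of a ClientHello.
VERSION_NAMES = {
    0x0002: "SSLv2",
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}


def version_name(v):
    return VERSION_NAMES.get(v, "unknown 0x%04x" % v)


def classify_client_hello(data):
    """Classify the first bytes of a client connection.

    Returns a dict with the hello format ("sslv2" or "tls"), the highest
    version the client offers, the number of cipher entries, and (for the
    SSLv2 format) how many of those entries are SSLv2-only ciphers.
    """
    if len(data) < 3:
        raise ValueError("too short to be a ClientHello")

    if data[0] & 0x80:
        # SSLv2 record: 2-byte length with the high bit set, then the message.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        version = struct.unpack(">H", body[1:3])[0]
        cs_len, sid_len, ch_len = struct.unpack(">HHH", body[3:9])
        specs = body[9:9 + cs_len]
        if len(specs) != cs_len or cs_len % 3:
            raise ValueError("truncated or malformed cipher-spec list")
        # Each spec is 3 bytes; a leading 0x00 means an SSLv3/TLS suite,
        # anything else is a genuine SSLv2 cipher kind.
        ciphers = [specs[i:i + 3] for i in range(0, cs_len, 3)]
        v2_only = [c for c in ciphers if c[0] != 0x00]
        return {
            "format": "sslv2",
            "max_version": version_name(version),
            "cipher_count": len(ciphers),
            "sslv2_only_ciphers": len(v2_only),
        }

    if data[0] == 0x16:
        # SSLv3/TLS record: type 0x16 (handshake), version, 2-byte length.
        if len(data) < 5:
            raise ValueError("truncated TLS record header")
        record_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + record_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < 35:
            raise ValueError("truncated ClientHello body")
        version = struct.unpack(">H", body[0:2])[0]
        sid_len = body[34]                       # after 32-byte random
        off = 35 + sid_len
        cs_len = struct.unpack(">H", body[off:off + 2])[0]
        suites = body[off + 2:off + 2 + cs_len]
        if len(suites) != cs_len or cs_len % 2:
            raise ValueError("truncated or malformed cipher-suite list")
        return {
            "format": "tls",
            "max_version": version_name(version),
            "cipher_count": cs_len // 2,
            "sslv2_only_ciphers": 0,
        }

    raise ValueError("first byte 0x%02x is not a recognisable ClientHello" % data[0])


# Constructed sample 1: an SSLv2-format hello that offers TLS 1.0 as its
# highest version, the "v2-compatible" hello older clients send.
SSLV2_COMPAT_HELLO = (
    b"\x80\x1f"          # length 31, high bit set = SSLv2 record format
    + b"\x01"            # CLIENT-HELLO
    + b"\x03\x01"        # highest version supported: TLS 1.0
    + b"\x00\x06"        # cipher-spec length: two 3-byte specs
    + b"\x00\x00"        # session-id length
    + b"\x00\x10"        # challenge length: 16
    + b"\x00\x00\x04"    # TLS suite 0x0004 in SSLv2 encoding
    + b"\x01\x00\x80"    # SSLv2-only cipher SSL_CK_RC4_128_WITH_MD5
    + b"\x00" * 16       # challenge (constructed zeros)
)

# Constructed sample 2: a plain SSLv3/TLS-format ClientHello for TLS 1.0.
TLS_HELLO = (
    b"\x16\x03\x01"      # handshake record, record-layer version TLS 1.0
    + b"\x00\x2d"        # record length 45
    + b"\x01"            # ClientHello
    + b"\x00\x00\x29"    # handshake length 41
    + b"\x03\x01"        # client_version TLS 1.0
    + b"\x00" * 32       # random (constructed zeros)
    + b"\x00"            # session-id length
    + b"\x00\x02"        # cipher-suites length
    + b"\x00\x2f"        # TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"        # one compression method: null
)

if __name__ == "__main__":
    for label, sample in (("sslv2-compat", SSLV2_COMPAT_HELLO), ("tls", TLS_HELLO)):
        print(label, classify_client_hello(sample))
```

Feed it the TCP payload of the client's first packet (Wireshark's "Copy as Escaped String" on the data field works) and it tells you whether you are looking at the situation in this thread: a v2-format hello whose version field says TLS 1.0. That distinction is what decides whether the fix is on the server side, as Ludovic suggests with sslVersion = all, or on the client side, by making the monitoring module send a TLS-format hello as Markus managed for some Hobbit modules.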