[stunnel-users] Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA

• Previous message (by thread): [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
• Next message (by thread): [stunnel-users] Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

If you have control of both ends of the connection make sure your SSL version is consistent on
both sides.
I would not recomend using sslVersion = all

Either set it to SSLv3 or TLSv1
DES-CBC-SHA is supported under those 


However, judging for the cipher you are choosing I assume you might be dealing with a legacy
application and you might not have access to both ends of the connection.

I would try setting only one version at the time and moving down from TLSv1, SSLv3 and SSLv2 

sslVersion = 

ciphers = DES-CBC-SHA

Cheers
 
-----------------
Leandro Avila


________________________________
From: "laurent.uk at bnpparibas.com" <laurent.uk at bnpparibas.com>
To: josealf at rocketmail.com
Cc: stunnel-users at stunnel.org; stunnel-users-bounces at stunnel.org
Sent: Tuesday, May 3, 2011 10:48 AM
Subject: [stunnel-users] Réf. :  Re:  need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA



Dear Jose, 

here is the configuration file of my
stunnel : 

; Sample stunnel configuration
file by Michal Trojnara 2002-2006 
; Some options used here may not be
adequate for your particular configuration 
; Please make sure you understand them
(especially the effect of chroot jail) 

; Certificate/key is needed in server
mode and optional in client mode 
cert = /opt/freeware/etc/stunnel/ca_nopass.pem 
foreground = yes 
syslog = yes 
; Protocol version (all, SSLv2, SSLv3,
TLSv1) 
;sslVersion = SSLv2 
sslVersion = all 
;ciphers = DES-CBC-SHA 
;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5 
; Some security enhancements for UNIX
systems - comment them out on Win32 
;chroot = /usr/local/stunnel/var/lib/stunnel 
;chroot = /tmp/ 
;setuid = root 
;setgid = other 
; PID is created inside chroot jail 
pid = /var/adm/stunnel_server_level1.pid 

; Some performance tunings 
socket = l:TCP_NODELAY=1 
socket = r:TCP_NODELAY=1 
;compression = rle 

; Workaround for Eudora bug 
;options = DONT_INSERT_EMPTY_FRAGMENTS 
;options = Options_SSL 
; Authentication stuff 
verify = 3 
; Don't forget to c_rehash CApath 
; CApath is located inside chroot jail 
CApath = /opt/freeware/etc/stunnel/CA_files/ 
; It's often easier to use CAfile 
;CAfile = /opt/freeware/etc/stunnel/ca.pem 
; Don't forget to c_rehash CRLpath 
; CRLpath is located inside chroot jail 
;CRLpath = /crls 
; Alternatively you can use CRLfile 
;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem 

; Some debugging stuff useful for troubleshooting 
debug = 7 

; Use it for client mode 
client = no 
; Service-level configuration 

[pesitip] 
accept = 10443 
connect = XXXXXXX:10016 

Thanks for your help. 

Regards.

Laurent UK

 



Internet   
josealf at rocketmail.com 
03/05/2011 14:52 
Veuillez répondre à
josealf at rocketmail.com 
 Pour Laurent UK, stunnel-users-bounces at stunnel.org,
stunnel-users at stunnel.org  
cc  
Objet Re: [stunnel-users] need help error
:SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA 
  
 


Laurent,

Can you post your configuration? For security, You should change the real
IPs (but not the ports) before posting.

You can check:

1. Does your stunnel client config has client=yes?
2. Does your stunnel server config has client=no
3. Check your packet flow, that is: your accept/connect settings.

Regards
Jose
-----Original Message-----
From: laurent.uk at bnpparibas.com
Sender: stunnel-users-bounces at stunnel.org
Date: Tue, 3 May 2011 14:16:09 
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version
               
number with cipher DES-CBC-SHA

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users



 




This message and any attachments (the "message") is
intended solely for the addressees and is confidential. 
If you receive this message in error, please delete it and 
immediately notify the sender. Any use not in accord with 
its purpose, any dissemination or disclosure, either whole 
or partial, is prohibited except formal approval. The internet
can not guarantee the integrity of this message. 
BNP PARIBAS (and its subsidiaries) shall (will) not 
therefore be liable for the message if modified. 
Do not print this message unless it is necessary,
consider the environment.

                ---------------------------------------------

Ce message et toutes les pieces jointes (ci-apres le 
"message") sont etablis a l'intention exclusive de ses 
destinataires et sont confidentiels. Si vous recevez ce 
message par erreur, merci de le detruire et d'en avertir 
immediatement l'expediteur. Toute utilisation de ce 
message non conforme a sa destination, toute diffusion 
ou toute publication, totale ou partielle, est interdite, sauf 
autorisation expresse. L'internet ne permettant pas 
d'assurer l'integrite de ce message, BNP PARIBAS (et ses
filiales) decline(nt) toute responsabilite au titre de ce 
message, dans l'hypothese ou il aurait ete modifie.
N'imprimez ce message que si necessaire,
pensez a l'environnement.
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110503/a46196b9/attachment.html>

• Previous message (by thread): [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
• Next message (by thread): [stunnel-users] Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]