[stunnel-users] Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA

• Previous message (by thread): [stunnel-users] stunnel 4.36 execution problem on Solaris 10
• Next message (by thread): [stunnel-users] Réf. : Re: Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Laurent,

Ideally, you should terminate the SSL connection on your final server. But 
that's not the problem here. It should work as is. 


Mosty likely the problem is on the client SSL software you are using to connect 
to stunnel. The cipher you are trying to use DESC-CBC-SHA works with SSLv3 and 
TLSv1. Can you force your client to use those protocols? Maybe it is trying to 
negotiate SSLv2. Also are you sure it is speaking SSL instead of plain text?

You can test your connection to stunnel server with openssl s_client command. 
Example

openssl s_client -ssl3 -state -connect your-stunnel-ip:10443
openssl s_client -tls1 -state -connect your-stunnel-ip:10443

if this works, we found the culprit.

Regards

Jose


________________________________
From: "laurent.uk at bnpparibas.com" <laurent.uk at bnpparibas.com>
To: josealf at rocketmail.com
Cc: stunnel-users at stunnel.org; stunnel-users-bounces at stunnel.org
Sent: Wed, May 4, 2011 2:05:07 AM
Subject: Réf. : Re: Réf. : Re: [stunnel-users] need help error 
:SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA


Jose, 

I use 2 servers in my configuration: 

the first one who listenning on the port 10443 (where we receive encrypted 
traffic from software using ssl) 


and the second one who listenning the port 10016 (where we receive decrypted 
traffic). 


The first one receive the encrypted traffic, it decrypted it and send it to the 
second server that's why i only use the server mode on my fist server. 


Do you think that i also need to change this configuration? 

Cordialement,

Laurent UK





Internet   
josealf at rocketmail.com 
03/05/2011 19:18  Pour Laurent UK  
cc stunnel-users at stunnel.org, stunnel-users-bounces at stunnel.org  
Objet Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong 
versionnumber with cipher DES-CBC-SHA 

  
 


Laurent, 
  
I'm not sure you are connecting the dots right. 
  
I see an stunnel server configuration. In this case, your stunnel is a front-end 
to a service you run on host XXXX port 10016. What is that service? Is stunnel 
running on the same host? Note that If stunnel is not running on the same host 
with IP XXXX, then you may have some traffic in clear text in your network (from 
the device running stunnel to the device hosting the service on port 10016). 

  
You need a client to connect to the stunnel server. Unless your client support 
SSL natively, you also should have an stunnel running on your client device with 
entries like these: 

  
client=yes 
[pestip] 
accept = 10443
connect = Your-Stunnel-server-IP:10443 
  
In this case your client apps connects locally to port 10443, traffic is 
encrypted and sent to your server listening on port 10443, where it is decripted 
and send to IP XXXX port 10016. 

  

Regards, 
  
Jose 
  

________________________________
From: "laurent.uk at bnpparibas.com" <laurent.uk at bnpparibas.com>
To: josealf at rocketmail.com
Cc: stunnel-users at stunnel.org; stunnel-users-bounces at stunnel.org
Sent: Tue, May 3, 2011 10:48:11 AM
Subject: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong 
versionnumber with cipher DES-CBC-SHA


Dear Jose,

here is the configuration file of my stunnel :
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /opt/freeware/etc/stunnel/ca_nopass.pem
foreground = yes
syslog = yes
; Protocol version (all, SSLv2, SSLv3, TLSv1)
;sslVersion = SSLv2
sslVersion = all
;ciphers = DES-CBC-SHA
;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5
; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /usr/local/stunnel/var/lib/stunnel
;chroot = /tmp/
;setuid = root
;setgid = other
; PID is created inside chroot jail
pid = /var/adm/stunnel_server_level1.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
;options = Options_SSL
; Authentication stuff
verify = 3
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /opt/freeware/etc/stunnel/CA_files/
; It's often easier to use CAfile
;CAfile = /opt/freeware/etc/stunnel/ca.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7

; Use it for client mode
client = no
; Service-level configuration

[pesitip]
accept = 10443
connect = XXXXXXX:10016 


Thanks for your help.

Regards.

Laurent UK




Internet  
josealf at rocketmail.com
03/05/2011 14:52

Veuillez répondre à
josealf at rocketmail.com  

Pour Laurent UK, stunnel-users-bounces at stunnel.org, stunnel-users at stunnel.org 
cc  
Objet Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber 
with cipher DES-CBC-SHA 


  
 



Laurent,

Can you post your configuration? For security, You should change the real IPs 
(but not the ports) before posting.

You can check:

1. Does your stunnel client config has client=yes?
2. Does your stunnel server config has client=no
3. Check your packet flow, that is: your accept/connect settings.

Regards
Jose
-----Original Message-----
From: laurent.uk at bnpparibas.com
Sender: stunnel-users-bounces at stunnel.org
Date: Tue, 3 May 2011 14:16:09 
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version
               number with cipher DES-CBC-SHA

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users








This message and any attachments (the "message") is
intended solely for the addressees and is confidential. 
If you receive this message in error, please delete it and 
immediately notify the sender. Any use not in accord with 
its purpose, any dissemination or disclosure, either whole 
or partial, is prohibited except formal approval. The internet
can not guarantee the integrity of this message. 
BNP PARIBAS (and its subsidiaries) shall (will) not 
therefore be liable for the message if modified. 
Do not print this message unless it is necessary,
consider the environment.

               ---------------------------------------------

Ce message et toutes les pieces jointes (ci-apres le 
"message") sont etablis a l'intention exclusive de ses 
destinataires et sont confidentiels. Si vous recevez ce 
message par erreur, merci de le detruire et d'en avertir 
immediatement l'expediteur. Toute utilisation de ce 
message non conforme a sa destination, toute diffusion 
ou toute publication, totale ou partielle, est interdite, sauf 
autorisation expresse. L'internet ne permettant pas 
d'assurer l'integrite de ce message, BNP PARIBAS (et ses
filiales) decline(nt) toute responsabilite au titre de ce 
message, dans l'hypothese ou il aurait ete modifie.
N'imprimez ce message que si necessaire,
pensez a l'environnement. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110504/5ea2ae6a/attachment.html>

• Previous message (by thread): [stunnel-users] stunnel 4.36 execution problem on Solaris 10
• Next message (by thread): [stunnel-users] Réf. : Re: Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]