<html>

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {font-family:Arial;
        color:windowtext;}
span.EmailStyle18
        {font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>

</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hi again,</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I have resolved the issue stated here
below, and thus reply to my request for wisdom.</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>After many hours of reading on SSL and
stunnel, understanding how the SSL handshake works and should take place, and after
reading more posts on 'bugs' and features, I was confronted with two
possibilities that could explain why the handshake was not succeeding:</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:-.25in'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:navy'>1)<font size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>      
</span></font></span></font><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>There were too many root
CAs on the server (AD)</span></font></p>

<p class=MsoNormal style='margin-left:.5in;text-indent:-.25in'><font size=2
color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:navy'>2)<font size=1 face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>      
</span></font></span></font><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>The certs on the server
(AD) used keys longer than 3500 bits</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>The fact is someone administering the
win2k server had installed a new root CA, for another project... and no one was
aware of this change. I removed all root CAs that would be useless to the
server (there are lots ;-)) and tried the connection again. Tada, it worked
great.</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Cheers everyone,</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Olivier</span></font></p>

<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'> </span></font></p>

<div>

<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>

<hr size=2 width="100%" align=center tabindex=-1>

</span></font></div>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Olivier Rademakers<br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, September 02, 2004
12:48 AM<br>
<b><span style='font-weight:bold'>To:</span></b> stunnel-users@mirt.net;
openssl-users@openssl.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> ssl - excessive message
size</span></font></p>

</div>

<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hi All,</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am having trouble with a secure connection that used to
work until now. I am using an stunnel connection to transfer data from an LDAP
server (127.0.0.1) to a Windows Active Directory server (machineB.domain.com) in order
to update AD with updated LDAP data.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I have run stunnel in high verbosity manually so I could
extract a log of a connection attempt. Here it is below:</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<pre style='font-size:10.0pt'>
# stunnel -c -f -D 7 -P /var/ldapad/ -d 127.0.0.1:6360 -r machineB.domain.com:636

LOG5[9318:1]: Using 'machineB.domain.com.636' as tcpwrapper service name
LOG7[9318:1]: RAND_status claims sufficient entropy for the PRNG
LOG6[9318:1]: PRNG seeded successfully
LOG5[9318:1]: stunnel 3.14 on sparc-sun-solaris2.7 PTHREAD
LOG7[9318:1]: Created pid file /var/ldapad/stunnel.machineB.domain.com.636.pid
LOG7[9318:1]: machineB.domain.com.636 bound to 127.0.0.1:6360
LOG7[9318:4]: machineB.domain.com.636 started
LOG5[9318:4]: machineB.domain.com.636 connected from 127.0.0.1:55001
LOG7[9318:4]: machineB.domain.com.636 connecting 172.27.24.4:636
LOG7[9318:4]: Remote host connected
LOG7[9318:4]: before/connect initialization
LOG7[9318:4]: before/connect initialization
LOG7[9318:4]: SSLv3 write client hello A
LOG7[9318:4]: SSLv3 read server hello A
LOG7[9318:4]: SSLv3 read server certificate A
LOG7[9318:4]: SSLv3 read server key exchange A
LOG7[9318:4]: SSLv3 read server key exchange A
LOG3[9318:4]: SSL_connect: error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size
LOG7[9318:4]: machineB.domain.com.636 finished (0 left)
</pre>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I have searched for this error but to no avail and am
wondering if any of you have already come across it, and if so would have the
beginning of a solution, and why not The Solution ;-)</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>NB: When running stunnel with the "-c" operand
(client mode), it is said the certificates are optional. I have captured the
dialogue between the two machines, and apparently, the problem would be coming
from the AD server as the DN (Distinguished Name) in the cert is ~8000 bytes
long... The capture reveals other errors, checksum and more, so if needed I
could append those to the problem stated here.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Again, unix-ldap side has not changed to my knowledge. The
script has always been the same, and it worked until now.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The ldap server is SUN Solaris 2.8 with ssl 0.9.7b</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Version of stunnel: stunnel 3.21 on sparc-sun-solaris2.8
PTHREAD</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The AD server is a Windows 2000 machine.</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> </span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Please enlighten me,</span></font></p>

<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Olivier</span></font></p>

</div>

</body>

</html>