<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><font face="sans-serif" size="2"><br></font></div><div>Hi,</div><div><br></div><div>If you have control of both ends of the connection make sure your SSL version is consistent on</div><div>both sides.</div><div>I would not recomend using sslVersion = all</div><div><br></div><div>Either set it to SSLv3 or TLSv1</div><div><font face="Arial" size="2">DES-CBC-SHA is supported under those <br></font></div><div><br></div><div><font face="Arial" size="2">However, judging for the cipher you are choosing I assume you might be dealing with a legacy</font></div><div><font face="Arial" size="2">application and you might not have access to both ends of the connection.<br></font></div><div>I would try setting only one version at the time and moving down from TLSv1, SSLv3 and SSLv2 <br></div><div>sslVersion = <br></div><div>ciphers = <font
face="Arial" size="2">DES-CBC-SHA</font></div><div><br>Cheers<br> </div><div>-----------------<br>Leandro Avila<br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><font face="Arial" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> "laurent.uk@bnpparibas.com" <laurent.uk@bnpparibas.com><br><b><span style="font-weight: bold;">To:</span></b> josealf@rocketmail.com<br><b><span style="font-weight: bold;">Cc:</span></b> stunnel-users@stunnel.org; stunnel-users-bounces@stunnel.org<br><b><span style="font-weight: bold;">Sent:</span></b> Tuesday, May 3, 2011 10:48 AM<br><b><span style="font-weight: bold;">Subject:</span></b> [stunnel-users] R�f. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA<br></font><br>
<meta http-equiv="x-dns-prefetch-control" content="off"><div id="yiv1717033046">
<br><font face="sans-serif" size="2">Dear Jose,</font>
<br>
<br><font face="sans-serif" size="2">here is the configuration file of my
stunnel :</font>
<br>
<table width="100%" border="1">
<tbody><tr valign="top">
<td width="100%"><font face="sans-serif" size="2">; Sample stunnel configuration
file by Michal Trojnara 2002-2006</font>
<br><font face="sans-serif" size="2">; Some options used here may not be
adequate for your particular configuration</font>
<br><font face="sans-serif" size="2">; Please make sure you understand them
(especially the effect of chroot jail)</font>
<br>
<br><font face="sans-serif" size="2">; Certificate/key is needed in server
mode and optional in client mode</font>
<br><font face="sans-serif" size="2">cert = /opt/freeware/etc/stunnel/ca_nopass.pem</font>
<br><font face="sans-serif" size="2">foreground = yes</font>
<br><font face="sans-serif" size="2">syslog = yes</font>
<br><font face="sans-serif" size="2">; Protocol version (all, SSLv2, SSLv3,
TLSv1)</font>
<br><font face="sans-serif" size="2">;sslVersion = SSLv2</font>
<br><font face="sans-serif" size="2">sslVersion = all</font>
<br><font face="sans-serif" size="2">;ciphers = DES-CBC-SHA</font>
<br><font face="sans-serif" size="2">;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5</font>
<br><font face="sans-serif" size="2">; Some security enhancements for UNIX
systems - comment them out on Win32</font>
<br><font face="sans-serif" size="2">;chroot = /usr/local/stunnel/var/lib/stunnel</font>
<br><font face="sans-serif" size="2">;chroot = /tmp/</font>
<br><font face="sans-serif" size="2">;setuid = root</font>
<br><font face="sans-serif" size="2">;setgid = other</font>
<br><font face="sans-serif" size="2">; PID is created inside chroot jail</font>
<br><font face="sans-serif" size="2">pid = /var/adm/stunnel_server_level1.pid</font>
<br>
<br><font face="sans-serif" size="2">; Some performance tunings</font>
<br><font face="sans-serif" size="2">socket = l:TCP_NODELAY=1</font>
<br><font face="sans-serif" size="2">socket = r:TCP_NODELAY=1</font>
<br><font face="sans-serif" size="2">;compression = rle</font>
<br>
<br><font face="sans-serif" size="2">; Workaround for Eudora bug</font>
<br><font face="sans-serif" size="2">;options = DONT_INSERT_EMPTY_FRAGMENTS</font>
<br><font face="sans-serif" size="2">;options = Options_SSL</font>
<br><font face="sans-serif" size="2">; Authentication stuff</font>
<br><font face="sans-serif" size="2">verify = 3</font>
<br><font face="sans-serif" size="2">; Don't forget to c_rehash CApath</font>
<br><font face="sans-serif" size="2">; CApath is located inside chroot jail</font>
<br><font face="sans-serif" size="2">CApath = /opt/freeware/etc/stunnel/CA_files/</font>
<br><font face="sans-serif" size="2">; It's often easier to use CAfile</font>
<br><font face="sans-serif" size="2">;CAfile = /opt/freeware/etc/stunnel/ca.pem</font>
<br><font face="sans-serif" size="2">; Don't forget to c_rehash CRLpath</font>
<br><font face="sans-serif" size="2">; CRLpath is located inside chroot jail</font>
<br><font face="sans-serif" size="2">;CRLpath = /crls</font>
<br><font face="sans-serif" size="2">; Alternatively you can use CRLfile</font>
<br><font face="sans-serif" size="2">;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem</font>
<br>
<br><font face="sans-serif" size="2">; Some debugging stuff useful for troubleshooting</font>
<br><font face="sans-serif" size="2">debug = 7</font>
<br>
<br><font face="sans-serif" size="2">; Use it for client mode</font>
<br><font face="sans-serif" size="2">client = no</font>
<br><font face="sans-serif" size="2">; Service-level configuration</font>
<br>
<br><font face="sans-serif" size="2">[pesitip]</font>
<br><font face="sans-serif" size="2">accept = 10443</font>
<br><font face="sans-serif" size="2">connect = XXXXXXX:10016</font></td></tr></tbody></table>
<br>
<br><font face="sans-serif" size="2">Thanks for your help.</font>
<br>
<br><font face="sans-serif" size="2">Regards.<br>
<br>
Laurent UK<br>
<br>
</font>
<br>
<br>
<br>
<table width="100%">
<tbody><tr valign="top">
<td width="39%"><font face="helv" size="4"><b>Internet </b></font>
<br><font face="sans-serif" size="1"><b>josealf@rocketmail.com</b></font>
<div><font face="sans-serif" size="1">03/05/2011 14:52</font>
</div><table border="1">
<tbody><tr valign="top">
<td bgcolor="white">
<div align="center"><font face="sans-serif" size="1">Veuillez r�pondre �<br>
josealf@rocketmail.com</font></div></td></tr></tbody></table>
<br>
</td><td width="60%">
<table width="100%">
<tbody><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">Pour</font></div>
</td><td><font face="sans-serif" size="1">Laurent UK, stunnel-users-bounces@stunnel.org,
stunnel-users@stunnel.org</font>
</td></tr><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">cc</font></div>
</td><td>
</td></tr><tr valign="top">
<td>
<div align="right"><font face="sans-serif" size="1">Objet</font></div>
</td><td><font face="sans-serif" size="1">Re: [stunnel-users] need help error
:SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA</font></td></tr></tbody></table>
<br>
<table>
<tbody><tr valign="top">
<td>
</td><td></td></tr></tbody></table>
<br></td></tr></tbody></table>
<br>
<br>
<br><font size="2"><tt>Laurent,<br>
<br>
Can you post your configuration? For security, You should change the real
IPs (but not the ports) before posting.<br>
<br>
You can check:<br>
<br>
1. Does your stunnel client config has client=yes?<br>
2. Does your stunnel server config has client=no<br>
3. Check your packet flow, that is: your accept/connect settings.<br>
<br>
Regards<br>
Jose<br>
-----Original Message-----<br>
From: laurent.uk@bnpparibas.com<br>
Sender: stunnel-users-bounces@stunnel.org<br>
Date: Tue, 3 May 2011 14:16:09 <br>
To: <stunnel-users@stunnel.org><br>
Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version<br>
number with cipher DES-CBC-SHA<br>
<br>
_______________________________________________<br>
stunnel-users mailing list<br>
stunnel-users@stunnel.org<br>
http://stunnel.mirt.net/mailman/listinfo/stunnel-users<br>
<br>
<br>
<br>
</tt></font>
<br><font face="monospace"><br>
<br>
<br>
<br>
This message and any attachments (the "message") is<br>
intended solely for the addressees and is confidential. <br>
If you receive this message in error, please delete it and <br>
immediately notify the sender. Any use not in accord with <br>
its purpose, any dissemination or disclosure, either whole <br>
or partial, is prohibited except formal approval. The internet<br>
can not guarantee the integrity of this message. <br>
BNP PARIBAS (and its subsidiaries) shall (will) not <br>
therefore be liable for the message if modified. <br>
Do not print this message unless it is necessary,<br>
consider the environment.<br>
<br>
---------------------------------------------<br>
<br>
Ce message et toutes les pieces jointes (ci-apres le <br>
"message") sont etablis a l'intention exclusive de ses <br>
destinataires et sont confidentiels. Si vous recevez ce <br>
message par erreur, merci de le detruire et d'en avertir <br>
immediatement l'expediteur. Toute utilisation de ce <br>
message non conforme a sa destination, toute diffusion <br>
ou toute publication, totale ou partielle, est interdite, sauf <br>
autorisation expresse. L'internet ne permettant pas <br>
d'assurer l'integrite de ce message, BNP PARIBAS (et ses<br>
filiales) decline(nt) toute responsabilite au titre de ce <br>
message, dans l'hypothese ou il aurait ete modifie.<br>
N'imprimez ce message que si necessaire,<br>
pensez a l'environnement.</font></div><meta http-equiv="x-dns-prefetch-control" content="on"><br>_______________________________________________<br>stunnel-users mailing list<br><a ymailto="mailto:stunnel-users@stunnel.org" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br><a href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target="_blank">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a><br><br><br></div></div></div></body></html>