<html><head></head><body><div class="ydpa467bdbdyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div dir="ltr" data-setdir="false">Chris.</div><div dir="ltr" data-setdir="false">Does this help? </div><div dir="ltr" data-setdir="false"><span><a href="https://stackoverflow.com/questions/40454338/no-shared-cipher-at-ssl-accept-why" rel="nofollow" target="_blank" class="">https://stackoverflow.com/questions/40454338/no-shared-cipher-at-ssl-accept-why</a></span><div><br></div><div dir="ltr" data-setdir="false"><span><span style="color: rgb(0, 0, 0); font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 16px;">If you can rule out libraries like OpenSSL, then look at your config + initial setup <span><span style="color: rgb(0, 0, 0); font-family: Helvetica Neue, Helvetica, Arial, sans-serif; font-size: 16px;">exchange</span></span>.</span></span><br></div><div><br></div></div></div><div id="ydp95ea77b3yahoo_quoted_2546740161" class="ydp95ea77b3yahoo_quoted"><div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;"><div><div dir="ltr">Date: Fri, 25 Oct 2019 11:11:54 -0400<br></div><div dir="ltr">From: Christopher Schultz <<a href="mailto:chris@christopherschultz.net" rel="nofollow" target="_blank">chris@christopherschultz.net</a>><br></div><div dir="ltr">Subject: Re: [stunnel-users] Strange connection failure in one environment</div><div dir="ltr">On 10/25/19 10:09, Christopher Schultz wrote:<br></div><div dir="ltr">> All,<br></div><div dir="ltr">> <br></div><div dir="ltr">> I've been using stunnel in two environments (dev, prod) for a long time<br></div><div dir="ltr">> without any problems. Recently, my dev environment started acting funny<br></div><div dir="ltr">> and I can't connect to it from outside the box.<br></div><div dir="ltr">> <br></div><div dir="ltr">> Can someone take a look and let me know if you have any suggestions for<br></div><div dir="ltr">> where to look for a problem?<br></div><div dir="ltr">> <br></div><div dir="ltr">> Both environments have the following things in common:<br></div><div dir="ltr">> <br></div><div dir="ltr">> 1. Hosted in Amazon EC2, no load-balancer in the way<br></div><div dir="ltr">> 2. Configuration requires client-certificate to connect<br></div><div dir="ltr">> 3. All certificates are valid, self-signed, and properly-trusted by both<br></div><div dir="ltr">> sides<br></div><div dir="ltr">> 4. TLS configuration has been locked-down to TLSv1.2, selected cipher<br></div><div dir="ltr">> suites, FIPS mode=off<br></div><div dir="ltr">> 5. All versions are the same: stunnel 4.56 w/OpenSSL 1.0.2k-fips<br></div><div dir="ltr">> <br></div><div dir="ltr">> The production (working) environment happens to be i686 and the<br></div><div dir="ltr">> development environment happens to be x86-86, but I don't believe that<br></div><div dir="ltr">> is relevant.<br></div><div dir="ltr">> <br></div><div dir="ltr">> When I use e.g. "openssl s_client" to connect to the production<br></div><div dir="ltr">> environment and I *do not* provide a client certificate, I am able to<br></div><div dir="ltr">> perform the initial TLS handshake, get a cipher suite negotiated, etc.<br></div><div dir="ltr">> and then the connection fails because I didn't provide the client<br></div><div dir="ltr">> certificate, of course. I *can* see in the handshake the list of allowed<br></div><div dir="ltr">> client certificates.<br></div><div dir="ltr">> <br></div><div dir="ltr">> When I do the same in development, I get a handshake failure. No allowed<br></div><div dir="ltr">> client certificates are shown. No nothing.<br></div><div dir="ltr">> <br></div><div dir="ltr">> If I connect on localhost to the dev server, I get what I'm expecting:<br></div><div dir="ltr">> allowed client certificates are listed, connection is closed because I'm<br></div><div dir="ltr">> not using the client certificate. Connecting from another host gets my a<br></div><div dir="ltr">> handshake failure.<br></div><div dir="ltr">> <br></div><div dir="ltr">> Again, there are no load-balancers or anything between the outside and<br></div><div dir="ltr">> the EC2 instance. I'm connecting as directly as it's possible to<br></div><div dir="ltr">> connect. The box definitely allows incoming connections on the port I'm<br></div><div dir="ltr">> trying to use; the AWS security group is configured correctly.<br></div><div dir="ltr">> <br></div><div dir="ltr">> I have tried dropping ALL security configuration on the dev server's<br></div><div dir="ltr">> stunnel.conf such as client-cert requirements, TLS protocols, cipher<br></div><div dir="ltr">> suites, etc. and I get the same behavior every time. I'm starting to<br></div><div dir="ltr">> think that it has nothing to do with my stunnel.conf configuration at<br></div><div dir="ltr">> all, but I'm at a loss as to where to look, next.<br></div><div dir="ltr">> <br></div><div dir="ltr">> Any ideas?<br></div><div dir="ltr"><br></div><div dir="ltr">Some more information:<br></div><div dir="ltr"><br></div><div dir="ltr">0. The error I get on the client is "handshake failure" and the stunnel<br></div><div dir="ltr">server drops this log message:<br></div><div dir="ltr"><br></div><div dir="ltr">SSL_accept: 1408A0C1: error:1408A0C1:SSL<br></div><div dir="ltr">routines:ssl3_get_client_hello:no shared cipher<br></div><div dir="ltr"><br></div><div dir="ltr">Note that I have disabled all but TLSv1.2 on the server. Removing this<br></div><div dir="ltr">restriction does not change the behavior.<br></div><div dir="ltr"><br></div><div dir="ltr">1. I have multiple stunnel configuration files on this server. Actually,<br></div><div dir="ltr">I have 4 of them. Connections to ports defined in 2 of these files are<br></div><div dir="ltr">not connecting successfully. Connections to ports defined in the OTHER<br></div><div dir="ltr">two files *are* connecting successfully.<br></div><div dir="ltr"><br></div><div dir="ltr">The configurations seem to follow a pattern: those using RSA<br></div><div dir="ltr">certificates as the server-certificate are working as expected, while<br></div><div dir="ltr">those with EC server-certificate are failing.<br></div><div dir="ltr"><br></div><div dir="ltr">When I say "working" versus "failing", I mean that this command will<br></div><div dir="ltr">give me a cipher suite and master key, but still drop the connection<br></div><div dir="ltr">because I'm not providing a client-certificate for these tests:<br></div><div dir="ltr"><br></div><div dir="ltr">$ openssl s_client -connect host:port<br></div><div dir="ltr"><br></div><div dir="ltr">2. I have a Java-based service that *is* able to connect through this<br></div><div dir="ltr">stunnel instance just fine. It's running on a recent version of Java 8.<br></div><div dir="ltr">My CLI client (not OpenSSL) is also running the same version. My CLI<br></div><div dir="ltr">client cannot connect. *weird* In both cases, I am using EC client<br></div><div dir="ltr">certificates, but the certificates are different from each other. Both<br></div><div dir="ltr">of these certificates are trusted by the server.<br></div><div dir="ltr"><br></div><div dir="ltr">3. When using OpenSSL 1.0.2t, I *can* connect, get the list of<br></div><div dir="ltr">acceptable client certificates, etc. even without providing a client<br></div><div dir="ltr">certificate.<br></div><div dir="ltr"><br></div><div dir="ltr">When using OpenSSL 1.1.1d, I can *not* connect.<br></div><div dir="ltr"><br></div><div dir="ltr">So perhaps the inside/outside networking thing I was thinking the<br></div><div dir="ltr">problem might be is incorrect.<br></div><div dir="ltr"><br></div><div dir="ltr">AFAIK, both versions of OpenSSL should be able to use EC certificates<br></div><div dir="ltr">and cipher suites.<br></div><div dir="ltr"><br></div><div dir="ltr">Thanks,<br></div><div dir="ltr">-chris<br></div><div dir="ltr"><br></div></div>
</div>
</div></body></html>