Hi Michal,

Thanks for making that a lot clearer!

You remind me of my college days (and nights!) when referring to finite state machines - I have a very good working knowledge of these as well! ;)

That's very good news... so I presume the line:

2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)

... is the confirmation that the TLS protocol is being used?


(Apologies for my delayed response - I was out of the office yesterday.)


Regards,
Stephen

________________________________________
From: stunnel-users <[email protected]> on behalf of Michal Trojnara <[email protected]>
Sent: 29 October 2014 16:14
To: [email protected]
Subject: Re: [stunnel-users] Exchange Online - SSLv3 and Sophos UTM 120 firewall update

Stephen Hogan wrote:
> 2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write
> client hello A
[cut]
> I have a basic (shaky) understanding that the "handshake" for TLS
> does downgrade to SSLv3 if newer versions of TLS fail, but I am
> wondering if I apply the update recommended on the firewall, will
> this cut the communication for the SMTP relay, the way I am using
> it?

The debug messages produced by stunnel can sometimes be confusing.
They are intended to be helpful to developers, and not end-users.

OpenSSL implements the SSL/TLS/DTLS protocols with three separate
finite state machines: SSLv2, SSLv3, and DTLS1.
http://en.wikipedia.org/wiki/Automata-based_programming
All TLS protocols use the SSLv3 state machine, thus the state name
does not reflect the actual protocol being negotiated.

See the source for details:
https://github.com/openssl/openssl/blob/master/ssl/ssl_stat.c

Best regards,
        Mike

Stephen Hogan   |   System Administrator   |   Mila Limited
Kilbarrack Industrial Estate, Kilbarrack, Dublin 5, IRELAND
Tel: +353 (0)1 839 0402   |   Fax: +353 (0)1 839 0589
Email: [email protected]   |   Web: www.mila.ie

Company Reg. No. 143406. Registered address: 24/26 City Quay, Dublin 2, Ireland.
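
The following is an added example, not code from either poster or from the stunnel project. It audits a stunnel log by reading only the "Negotiated ... ciphersuite" lines, because the "SSL state" lines name OpenSSL's state machine rather than the protocol in use. The line layout is inferred from the two log lines quoted in this thread; the sample session on connection 5012 is constructed, and it is an assumption that an SSLv3 session would be logged as "Negotiated SSLv3 ciphersuite ...".

```python
import re

# Line layout inferred from the two stunnel log lines quoted in this thread.
LINE = re.compile(r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) "
                  r"LOG(?P<level>\d)\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$")
NEGOTIATED = re.compile(r"^Negotiated (?P<proto>\S+) ciphersuite (?P<cipher>\S+)")
LEGACY = {"SSLv2", "SSLv3"}  # protocol versions the audit should flag

# Constructed sample. Lines 1 and 3 are quoted in the thread; the rest,
# including the SSLv3 session on connection 5012, are made up for the demo.
SAMPLE = """\
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server hello A
2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
2014.10.28 14:40:02 LOG7[5012]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:40:02 LOG6[5012]: Negotiated SSLv3 ciphersuite AES256-SHA (256-bit encryption)
"""

def parsed_lines(log_text):
    """Yield a regex match for every line that fits the stunnel layout."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m

def negotiated_sessions(log_text):
    """One record per 'Negotiated' line; 'SSL state' lines are ignored."""
    sessions = []
    for line in parsed_lines(log_text):
        neg = NEGOTIATED.match(line["msg"])
        if neg:
            sessions.append({"ts": line["ts"], "conn": line["conn"],
                             "proto": neg["proto"], "cipher": neg["cipher"]})
    return sessions

def legacy_sessions(log_text):
    """Sessions whose negotiated protocol really is SSLv2 or SSLv3."""
    return [s for s in negotiated_sessions(log_text) if s["proto"] in LEGACY]

def misleading_state_lines(log_text):
    """Count debug lines that say 'SSLv3' only as a state-machine name."""
    return sum(1 for line in parsed_lines(log_text)
               if line["msg"].startswith("SSL state") and "SSLv3" in line["msg"])

if __name__ == "__main__":
    print("state lines mentioning SSLv3:", misleading_state_lines(SAMPLE))
    for s in negotiated_sessions(SAMPLE):
        flag = "LEGACY" if s["proto"] in LEGACY else "ok"
        print(s["ts"], s["conn"], s["proto"], s["cipher"], flag)
```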

