[stunnel-users] exclusively TLS
jesse.small at hxti.com
Tue Jan 24 16:44:14 CET 2006
I've been working through the same problem as John, but I tried using Jan's
solution by setting the options and still haven't been able to get it to
On server1 I am running openssl s_server with tls-only specified:
openssl s_server -accept 8443 -cert XDS_REG_HXTI.cer -key hxti1.key -tls1
On the client side (server2), I have stunnel set up as a client listening on
localhost port 8100, and forwarding over to server1, port 8443. Then to
test I run 'telnet localhost 8100' and see the error message from s_server:
16656:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version
shutting down SSL
In my stunnel.log file I can see this error message:
SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
So to me it still seems to be sending out a client hello in sslv3, despite
my efforts to the contrary. Below are the pertinent parts of my
stunnel_client.conf file. Any help you could give would be greatly
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
options = NO_SSLv2
options = NO_SSLv3
accept = 8100
connect = devapp:8443
From: Jan Meijer [mailto:jan.meijer at surfnet.nl]
Sent: Friday, January 20, 2006 5:20 PM
To: Moehrke, John (GE Healthcare)
Cc: stunnel-users at mirt.net
Subject: RE: [stunnel-users] exclusively TLS
On Fri, 20 Jan 2006, Moehrke, John (GE Healthcare) wrote:
> It is not the list of ciphers that I want to choose from. We are
> using a select set of ciphers and that seems to be working fine. My
> problem is that when stunnel connects to the server it is trying
> and this causes an error as the server is only supporting TLS. I could
> easily be wrong...
Ah, that way.
options = SSL_options
OpenSSL library options
The parameter is the OpenSSL option name as described in the
SSL_CTX_set_options(3ssl) manual, but without SSL_OP_ prefix. Several
options can be used to specify multiple options.
For example for compatibility with erroneous Eudora SSL
the following option can be used:
options = DONT_INSERT_EMPTY_FRAGMENTS
Check the SSL_CTX_set_options manpage, it says -amongst other things-:
Do not use the SSLv2 protocol.
Do not use the SSLv3 protocol.
Do not use the TLSv1 protocol.
That ought to do the trick I'd say.
Let us know if it did :)
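The two log lines quoted at the top of this thread are the two sides of one failed handshake: s_server rejected the ClientHello version locally, and the stunnel side then received the handshake_failure alert the server sent back. The packed 8-hex-digit codes say this directly once decoded. The script below is an added example, not code from the thread or from stunnel; it assumes the OpenSSL 0.9.x/1.0.x error-code layout (8-bit library, 12-bit function, 12-bit reason, with SSL-library reasons of 1000 and above meaning "received alert N"), and the alert numbers are the standard ones from RFC 2246/5246. The sample input is the thread's own two lines, rejoined onto single lines.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample input: the two log lines quoted in the thread above,
# the s_server one with its leading process id and the stunnel one joined
# back onto a single line.
SAMPLE_LOG_LINES = [
    "16656:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version",
    "SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:"
    "sslv3 alert handshake failure",
]

# Assumed layout of an OpenSSL 0.9.x/1.0.x packed error code as printed by
# ERR_error_string(): 8 hex digits = 8-bit library | 12-bit function | 12-bit reason.
# OpenSSL 3.x packs codes differently (no function field), so this decoder
# must not be applied to 3.x output.
ERR_LIB_SSL = 0x14            # ERR_LIB_SSL is 20 in OpenSSL's err.h
SSL_AD_REASON_OFFSET = 1000   # SSL reasons >= 1000 mean "peer sent alert (reason - 1000)"

# TLS alert descriptions (RFC 2246 / RFC 5246, section 7.2).
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}

# error:<8 hex>:<library text>:<function text>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


class OpenSSLError(NamedTuple):
    code: int
    library: int
    function: int
    reason: int
    lib_text: str
    func_text: str
    reason_text: str
    alert: Optional[int]   # TLS alert number when the reason encodes an alert from the peer


def decode_error(line: str) -> Optional[OpenSSLError]:
    """Split one ERR_error_string()-style line into its numeric fields."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    library = code >> 24
    function = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if library == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return OpenSSLError(code, library, function, reason,
                        m.group(2), m.group(3), m.group(4).strip(), alert)


def alert_name(alert: Optional[int]) -> Optional[str]:
    """Map a TLS alert number to its RFC name (or a labelled unknown)."""
    if alert is None:
        return None
    return TLS_ALERT_NAMES.get(alert, f"unknown_alert_{alert}")


def explain(line: str) -> str:
    """One-line interpretation: did this side fail locally, or did the peer refuse?"""
    err = decode_error(line)
    if err is None:
        return "not an OpenSSL error line"
    if err.alert is not None:
        return (f"peer sent TLS alert {err.alert} ({alert_name(err.alert)}) "
                f"while this side was in {err.func_text}")
    return f"local failure in {err.func_text}: {err.reason_text} (reason {err.reason})"


def analyze(lines: List[str]) -> List[str]:
    """Interpret every line of a log excerpt; non-error lines are reported as such."""
    return [explain(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG_LINES, analyze(SAMPLE_LOG_LINES)):
        print(line)
        print("  ->", verdict)
```

Run as-is, it reports the s_server line as a local "wrong version" failure in SSL3_GET_CLIENT_HELLO and the stunnel line as alert 40 (handshake_failure) received from the peer. That split is the check worth making before touching the configuration again: an alert-range reason on the client side means the server made the decision, so the version the client actually put on the wire is what to look at next (for example with a packet capture of the ClientHello), not the client's own cipher or certificate settings.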