[stunnel-users] Réf. : Re: Réf. : Re: Réf. : Re: Réf. : Re: need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA

Leandro Avila leandro.avila at ymail.com
Wed May 4 18:58:51 CEST 2011


Hi Laurent,

Good to see you figured out the issue. I also learned more things myself.
Thanks Jose!

To my knowledge, cipher suites that use SHA-2 are part of the TLS 1.2 specification,
but I don't think OpenSSL has that implemented.

Cheers


----------------
Leandro Avila


________________________________
From: "laurent.uk at bnpparibas.com" <laurent.uk at bnpparibas.com>
To: josealf at rocketmail.com
Cc: stunnel-users at stunnel.org; stunnel-users-bounces at stunnel.org
Sent: Wednesday, May 4, 2011 11:02 AM
Subject: [stunnel-users] Réf. :  Re: Réf. :  Re: Réf. :  Re: Réf. :  Re:  need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA



Hi everyone, it's OK now. I have found the solution: I added the VeriSign root and
intermediate certificates to my CApath

and I use the -CApath option in s_client,

and now it's OK:

New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC-SHA
    Session-ID: XXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXXXX
    Key-Arg   : None
    Start Time: 1304524805
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

But I have another question:

How can I test SHA-2? I searched for the corresponding SHA-2 cipher but I didn't find it.

Thanks for your help. 

Regards,

Laurent UK





Laurent UK
Protocols Analyst
RBIS - DBF PBMF2
DOMAINE PMF202 ELECTRONIC FILES
41, rue de Valmy - 93100 Montreuil - ACI CME04B1 Bureau 4226
Tel: 01.58.16.86.45 (68645)

04/05/2011 15:36  To josealf at rocketmail.com
cc stunnel-users at stunnel.org, stunnel-users-bounces at stunnel.org
Subject Réf. :  Re: Réf. :  Re: Réf. :  Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA



Jose, thank you. I use my client certificate
but I have another error now:

1028202:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module .
System error: No such file or directory
1028202:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
Enter pass phrase for /opt/freeware/etc/stunnel/keystore/crl-3skey.pem:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts
   i:/O=SWIFT
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 2633 bytes and written 1732 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: XXXXXXXXXXXXXXXXXX
    Session-ID-ctx:
    Master-Key: XXXXXXXXXXXXXXXXXX
    Key-Arg   : None
    Start Time: 1304515751
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Do you know the reason for this error?

Maybe I have to add the first certificate file to a specific folder?

Regards,

Laurent UK





josealf at rocketmail.com
04/05/2011 15:09  To Laurent UK
cc stunnel-users at stunnel.org, stunnel-users-bounces at stunnel.org
Subject Re: Réf. :  Re: Réf. :  Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA




Laurent, 

We need to present a client certificate to the server. That's the important part missing.
Do that by adding -cert your_cert_filename to the command, like:

openssl s_client -ssl3 -state -cert your_client_cert_filename -connect your-stunnel-ip:10443

See http://www.openssl.org/docs/apps/s_client.html

Regards, 
Jose 

________________________________
From: "laurent.uk at bnpparibas.com"
<laurent.uk at bnpparibas.com>
To: josealf at rocketmail.com
Cc: stunnel-users at stunnel.org; stunnel-users-bounces at stunnel.org
Sent: Wed, May 4, 2011 6:55:19 AM
Subject: Réf. : Re: Réf. : Re: Réf. : Re: [stunnel-users] need help
error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA


Jose, thank you for your response. I use the openssl s_client command
but I have the following error:
1499296:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libz.so): Could not load module .
System error: No such file or directory
1499296:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=PARIS/L=PARIS/O=BNP PARIBAS/OU=RBIS_PMF202/CN=psp-exp.bnpparibas.com
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL3 alert write:warning:no certificate
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
1499296:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
1499296:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:


Is it normal?

Thanks.

Regards.

Laurent UK




josealf at rocketmail.com
04/05/2011 13:38

To Laurent UK
cc stunnel-users at stunnel.org, stunnel-users-bounces at stunnel.org
Subject Re: Réf. :  Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA






Laurent, 

Ideally, you should terminate the SSL connection on your final server.
But that's not the problem here. It should work as is.
Most likely the problem is in the client SSL software you are using to
connect to stunnel. The cipher you are trying to use, DES-CBC-SHA, works
with SSLv3 and TLSv1. Can you force your client to use those protocols?
Maybe it is trying to negotiate SSLv2. Also, are you sure it is speaking
SSL instead of plain text?

You can test your connection to the stunnel server with the openssl s_client command. Example:

openssl s_client -ssl3 -state -connect your-stunnel-ip:10443
openssl s_client -tls1 -state -connect your-stunnel-ip:10443

If this works, we have found the culprit.

Regards 

Jose 

________________________________
From: "laurent.uk at bnpparibas.com"
<laurent.uk at bnpparibas.com>
To: josealf at rocketmail.com
Cc: stunnel-users at stunnel.org; stunnel-users-bounces at stunnel.org
Sent: Wed, May 4, 2011 2:05:07 AM
Subject: Réf. : Re: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong
versionnumber with cipher DES-CBC-SHA


Jose,

I use 2 servers in my configuration:

the first one listens on port 10443 (where we receive encrypted
traffic from software using SSL),

and the second one listens on port 10016 (where we receive decrypted
traffic).

The first one receives the encrypted traffic, decrypts it and sends it
to the second server; that's why I only use server mode on my first server.

Do you think that I also need to change this configuration?

Regards,

Laurent UK



josealf at rocketmail.com
03/05/2011 19:18

To Laurent UK
cc stunnel-users at stunnel.org, stunnel-users-bounces at stunnel.org
Subject Re: Réf. :  Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA








Laurent, 

I'm not sure you are connecting the dots right.

I see a stunnel server configuration. In this case, your stunnel
is a front-end to a service you run on host XXXX port 10016. What is that
service? Is stunnel running on the same host? Note that if stunnel is not
running on the same host with IP XXXX, then you may have some traffic in
clear text on your network (from the device running stunnel to the device
hosting the service on port 10016).

You need a client to connect to the stunnel server. Unless your client
supports SSL natively, you should also have a stunnel running on your client
device with entries like these:

client=yes
[pestip]
accept = 10443
connect = Your-Stunnel-server-IP:10443

In this case your client app connects locally to port 10443, traffic is
encrypted and sent to your server listening on port 10443, where it is
decrypted and sent to IP XXXX port 10016.


Regards, 

Jose 



________________________________
From: "laurent.uk at bnpparibas.com"
<laurent.uk at bnpparibas.com>
To: josealf at rocketmail.com
Cc: stunnel-users at stunnel.org; stunnel-users-bounces at stunnel.org
Sent: Tue, May 3, 2011 10:48:11 AM
Subject: Réf. : Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong
versionnumber with cipher DES-CBC-SHA


Dear Jose,

Here is the configuration file of my stunnel:
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /opt/freeware/etc/stunnel/ca_nopass.pem
foreground = yes
syslog = yes
; Protocol version (all, SSLv2, SSLv3, TLSv1)
;sslVersion = SSLv2
sslVersion = all
;ciphers = DES-CBC-SHA
;ciphers = DES-CBC3-SHA:IDEA-CBC-MD5
; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /usr/local/stunnel/var/lib/stunnel
;chroot = /tmp/
;setuid = root
;setgid = other
; PID is created inside chroot jail
pid = /var/adm/stunnel_server_level1.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
;options = Options_SSL
; Authentication stuff
verify = 3
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /opt/freeware/etc/stunnel/CA_files/
; It's often easier to use CAfile
;CAfile = /opt/freeware/etc/stunnel/ca.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/stunnel/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7

; Use it for client mode
client = no
; Service-level configuration

[pesitip]
accept = 10443
connect = XXXXXXX:10016 




Thanks for your help.

Regards.

Laurent UK


josealf at rocketmail.com
03/05/2011 14:52

Please reply to
josealf at rocketmail.com

To Laurent UK, stunnel-users-bounces at stunnel.org,
stunnel-users at stunnel.org
cc
Subject Re: [stunnel-users] need help error :SSL3_GET_RECORD:wrong versionnumber with cipher DES-CBC-SHA










Laurent,

Can you post your configuration? For security, you should change the real
IPs (but not the ports) before posting.

You can check:

1. Does your stunnel client config have client=yes?
2. Does your stunnel server config have client=no?
3. Check your packet flow, that is: your accept/connect settings.

Regards
Jose
-----Original Message-----
From: laurent.uk at bnpparibas.com
Sender: stunnel-users-bounces at stunnel.org
Date: Tue, 3 May 2011 14:16:09 
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] need help error :SSL3_GET_RECORD:wrong version
             number with cipher DES-CBC-SHA

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users








This message and any attachments (the "message") is
intended solely for the addressees and is confidential. 
If you receive this message in error, please delete it and 
immediately notify the sender. Any use not in accord with 
its purpose, any dissemination or disclosure, either whole 
or partial, is prohibited except formal approval. The internet
can not guarantee the integrity of this message. 
BNP PARIBAS (and its subsidiaries) shall (will) not 
therefore be liable for the message if modified. 
Do not print this message unless it is necessary,
consider the environment.

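An added triage script for the s_client transcripts quoted in this thread. This is example code, not part of the thread and not from stunnel or OpenSSL. It parses the text that `openssl s_client -state` prints and reports the three things the thread turned on: a handshake that failed because the server requested a client certificate and none was sent (the alert 40 `handshake failure` that stunnel `verify = 2` or `3` produces), a `Verify return code: 21` because the issuer chain is missing from `-CApath`/`-CAfile`, and the hash used by the negotiated cipher suite (SHA-256/SHA-384 suites exist only from TLS 1.2 on, so they can only be tested with the `-tls1_2` option of OpenSSL 1.0.1 or later). The transcripts embedded in the script are constructed samples modelled on the thread's output, with shortened certificate names; the findings about single DES and SSLv3 being obsolete are the script's own caveats, not statements from the thread.

```python
"""Triage `openssl s_client -state` transcripts: added example, not code from
the thread above or from stunnel/OpenSSL; the transcripts are constructed."""
import re

# Constructed sample: server asks for a client certificate, none is sent,
# server replies with a fatal handshake_failure (alert number 40).
NO_CLIENT_CERT = """\
CONNECTED(00000003)
depth=0 /C=FR/O=Example/CN=gateway.example
verify error:num=20:unable to get local issuer certificate
verify return:1
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL3 alert write:warning:no certificate
SSL_connect:SSLv3 write client certificate A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
1499296:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1060:SSL alert number 40
"""

# Constructed sample: handshake completed but the chain could not be built.
UNTRUSTED_CHAIN = """\
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample: a SHA-2 suite, which only TLS 1.2 can negotiate.
TLS12_SHA2 = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
"""

# Hash named by the suffix of an OpenSSL suite name: the HMAC for CBC suites,
# the TLS 1.2 PRF for GCM/AEAD suites.  Longest suffix must be tried first.
_HASH_SUFFIXES = (("-SHA384", "SHA-384"), ("-SHA256", "SHA-256"), ("-SHA", "SHA-1"), ("-MD5", "MD5"))


def cipher_hash(cipher):
    """Return the hash algorithm an OpenSSL cipher-suite name ends with."""
    for suffix, name in _HASH_SUFFIXES:
        if cipher.endswith(suffix):
            return name
    return "unknown"


def parse_s_client(text):
    """Extract the handshake facts from an s_client transcript."""
    def first(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else None
    code = first(r"Verify return code:\s*(\d+)")
    return {
        "protocol": first(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": first(r"^\s*Cipher\s*:\s*(\S+)"),
        "verify_code": int(code) if code is not None else None,
        # X509 errors raised by the verify callback while building the chain
        "verify_errors": [int(n) for n in re.findall(r"verify error:num=(\d+)", text)],
        "cert_requested": "read server certificate request" in text,
        "no_client_cert": "alert write:warning:no certificate" in text,
        "fatal_alert": first(r"alert read:fatal:(.+)$"),
        "alert_number": first(r"SSL alert number (\d+)"),
    }


def diagnose(text):
    """Return findings for one transcript, most actionable first."""
    info = parse_s_client(text)
    findings = []
    if info["cert_requested"] and info["no_client_cert"] and info["fatal_alert"]:
        findings.append(
            "server requested a client certificate and none was sent; the fatal "
            "alert (%s, number %s) is what stunnel verify = 2 or 3 produces: "
            "pass -cert client.pem (and -key if the key is in a separate file)"
            % (info["fatal_alert"], info["alert_number"]))
    if info["verify_code"] == 21 or 21 in info["verify_errors"]:
        findings.append(
            "chain not built (X509 error 21): put the intermediate and root CA "
            "PEMs in -CApath (then run c_rehash on it) or bundle them into -CAfile")
    if info["cipher"]:
        findings.append("cipher %s uses %s" % (info["cipher"], cipher_hash(info["cipher"])))
        if info["cipher"].startswith("DES-CBC-"):
            findings.append("single DES has a 56-bit key: obsolete, do not rely on it")
    if info["protocol"] == "SSLv3":
        findings.append("SSLv3 negotiated: obsolete; use -tls1_2 and a SHA-2 suite instead")
    if info["verify_code"] == 0:
        findings.append("certificate chain verified")
    return findings


if __name__ == "__main__":
    for sample in (NO_CLIENT_CERT, UNTRUSTED_CHAIN, TLS12_SHA2):
        print("\n".join(diagnose(sample)), "\n")
```

Run it as a script to see the findings for the three samples, or pipe a real transcript into `diagnose()` (for example `diagnose(open("s_client.log").read())`). The suffix test is only a naming convention: it tells you which hash the suite name advertises, not whether the peer would accept a stronger one, so the real SHA-2 check remains a handshake with `-tls1_2` and a `-cipher` list restricted to SHA256/SHA384 suites.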

