[stunnel-users] Trouble after disabling SSLv3 (another one)

Koenraad Lelong stunnel at ace-electronics.be
Tue Oct 21 09:13:34 CEST 2014


Hi,

Last week I disabled SSLv3 on my stunnel-server. I thought I tested it, 
but this morning I had to use it and I couldn't get access.
Now at the office I tried again, with the same result. After enabling 
SSLv3 again I could get access. So my configuration seems wrong.
My server runs Ubuntu 12.04 LTS, stunnel is 4.42-1ubuntu (stock ubuntu).
This is my stunnel.conf (tunnels removed/edited):
client = no
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid
debug = debug
output = /var/log/stunnel4/stunnel.log

options = NO_SSLv2
options = NO_SSLv3

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CApath = /etc/stunnel-certs
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/lace3.keycrt

[tunnel vnc]
accept = 12345
connect = remotehost:5901


The log on the server:
2014.10.21 08:32:15 LOG7[28587:140281088546560]: Service tunnel vnc accepted FD=0 from 192.168.1.14:55708
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc started
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Option TCP_NODELAY set on local socket
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Waiting for a libwrap process
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Acquired libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Releasing libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Released libwrap process #0
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc permitted by libwrap from 192.168.1.14:55708
2014.10.21 08:32:15 LOG5[28587:140281088538368]: Service tunnel vnc accepted connection from 192.168.1.14:55708
2014.10.21 08:32:15 LOG7[28587:140281088538368]: SSL state (accept): before/accept initialization
2014.10.21 08:32:15 LOG7[28587:140281088538368]: SSL alert (write): fatal: handshake failure
2014.10.21 08:32:15 LOG3[28587:140281088538368]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2014.10.21 08:32:15 LOG5[28587:140281088538368]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.10.21 08:32:15 LOG7[28587:140281088538368]: Service tunnel vnc finished (0 left)
2014.10.21 08:32:15 LOG7[28587:140281088538368]: str_stats: 0 block(s), 0 byte(s)

The log on the client (openSUSE 13.1):
2014.10.21 08:47:47 LOG7[978:140089725433664]: local socket: FD=0 allocated (non-blocking mode)
2014.10.21 08:47:47 LOG7[978:140089725433664]: Service tunnel vnc accepted FD=0 from 127.0.0.1:39609
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc started
2014.10.21 08:47:47 LOG7[978:140089725630208]: Option TCP_NODELAY set on local socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: Waiting for a libwrap process
2014.10.21 08:47:47 LOG7[978:140089725630208]: Acquired libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Releasing libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Released libwrap process #0
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc permitted by libwrap from 127.0.0.1:39609
2014.10.21 08:47:47 LOG5[978:140089725630208]: Service tunnel vnc accepted connection from 127.0.0.1:39609
2014.10.21 08:47:47 LOG7[978:140089725630208]: remote socket: FD=1 allocated (non-blocking mode)
2014.10.21 08:47:47 LOG6[978:140089725630208]: connect_blocking: connecting 192.168.0.30:12345
2014.10.21 08:47:47 LOG7[978:140089725630208]: connect_blocking: s_poll_wait 192.168.0.30:13001: waiting 10 seconds
2014.10.21 08:47:47 LOG5[978:140089725630208]: connect_blocking: connected 192.168.0.30:12345
2014.10.21 08:47:47 LOG5[978:140089725630208]: Service tunnel vnc connected remote server from 192.168.1.14:55770
2014.10.21 08:47:47 LOG7[978:140089725630208]: Remote FD=1 initialized
2014.10.21 08:47:47 LOG7[978:140089725630208]: Option TCP_NODELAY set on remote socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL state (connect): before/connect initialization
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL state (connect): SSLv3 write client hello A
2014.10.21 08:47:47 LOG7[978:140089725630208]: SSL alert (read): fatal: handshake failure
2014.10.21 08:47:47 LOG3[978:140089725630208]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2014.10.21 08:47:47 LOG5[978:140089725630208]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2014.10.21 08:47:47 LOG7[978:140089725630208]: Service tunnel vnc finished (0 left)
2014.10.21 08:47:47 LOG7[978:140089725630208]: str_stats: 0 blocks, 0 bytes

Am I missing something?
I would like to stay with Ubuntu's standard packages.

Thanks for any advice.

Koenraad Lelong.
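The post above turns on the version the client actually offers in its ClientHello: the server's "SSL3_GET_CLIENT_HELLO:wrong version number" means the hello's version field was below what the server will still negotiate once SSLv3 is disabled, and OpenSSL's state name "SSLv3 write client hello A" is printed for TLS 1.x hellos as well, so the client log alone does not settle which version was sent. The following is an added example (not code from the original post or from the stunnel project) that parses the version fields out of a raw ClientHello record, maps stunnel `options = NO_...` lines to the lowest version the server still permits, and reports whether the handshake can succeed. The hello bytes are constructed inline for illustration; in practice capture them on the client host (e.g. with tcpdump) and feed them to `parse_client_hello`. All function names are hypothetical helpers.

```python
"""Added example: check the version a TLS/SSL ClientHello offers against what a
server with `options = NO_SSLv2` / `options = NO_SSLv3` will accept.
Hypothetical helper names; the ClientHello bytes are constructed here."""

import struct

VERSION_NAMES = {
    0x0200: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
    0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
VERSION_ORDER = sorted(VERSION_NAMES)
# stunnel option name -> version it disables
NO_OPTIONS = {
    "NO_SSLv2": 0x0200, "NO_SSLv3": 0x0300, "NO_TLSv1": 0x0301,
    "NO_TLSv1.1": 0x0302, "NO_TLSv1.2": 0x0303, "NO_TLSv1.3": 0x0304,
}
SUPPORTED_VERSIONS_EXT = 43  # RFC 8446 supported_versions


def parse_client_hello(data: bytes) -> dict:
    """Extract record-layer version, handshake client_version and, when the
    supported_versions extension is present, the exact list it offers."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                  # skip client_random
    pos += 1 + hello[pos]                         # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                         # compression_methods
    supported = []
    if pos + 2 <= len(hello):                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                supported = [struct.unpack("!H", edata[1 + i:3 + i])[0]
                             for i in range(0, n, 2)]
    return {"record_version": record_version,
            "client_version": client_version,
            "supported_versions": supported}


def server_min_version(options):
    """Lowest protocol version left enabled by a list of stunnel NO_* options."""
    disabled = {NO_OPTIONS[o] for o in options if o in NO_OPTIONS}
    for v in VERSION_ORDER:
        if v not in disabled:
            return v
    return None


def handshake_would_succeed(hello: dict, server_options) -> bool:
    """Pre-1.3 clients offer everything up to client_version; a 1.3 client
    lists versions explicitly.  Fail if nothing offered reaches server_min."""
    min_v = server_min_version(server_options)
    if min_v is None:
        return False
    if hello["supported_versions"]:
        return any(v >= min_v for v in hello["supported_versions"])
    return hello["client_version"] >= min_v


def build_client_hello(client_version: int, supported_versions=()) -> bytes:
    """Construct a minimal ClientHello record (one cipher suite, no SNI) so the
    parser can be exercised without a packet capture."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2) + b"\x00\x2f"    # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                           # null compression only
    if supported_versions:
        ext = bytes([2 * len(supported_versions)])
        ext += b"".join(struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    record_version = 0x0300 if client_version == 0x0300 else 0x0301
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs


if __name__ == "__main__":
    opts = ["NO_SSLv2", "NO_SSLv3"]             # the server config in the post
    for cv in (0x0300, 0x0301, 0x0303):
        h = parse_client_hello(build_client_hello(cv))
        print(VERSION_NAMES[cv], "hello ->",
              "ok" if handshake_would_succeed(h, opts) else "wrong version number")
```

With `NO_SSLv2` and `NO_SSLv3` set, only a hello whose `client_version` (or `supported_versions` list) reaches TLSv1.0 can complete; an SSLv3 hello (0x0300) is refused, which matches the server-side error in the post.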
