[stunnel-users] Exchange Online - SSLv3 and Sophos UTM 120 firewall update

Stephen Hogan shogan at mila.ie
Fri Oct 31 11:56:43 CET 2014


Hi Michal,

Thanks for making that a lot clearer!

You remind me of my college days (and nights!) when referring to finite state machines - I have a very good working knowledge of these as well! ;)

That's very good news... so I presume the line:

2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)

... is the confirmation that the TLS protocol is being used?


(Apologies for my delayed response - I was out of the office yesterday.)


Regards,
Stephen

________________________________________
From: stunnel-users <stunnel-users-bounces at stunnel.org> on behalf of Michal Trojnara <Michal.Trojnara at mirt.net>
Sent: 29 October 2014 16:14
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Exchange Online - SSLv3 and Sophos UTM 120 firewall update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen Hogan wrote:
> 2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write
> client hello A
[cut]
> I have a basic (shaky) understanding that the "handshake" for TLS
> does downgrade to SSLv3 if newer versions of TLS fail, but I am
> wondering if I apply the update recommended on the firewall, will
> this cut the communication for the SMTP relay, the way I am using
> it?

The debug messages produced by stunnel can sometimes be confusing.
They are intended to be helpful to developers, and not end-users.

OpenSSL implements the SSL/TLS/DTLS protocols with three separate
finite state machines: SSLv2, SSLv3, and DTLS1.
http://en.wikipedia.org/wiki/Automata-based_programming
All TLS protocols use the SSLv3 state machine, thus the state name
does not reflect the actual protocol being negotiated.

See the source for details:
https://github.com/openssl/openssl/blob/master/ssl/ssl_stat.c

Best regards,
        Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRREk8ACgkQ/NU+nXTHMtGLPwCgiA1tfq7LhNC600d5eVbWugLk
coUAn1mGA4mWBAchUu5+d6nYfxe0isgr
=p4hH
-----END PGP SIGNATURE-----
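Added example (not part of the original messages and not stunnel or OpenSSL code): a small Python check that reads stunnel log lines in the format quoted in this thread and reports the protocol from the "Negotiated ..." line, ignoring the "SSL state" names that always say SSLv3 for TLS connections. The sample log is constructed, and treating the bracketed number as one connection's id is an assumption of this sketch.

```python
import re

# Constructed sample in the log format quoted in this thread. Ids 4160 and
# 4164 are invented: one real SSLv3 negotiation, one unfinished handshake.
SAMPLE_LOG = """\
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server hello A
2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
2014.10.28 14:36:10 LOG7[4160]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:36:10 LOG6[4160]: Negotiated SSLv3 ciphersuite AES256-SHA (256-bit encryption)
2014.10.28 14:36:20 LOG7[4164]: SSL state (connect): SSLv3 write client hello A
"""

# "<date> <time> LOG<level>[<id>]: <message>"
LINE = re.compile(r"^\S+ \S+ LOG\d\[(\d+)\]: (.*)$")
# Only this message names the protocol version that was actually agreed.
NEGOTIATED = re.compile(r"^Negotiated (\S+) ciphersuite (\S+)")


def negotiated_protocols(log_text):
    """Map bracketed id -> (protocol, ciphersuite), or None if never negotiated."""
    result = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a stunnel log line in the expected format
        conn_id, message = m.groups()
        result.setdefault(conn_id, None)
        n = NEGOTIATED.match(message)
        if n:
            result[conn_id] = (n.group(1), n.group(2))
        # "SSL state (...): SSLv3 ..." lines are deliberately not inspected:
        # they name the OpenSSL state machine, not the protocol on the wire.
    return result


def sslv3_connections(log_text):
    """Ids whose negotiated protocol really was SSLv3."""
    found = negotiated_protocols(log_text)
    return sorted(c for c, v in found.items() if v and v[0] == "SSLv3")


if __name__ == "__main__":
    for conn_id, outcome in negotiated_protocols(SAMPLE_LOG).items():
        print(conn_id, outcome or "handshake not completed in this log")
    print("negotiated SSLv3:", sslv3_connections(SAMPLE_LOG))
```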