[stunnel-users] ssl3_get_record:wrong version number

Peter Pentchev roam at ringlet.net
Mon Jan 7 17:28:31 CET 2019

On Mon, Jan 07, 2019 at 02:53:24PM +0100, Moellers wrote:
> Hello,
> what I'm trying to accomplish is to build a secure RDP connection between my
> laptop and a server, which are in the same network but as RDP in itself is
> not secure enough I need the stunnel encryption.

So let's make sure that we are on the same page here.

RDP is an unencrypted protocol (though it does have some TLS extensions,
so maybe stunnel is not needed at all if your client can negotiate that,
although I've had some problems with xfreerdp in that regard), so in
order to connect from your laptop to an RDP server you will need two
stunnel instances:
- one on your laptop running in client mode ("client = yes"), accepting
  unencrypted connections on, say, port 3389, and connecting to the
  other stunnel instance
- one on the RDP server running in server mode (no "client = yes" line),
  accepting connections on the same port the other stunnel instance is
  configured to connect to and connecting to port 3389 of its local

Is this how you have them configured?  Pay particular attention to
the "client = yes/no" setting and the port numbers for each stunnel instance.

Once you have that, you should be able to establish an unencrypted
connection to the stunnel instance running on your laptop and listening
on port 3389, then it should establish an encrypted connection to
the other stunnel instance, then the latter should establish an unencrypted
connection to the actual RDP server.

> As of now I can establish a connection but as soon as I try to start an RDP
> connection I get the following message:
> SSL_accept: 1408F10B: error:1408F10B:SSL routines:ssl3_get_record:wrong
> version number

This may sometimes indicate stunnel trying to establish an encrypted
connection or to listen for an encrypted connection, and somebody else
sending unencrypted data to it.  Can you double-check your configuration
as per my notes above?

Hope that helps at least a bit!


Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
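
An added example, not part of the message above or of stunnel itself: a small classifier for the first bytes of a connection, showing what a TLS record parser sees when plaintext RDP (a TPKT header plus an X.224 Connection Request) arrives on a port that expects TLS. The function names and both sample byte strings are constructed for illustration.

```python
import struct

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

def _rdp_sample() -> bytes:
    # Constructed: X.224 Connection Request (code 0xE0) with a demo cookie,
    # wrapped in a TPKT header (version 3, reserved 0, 16-bit total length).
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + b"Cookie: mstshash=demo\r\n"
    body = bytes([len(x224)]) + x224
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body

SAMPLE_RDP = _rdp_sample()
# Constructed: start of a TLS handshake record carrying a ClientHello.
SAMPLE_TLS = bytes.fromhex("1603010200010001fc0303")

def tls_header_view(data: bytes):
    """Read the bytes the way a TLS record parser does: (content type, version)."""
    ctype, version = struct.unpack(">BH", data[:3])
    return ctype, version

def classify_first_bytes(data: bytes) -> str:
    if len(data) < 6:
        return "too-short"
    ctype, version = tls_header_view(data)
    if ctype in TLS_CONTENT_TYPES and 0x0300 <= version <= 0x0304:
        return "tls-record"
    if data[0] == 3 and data[1] == 0 and data[5] == 0xE0:
        return "plaintext-rdp"
    return "unknown-plaintext"

def explain(listener_expects_tls: bool, data: bytes) -> str:
    """Report whether the peer's first bytes match what the listener expects."""
    kind = classify_first_bytes(data)
    if kind == "too-short":
        return "need more data"
    if listener_expects_tls and kind != "tls-record":
        ctype, version = tls_header_view(data)
        return (f"mismatch: TLS listener got {kind}; "
                f"parsed as type {ctype}, version 0x{version:04x}")
    if not listener_expects_tls and kind == "tls-record":
        return "mismatch: plaintext listener got a TLS record"
    return "ok"

if __name__ == "__main__":
    # A server-mode stunnel port receiving raw RDP instead of TLS:
    print(explain(True, SAMPLE_RDP))
    # The same port receiving what the client-mode stunnel would send:
    print(explain(True, SAMPLE_TLS))
```

The TPKT header's leading `03 00 00` lands exactly where a TLS parser expects the content type and protocol version, so the version field reads as 0x0000, which no TLS version uses.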