RE: "SSL3_GET_RECORD:wrong version number"
Hello,
> Thanks for the info. Is it possible that the client is using version 3
> while the server is using some other version? I'm seeing this
> error("error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number") in my client and I'm pretty sure that I'm setting the client's
> version to 3. However I have no control/visibility to the server to
> confirm what version they're running. Does the "3" in the
> "SSL3_GET_RECORD" confirm that I'm using version 3? I'll do an iptrace
> next to see if I can confirm my version. Thanks again!
No, this "3" means that this is an error from routines which are capable
of getting SSL3 and TLS1 records, but the real protocol version is not
visible in this message.
You may try to experiment with the openssl s_client command.
For example, I have a web server which only uses the SSL3 version
(but, as we will see, understands the SSL2 client_hello packet).
When connecting with openssl s_client I have:
(no protocol option, SSL2 client_hello sent to begin handshake)
$ openssl s_client -connect noded:443
SSL-Session:
Protocol : SSLv3
Cipher: RC4-MD5
(only SSL2 enabled, SSL2 client_hello sent to begin handshake)
$ openssl s_client -connect noded:443 -ssl2
CONNECTED(0003)
17362:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake
failure:s2_pkt.c:428:
(only SSL3 enabled, SSL3 client_hello sent to begin handshake)
$ openssl s_client -connect noded:443 -ssl3
SSL-Session:
Protocol : SSLv3
Cipher: RC4-MD5
(only TLS1 enabled, TLS1 client_hello sent to begin handshake)
$ openssl s_client -connect noded:443 -tls1
CONNECTED(0003)
17373:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:288:
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
__
OpenSSL Project http://www.openssl.org
User Support Mailing [email protected]
Automated List Manager [EMAIL PROTECTED]
RE: "SSL3_GET_RECORD:wrong version number"
Marek,
Thanks for the info. Is it possible that the client is using version 3
while the server is using some other version? I'm seeing this
error("error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number") in my client and I'm pretty sure that I'm setting the client's
version to 3. However I have no control/visibility to the server to
confirm what version they're running. Does the "3" in the
"SSL3_GET_RECORD" confirm that I'm using version 3? I'll do an iptrace
next to see if I can confirm my version. Thanks again!
Carlo Agopian
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Saturday, October 14, 2006 10:58 AM
To: [email protected]
Subject: Re: "SSL3_GET_RECORD:wrong version number"
Hello,
> Yesterday I finally upgraded to openssl 0.9.8d. But in my stunnel
> process (using the Openssl libraries), indicating SSLv3, I now get
> errors, like:
>
> "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"
>
> A most elusive error, it seems. Google mentions it a couple of times,
> but nothing relevant.
>
> What could cause this error? "wrong version number" where? In the
> cert/key?
No.
> Between the client/server?
Yes.
> I do not understand.
Versions in client/server SSL records do not agree.
Probably your client sends an SSL2 client_hello handshake message and
the server is configured only for SSL3/TLS1.
In this situation the server does not accept the SSL2 client_hello, which
is manifested by the "wrong version number" error.
To resolve this error you may disable SSL2 on the client or enable the SSL2
handshake on the server.
tcpdump output from the wrong session handshake may be helpful too.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
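The replies above trace "wrong version number" to what the record layer reads first: an SSL2 client_hello, or a record whose version is not the one expected. As an added example (not OpenSSL's code and not from the posters), this C program classifies the first five bytes a peer sends, and goes one step further by also covering bytes that are not SSL/TLS framing at all. All identifiers and sample bytes are constructed for illustration.

```c
/* Added example: triage of the first bytes seen on an SSL/TLS connection.
 * A simplified model for reading captures, not OpenSSL's s3_pkt.c. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum fb_kind {
    FB_TOO_SHORT,         /* fewer than 5 bytes: cannot judge yet */
    FB_SSL2_CLIENT_HELLO, /* SSLv2-compatible client_hello (2-byte header) */
    FB_RECORD_OK,         /* SSL3/TLS record carrying the expected version */
    FB_RECORD_MISMATCH,   /* SSL3/TLS record, but another 3.x version */
    FB_NOT_A_RECORD       /* no SSL/TLS framing, e.g. plaintext on the socket */
};

struct fb_info {
    enum fb_kind kind;
    uint8_t major, minor; /* version found in the header, if any */
    uint16_t length;      /* payload length announced by the header */
};

#define MAX_RECORD_LEN (16384 + 2048) /* upper bound for a protected record */

/* expect_minor: 0 for SSL3 (3.0), 1 for TLS1 (3.1). */
struct fb_info classify_first_bytes(const uint8_t *b, size_t n, uint8_t expect_minor)
{
    struct fb_info r = { FB_NOT_A_RECORD, 0, 0, 0 };

    if (n < 5) {
        r.kind = FB_TOO_SHORT;
        return r;
    }
    /* SSL2 header: high bit set, 15-bit length, then message type 1
     * (CLIENT-HELLO) followed by the highest version the client offers. */
    if ((b[0] & 0x80) && b[2] == 0x01) {
        r.kind = FB_SSL2_CLIENT_HELLO;
        r.length = (uint16_t)(((b[0] & 0x7f) << 8) | b[1]);
        r.major = b[3];
        r.minor = b[4];
        return r;
    }
    /* SSL3/TLS header: content type 20..23, major version 3, 16-bit length. */
    if (b[0] >= 20 && b[0] <= 23 && b[1] == 3) {
        r.major = b[1];
        r.minor = b[2];
        r.length = (uint16_t)((b[3] << 8) | b[4]);
        if (r.length > MAX_RECORD_LEN)
            return r; /* implausible length: treat as garbage */
        r.kind = (r.minor == expect_minor) ? FB_RECORD_OK : FB_RECORD_MISMATCH;
        return r;
    }
    return r;
}

/* 1 if a reader that accepts only SSL3/TLS records of the expected version
 * would stop at the version check for this kind of input. */
int rejected_by_strict_reader(enum fb_kind k)
{
    return k == FB_SSL2_CLIENT_HELLO || k == FB_RECORD_MISMATCH ||
           k == FB_NOT_A_RECORD;
}

static const char *fb_name(enum fb_kind k)
{
    switch (k) {
    case FB_TOO_SHORT:         return "too short";
    case FB_SSL2_CLIENT_HELLO: return "SSL2-compatible client_hello";
    case FB_RECORD_OK:         return "SSL3/TLS record, expected version";
    case FB_RECORD_MISMATCH:   return "SSL3/TLS record, other version";
    default:                   return "not an SSL/TLS record";
    }
}

/* Constructed sample bytes (not taken from a capture). */
static const uint8_t SAMPLE_SSL2_HELLO[]     = { 0x80, 0x2e, 0x01, 0x03, 0x01 };
static const uint8_t SAMPLE_TLS1_HANDSHAKE[] = { 0x16, 0x03, 0x01, 0x00, 0x4a };
static const uint8_t SAMPLE_SSL3_ALERT[]     = { 0x15, 0x03, 0x00, 0x00, 0x02 };
static const uint8_t SAMPLE_PLAINTEXT[]      = { 'H', 'E', 'L', 'L', 'O', '\r', '\n' };

int main(void)
{
    const struct { const char *label; const uint8_t *b; size_t n; } s[] = {
        { "SSL2 hello",     SAMPLE_SSL2_HELLO,     sizeof SAMPLE_SSL2_HELLO },
        { "TLS1 handshake", SAMPLE_TLS1_HANDSHAKE, sizeof SAMPLE_TLS1_HANDSHAKE },
        { "SSL3 alert",     SAMPLE_SSL3_ALERT,     sizeof SAMPLE_SSL3_ALERT },
        { "plaintext",      SAMPLE_PLAINTEXT,      sizeof SAMPLE_PLAINTEXT },
    };
    size_t i;

    /* The reader in this run expects TLS1 (3.1), as with "s_client -tls1". */
    for (i = 0; i < sizeof s / sizeof s[0]; i++) {
        struct fb_info r = classify_first_bytes(s[i].b, s[i].n, 1);
        printf("%-15s %-35s version %u.%u length %u rejected=%d\n",
               s[i].label, fb_name(r.kind), (unsigned)r.major,
               (unsigned)r.minor, (unsigned)r.length,
               rejected_by_strict_reader(r.kind));
    }
    return 0;
}
```

Run it against the first five bytes of each direction in a capture to see which side departs from the expected framing.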
Re: SSL3_GET_RECORD:wrong version number
A quick update on this issue. After digging through some untouched code, I discovered that the server was writing data directly to the port instead of the SSL_SOCK_Stream. Problem solved. Thanks for all of your help.
On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> Hello,
> > Hrm... ssldump fails during the handshake with a 'Length Mismatch"
> > error with the xX options. Here is the output;
Re: SSL3_GET_RECORD:wrong version number
Hello,
> Hrm... ssldump fails during the handshake with a 'Length Mismatch"
> error with the xX options. Here is the output;
Re: SSL3_GET_RECORD:wrong version number
On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> This TLS1 looks good, but sorry I've forget xX options,
> so output from "ssldump -aAdNxX" should give more information
> (SSL packet dump) with ending error.
Hrm... ssldump fails during the handshake with a 'Length Mismatch"
error with the xX options. Here is the output;
New TCP connection #5: localhost.localdomain(53503) <-> localhost.localdomain(5758)
5 1 0.0024 (0.0024) C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  Unknown value 0x33
  Unknown value 0x32
  Unknown value 0x2f
  TLS_RSA_WITH_IDEA_CBC_SHA
  SSL2_CK_IDEA
  SSL2_CK_RC2
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC4
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC2_EXPORT40
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC4_EXPORT40
5 2 0.0053 (0.0029) S>C V3.1(74) Handshake
  ServerHello
    Version 3.1
    random[32]=
      45 7d b0 b3 87 26 d8 05 b8 27 68 85 01 f5 5e 59
      8a 67 d1 ac 3d 94 bc d6 45 c4 f0 42 7a a1 60 ec
    session_id[32]=
      2e ab ad 61 fe 1e 47 6a f2 a2 0f 06 c9 61 23 13
      d1 4f 24 e4 5f f3 89 ea 25 8c 90 2d ea b7 fa aa
    cipherSuite Unknown value 0x35
    compressionMethod NULL
5 3 0.0053 (0.) S>C V3.1(889) Handshake
  Certificate
    Subject
      C=US
      ST=Illinois
      L=Chicago
      O=Blah
      CN=BLAH-SRV-BLAH
      [EMAIL PROTECTED]
    Issuer
      C=US
      ST=Illinois
      L=Chicago
      O=Blah
      CN=BLAH-SRV-BLAH
      [EMAIL PROTECTED]
    Serial 00
    Extensions
      Extension: X509v3 Subject Key Identifier
      Extension: X509v3 Authority Key Identifier
      Extension: X509v3 Basic Constraints
Re: SSL3_GET_RECORD:wrong version number
Hello,
> On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> > Can you send ssldump with -aAdN options ?
> Certainly. (Certificate details have been obfuscated)
This TLS1 looks good, but sorry I've forget xX options,
so output from "ssldump -aAdNxX" should give more information
(SSL packet dump) with ending error.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
Re: SSL3_GET_RECORD:wrong version number
On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> Can you send ssldump with -aAdN options ?
Certainly. (Certificate details have been obfuscated)
New TCP connection #8: localhost.localdomain(48429) <-> localhost.localdomain(5758)
8 1 0.0028 (0.0028) C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  Unknown value 0x39
  Unknown value 0x38
  Unknown value 0x35
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_3DES
  Unknown value 0x33
  Unknown value 0x32
  Unknown value 0x2f
  TLS_RSA_WITH_IDEA_CBC_SHA
  SSL2_CK_IDEA
  SSL2_CK_RC2
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5
  SSL2_CK_RC4
  TLS_DHE_RSA_WITH_DES_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC2_EXPORT40
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  SSL2_CK_RC4_EXPORT40
8 2 0.0053 (0.0025) S>C V3.1(74) Handshake
  ServerHello
    Version 3.1
    random[32]=
      45 7d a0 8b 4b e8 ae 91 c7 13 a2 53 cd 21 70 02
      e6 61 f7 ef 52 12 14 c5 ab 0f 1c b7 59 b3 46 28
    session_id[32]=
      c8 c6 12 12 89 c2 01 42 63 24 db e6 83 5f 98 ac
      23 f6 80 92 ec d0 5d d4 23 6a 47 e7 dc b9 21 4b
    cipherSuite Unknown value 0x35
    compressionMethod NULL
8 3 0.0053 (0.) S>C V3.1(889) Handshake
  Certificate
    Subject
      C=US
      ST=Illinois
      L=Chicago
      O=Blah
      CN=BLAH-SRV-BLAH
      [EMAIL PROTECTED]
    Issuer
      C=US
      ST=Illinois
      L=Chicago
      O=Blah
      CN=BLAH-SRV-BLAH
      [EMAIL PROTECTED]
    Serial 00
    Extensions
      Extension: X509v3 Subject Key Identifier
      Extension: X509v3 Authority Key Identifier
      Extension: X509v3 Basic Constraints
8 4 0.0053 (0.) S>C V3.1(4) Handshake
  ServerHelloDone
8 5 0.0217 (0.0163) C>S V3.1(134) Handshake
  ClientKeyExchange
8 6 0.0611 (0.0393) C>S V3.1(1) ChangeCipherSpec
8 7 0.0611 (0.) C>S V3.1(48) Handshake
8 8 0.0615 (0.0004) S>C V3.1(1) ChangeCipherSpec
8 9 0.0615 (0.) S>C V3.1(48) Handshake
Re: SSL3_GET_RECORD:wrong version number
Hello,
Can you send ssldump with -aAdN options ?
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
Re: SSL3_GET_RECORD:wrong version number
Hello,
> On Mon, Dec 11, 2006 at 10:48:34AM -0600, chris busbey wrote:
> > On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> > >> It almost seems like the server is accepted SSL3 msgs, but sending out
> > >> another protocol type. Any suggestions?
> > >If you using Linux, can you send ssldump or wireshark dump
> > >of this session.
> >
> > Here is an ssldump of s_client connecting to my server. I am getting
> > a "Length mismatch" error following the client key exchange. In this
> > run, the server ctx is set to receive SSLv23, the ssl on s_client was
> > not specified. Would the Length Mismatch indicate a bad key?
>
> Is either the server or the client using OpenSSL 0.9.8a or 0.9.8b, if
> compiled with zlib support, and all bug work-arounds are enabled via
> SSL_OP_ALL, you will run into problems, this is fixed in 0.9.8c and
> later.
This bug was for TLS1 and here we have SSL3 established.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
Re: SSL3_GET_RECORD:wrong version number
> > Another trial forcing tls1 on both sides of the connection did not
> > result in the above "Length Mismatch" error. Here is the output of
> > that trial's ssl dump. Any thoughts?
> This one did not offer the extra "unknown" (presumably "zlib") compression.
Ah, yes. It seems that I was using the s_client 0.9.7a in the last trial regardless, the same "wrong version number" error was produced when using s_client 0.9.8d. Here is the trial using 0.9.8d. Still getting the unknown SSL content type, followed by alert.
New TCP connection #1333: localhost.localdomain(46983) <-> localhost.localdomain(5758)
1333 1 0.0024 (0.0024) C>S V3.1(84) Handshake
  ClientHello
    Version 3.1
    random[32]=
      45 7d 9b e3 b9 fb bb 4d 4b d0 1c d8 51 0b 1c 3e
      50 5c 3a cc f9 8b e9 96 b9 0a 7e 6a 22 43 32 b3
    cipher suites
    Unknown value 0x39
    Unknown value 0x38
    Unknown value 0x35
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    Unknown value 0x33
    Unknown value 0x32
    Unknown value 0x2f
    TLS_RSA_WITH_IDEA_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_DHE_RSA_WITH_DES_CBC_SHA
    TLS_DHE_DSS_WITH_DES_CBC_SHA
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    compression methods
      unknown value
      NULL
1333 2 0.0073 (0.0048) S>C V3.1(74) Handshake
  ServerHello
    Version 3.1
    random[32]=
      45 7d 9b e3 24 39 a3 fd e2 24 33 9a 47 31 72 82
      ad 34 e0 53 b2 a1 97 4f 45 51 a5 43 66 8e 43 81
    session_id[32]=
      33 7f 47 05 02 24 a8 10 20 df 51 69 0b 0f 05 3d
      06 73 37 0e 77 1a 06 bc 40 65 f8 f7 06 f8 8d d6
    cipherSuite Unknown value 0x35
    compressionMethod unknown value
1333 3 0.0073 (0.) S>C V3.1(889) Handshake
  Certificate
1333 4 0.0073 (0.) S>C V3.1(4) Handshake
  ServerHelloDone
1333 5 0.0140 (0.0066) C>S V3.1(134) Handshake
  ClientKeyExchange
1333 6 0.0539 (0.0399) C>S V3.1(1) ChangeCipherSpec
1333 7 0.0539 (0.) C>S V3.1(48) Handshake
1333 8 0.0561 (0.0022) S>C V3.1(1) ChangeCipherSpec
1333 9 0.0561 (0.) S>C V3.1(48) Handshake
1333 10 3.1262 (3.0700) C>S V3.1(32) application_data
Unknown SSL content type 0
1333 11 3.1289 (0.0027) C>S V44.0(32) Alert
1333 3.1294 (0.0005) C>S TCP RST
Re: SSL3_GET_RECORD:wrong version number
On Mon, Dec 11, 2006 at 11:01:22AM -0600, chris busbey wrote:
> On 12/11/06, chris busbey <[EMAIL PROTECTED]> wrote:
> >On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> >> > It almost seems like the server is accepted SSL3 msgs, but sending out
> >> > another protocol type. Any suggestions?
> >> If you using Linux, can you send ssldump or wireshark dump
> >> of this session.
> >
> >Here is an ssldump of s_client connecting to my server. I am getting
> >a "Length mismatch" error following the client key exchange. In this
> >run, the server ctx is set to receive SSLv23, the ssl on s_client was
> >not specified. Would the Length Mismatch indicate a bad key?
>
> Another trial forcing tls1 on both sides of the connection did not
> result in the above "Length Mismatch" error. Here is the output of
> that trial's ssl dump. Any thoughts?
>
> New TCP connection #67: localhost.localdomain(42489) <-> localhost.localdomain(5758)
> 67 1 0.0032 (0.0032) C>S V3.1(95) Handshake
>   ClientHello
>     Version 3.1
>     random[32]=
>       45 7d 8d 96 89 31 b1 d3 cf 44 80 ae 06 eb 1d ac
>       48 d0 8e bd 96 b5 b8 da c9 cc c0 0c e5 6a ec d7
>     cipher suites
>     Unknown value 0x39
>     Unknown value 0x38
>     Unknown value 0x35
>     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>     TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>     TLS_RSA_WITH_3DES_EDE_CBC_SHA
>     Unknown value 0x33
>     Unknown value 0x32
>     Unknown value 0x2f
>     TLS_DHE_DSS_WITH_RC4_128_SHA
>     TLS_RSA_WITH_RC4_128_SHA
>     TLS_RSA_WITH_RC4_128_MD5
>     TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
>     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>     TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
>     TLS_DHE_RSA_WITH_DES_CBC_SHA
>     TLS_DHE_DSS_WITH_DES_CBC_SHA
>     TLS_RSA_WITH_DES_CBC_SHA
>     TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
>     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>     TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
>     TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>     TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>     TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
>     TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>     TLS_RSA_EXPORT_WITH_RC4_40_MD5
>     compression methods
>       NULL
This one did not offer the extra "unknown" (presumably "zlib") compression.
--
Viktor.
Re: SSL3_GET_RECORD:wrong version number
On Mon, Dec 11, 2006 at 10:48:34AM -0600, chris busbey wrote:
> On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> >> It almost seems like the server is accepted SSL3 msgs, but sending out
> >> another protocol type. Any suggestions?
> >If you using Linux, can you send ssldump or wireshark dump
> >of this session.
>
> Here is an ssldump of s_client connecting to my server. I am getting
> a "Length mismatch" error following the client key exchange. In this
> run, the server ctx is set to receive SSLv23, the ssl on s_client was
> not specified. Would the Length Mismatch indicate a bad key?
Is either the server or the client using OpenSSL 0.9.8a or 0.9.8b, if
compiled with zlib support, and all bug work-arounds are enabled via
SSL_OP_ALL, you will run into problems, this is fixed in 0.9.8c and
later.
> New TCP connection #5: localhost.localdomain(41722) <-> localhost.localdomain(5758)
> 5 1 0.0025 (0.0025) C>S V3.0(84) Handshake
>   ClientHello
>     Version 3.0
>     random[32]=
>       45 7d 8b 12 f3 38 eb 69 fe 5c 7d 3e eb b8 02 0d
>       32 0a ef 70 d8 30 b2 ab 41 e3 47 5a fd 0b 61 80
>     cipher suites
>     Unknown value 0x39
>     Unknown value 0x38
>     Unknown value 0x35
>     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
>     SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>     SSL_RSA_WITH_3DES_EDE_CBC_SHA
>     Unknown value 0x33
>     Unknown value 0x32
>     Unknown value 0x2f
>     SSL_RSA_WITH_IDEA_CBC_SHA
>     SSL_RSA_WITH_RC4_128_SHA
>     SSL_RSA_WITH_RC4_128_MD5
>     SSL_DHE_RSA_WITH_DES_CBC_SHA
>     SSL_DHE_DSS_WITH_DES_CBC_SHA
>     SSL_RSA_WITH_DES_CBC_SHA
>     SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
>     SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
>     SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
>     SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>     SSL_RSA_EXPORT_WITH_RC4_40_MD5
>     compression methods
>       unknown value
>       NULL
> 5 2 0.0050 (0.0024) S>C V3.0(74) Handshake
>   ServerHello
>     Version 3.0
>     random[32]=
>       45 7d 8b 12 f4 42 79 fe bd e5 34 59 e7 02 aa 8e
>       c9 d6 b3 9d c5 23 cd 1e a3 76 de 5d 3f 69 0b a6
>     session_id[32]=
>       20 3e 42 dc 97 0b f5 73 ac a0 b5 50 01 e5 1c a9
>       0f 74 71 06 55 87 9f 55 3d a9 e5 1c d2 a1 13 9a
>     cipherSuite Unknown value 0x35
>     compressionMethod unknown value
> 5 3 0.0050 (0.) S>C V3.0(889) Handshake
>   Certificate
> 5 4 0.0050 (0.) S>C V3.0(4) Handshake
>   ServerHelloDone
> 5 5 0.0198 (0.0148) C>S V3.0(132) Handshake
>   ClientKeyExchange
> ERROR: Length mismatch
--
Viktor.
Re: SSL3_GET_RECORD:wrong version number
On 12/11/06, chris busbey <[EMAIL PROTECTED]> wrote:
> On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> > > It almost seems like the server is accepted SSL3 msgs, but sending out
> > > another protocol type. Any suggestions?
> > If you using Linux, can you send ssldump or wireshark dump
> > of this session.
> Here is an ssldump of s_client connecting to my server. I am getting
> a "Length mismatch" error following the client key exchange. In this
> run, the server ctx is set to receive SSLv23, the ssl on s_client was
> not specified. Would the Length Mismatch indicate a bad key?
Another trial forcing tls1 on both sides of the connection did not
result in the above "Length Mismatch" error. Here is the output of
that trial's ssl dump. Any thoughts?
New TCP connection #67: localhost.localdomain(42489) <-> localhost.localdomain(5758)
67 1 0.0032 (0.0032) C>S V3.1(95) Handshake
  ClientHello
    Version 3.1
    random[32]=
      45 7d 8d 96 89 31 b1 d3 cf 44 80 ae 06 eb 1d ac
      48 d0 8e bd 96 b5 b8 da c9 cc c0 0c e5 6a ec d7
    cipher suites
    Unknown value 0x39
    Unknown value 0x38
    Unknown value 0x35
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    Unknown value 0x33
    Unknown value 0x32
    Unknown value 0x2f
    TLS_DHE_DSS_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5
    TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
    TLS_DHE_RSA_WITH_DES_CBC_SHA
    TLS_DHE_DSS_WITH_DES_CBC_SHA
    TLS_RSA_WITH_DES_CBC_SHA
    TLS_DHE_DSS_WITH_RC2_56_CBC_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_MD5
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    TLS_RSA_EXPORT_WITH_RC4_40_MD5
    compression methods
      NULL
67 2 0.0083 (0.0050) S>C V3.1(74) Handshake
  ServerHello
    Version 3.1
    random[32]=
      45 7d 8d 96 f6 1e ca 93 7f 6d f7 31 69 33 c9 e2
      6e 9e bf 5c d3 e8 fd e3 66 0f 5e 81 8d f9 ab f3
    session_id[32]=
      36 22 f7 71 b0 84 9e 23 03 0c 1e ac 88 dd 36 67
      24 75 08 ea b3 9d de 70 87 56 40 dc 45 fc 33 28
    cipherSuite Unknown value 0x35
    compressionMethod NULL
67 3 0.0083 (0.) S>C V3.1(889) Handshake
  Certificate
67 4 0.0083 (0.) S>C V3.1(4) Handshake
  ServerHelloDone
67 5 0.0244 (0.0160) C>S V3.1(134) Handshake
  ClientKeyExchange
67 6 0.0657 (0.0413) C>S V3.1(1) ChangeCipherSpec
67 7 0.0657 (0.) C>S V3.1(48) Handshake
67 8 0.0666 (0.0008) S>C V3.1(1) ChangeCipherSpec
67 9 0.0666 (0.) S>C V3.1(48) Handshake
67 10 14.4262 (14.3595) C>S V3.1(32) application_data
Unknown SSL content type 0
67 11 14.4282 (0.0020) C>S V44.0(32) Alert
67 14.4285 (0.0003) C>S TCP RST
Re: SSL3_GET_RECORD:wrong version number
On 12/11/06, Marek Marcola <[EMAIL PROTECTED]> wrote:
> It almost seems like the server is accepting SSL3 msgs, but sending out
> another protocol type. Any suggestions?
If you are using Linux, can you send ssldump or wireshark dump
of this session.

Here is an ssldump of s_client connecting to my server. I am getting a
"Length mismatch" error following the client key exchange. In this
run, the server ctx is set to receive SSLv23, the ssl on s_client was
not specified. Would the Length Mismatch indicate a bad key?

Thanks,
Chris.

New TCP connection #5: localhost.localdomain(41722) <-> localhost.localdomain(5758)
5 1  0.0025 (0.0025)  C>SV3.0(84)  Handshake
      ClientHello
        Version 3.0
        random[32]=
          45 7d 8b 12 f3 38 eb 69 fe 5c 7d 3e eb b8 02 0d
          32 0a ef 70 d8 30 b2 ab 41 e3 47 5a fd 0b 61 80
        cipher suites
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        SSL_RSA_WITH_IDEA_CBC_SHA
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_MD5
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
          unknown value
                  NULL
5 2  0.0050 (0.0024)  S>CV3.0(74)  Handshake
      ServerHello
        Version 3.0
        random[32]=
          45 7d 8b 12 f4 42 79 fe bd e5 34 59 e7 02 aa 8e
          c9 d6 b3 9d c5 23 cd 1e a3 76 de 5d 3f 69 0b a6
        session_id[32]=
          20 3e 42 dc 97 0b f5 73 ac a0 b5 50 01 e5 1c a9
          0f 74 71 06 55 87 9f 55 3d a9 e5 1c d2 a1 13 9a
        cipherSuite         Unknown value 0x35
        compressionMethod             unknown value
5 3  0.0050 (0.)  S>CV3.0(889)  Handshake
      Certificate
5 4  0.0050 (0.)  S>CV3.0(4)  Handshake
      ServerHelloDone
5 5  0.0198 (0.0148)  C>SV3.0(132)  Handshake
      ClientKeyExchange
ERROR: Length mismatch
Re: SSL3_GET_RECORD:wrong version number
Hello,
> The output on the s_client side is as follows;
>
> SSL3 alert write:fatal:handshake failure
> 6389:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:288:
This means that the client does not want to support the SSL version
received from the server.
> I am using the -ssl3 flag on the s_client side. The SSL_Context on
> the client side is configured as follows;
And this means that the client wants to support ONLY SSL3, which means
that the client sends an SSL3 proposition to the server, and the server
should accept this version and send back a ServerHello handshake packet
with the SSL3 version accepted.
> I have tried setting the context mode to SSLv23, TLSv1 (as well as
> *_server) and found the same results.
When the client context is set for SSLv23, the client sends an SSL2
ClientHello packet with an SSL3 (or even TLS1) proposition.
If the server understands SSL3/TLS1 then this protocol is selected;
if not, SSL2 may be selected (or not).
> Interestingly enough, I can set
> the context and s_client to SSLv2, and this appears to work. However,
> the client app I am developing (.net 2.0) chokes on receiving messages
> with a System32 exception- "The message or signature supplied for
> verification has been altered". TLS or SSL3 would be preferred.
>
> It almost seems like the server is accepting SSL3 msgs, but sending out
> another protocol type. Any suggestions?
If you are using Linux, can you send ssldump or wireshark dump
of this session.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
Re: "SSL3_GET_RECORD:wrong version number"
Hello,
> Yesterday I finally upgraded to openssl 0.9.8d. But in my stunnel process
> (using the Openssl libraries), indicating SSLv3, I now get errors, like:
>
> "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"
>
> A most elusive error, it seems. Google mentions it a couple of times, but
> nothing relevant.
>
> What could cause this error? "wrong version number" where? In the
> cert/key?
No.
> Between the client/server?
Yes.
> I do not understand.
Versions in client/server SSL records do not agree.
Probably your client sends an SSL2 client_hello handshake message
and the server is configured only for SSL3/TLS1.
In this situation the server does not accept the SSL2 client_hello,
which manifests as the "wrong version number" error.
To resolve this error you may disable SSL2 on the client or enable
the SSL2 handshake on the server.
tcpdump output from the failed session handshake may be helpful too.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
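The version disagreement Marek describes in the two replies above can be read straight off the first five bytes of a capture. The following is an added example, not code from the thread or from OpenSSL: parse_first_bytes and receiver_verdict are hypothetical names, the verdict logic is a simplified model, the sample bytes are constructed, and the plaintext case goes beyond what the thread covers.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def parse_first_bytes(data):
    """Classify the first bytes read from a peer."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # SSL3/TLS1 record header: type(1) | version major.minor(2) | length(2)
    if ctype in CONTENT_TYPES and major == 3:
        return {"format": "ssl3/tls1 record", "type": CONTENT_TYPES[ctype],
                "version": (major, minor), "length": length}
    # SSL2 record: 2-byte length with the high bit set, then message type
    # 1 (client_hello), then the highest version the client proposes.
    if data[0] & 0x80 and data[2] == 1:
        return {"format": "ssl2 client_hello", "type": "handshake",
                "version": (data[3], data[4]),
                "length": ((data[0] & 0x7F) << 8) | data[1]}
    # Anything else: the bytes where a version would sit are just data.
    return {"format": "not ssl", "type": None,
            "version": (major, minor), "length": length}

def receiver_verdict(pinned, data, accepts_ssl2_hello=False):
    """Simplified model (an assumption, not OpenSSL's code) of an endpoint
    pinned to one version, e.g. (3, 0) for -ssl3, reading a record."""
    rec = parse_first_bytes(data)
    if rec["format"] == "ssl2 client_hello":
        # Usable only if the receiver parses SSL2-format hellos and the
        # pinned version is within what the client proposes.
        ok = accepts_ssl2_hello and rec["version"] >= pinned
    else:
        ok = rec["format"] == "ssl3/tls1 record" and rec["version"] == pinned
    return "ok" if ok else "wrong version number"

# Constructed samples. The two record headers reuse the type, version and
# length values shown in the ssldump output posted in this thread.
TLS1_CLIENT_HELLO = bytes.fromhex("160301005f")  # C>SV3.1(95) Handshake
SSL3_SERVER_HELLO = bytes.fromhex("160300004a")  # S>CV3.0(74) Handshake
SSL2_HELLO_TLS1 = bytes.fromhex("802e010301")    # SSL2 hello proposing 3.1
PLAINTEXT = b"220 mail.example ESMTP"            # peer not speaking SSL

if __name__ == "__main__":
    for sample in (TLS1_CLIENT_HELLO, SSL3_SERVER_HELLO,
                   SSL2_HELLO_TLS1, PLAINTEXT):
        print(parse_first_bytes(sample), receiver_verdict((3, 0), sample))
```

Run against the first bytes of a tcpdump or wireshark capture, the "format" field tells you which of the cases in this thread you are looking at before you change any client or server setting.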
Re: "SSL3_GET_RECORD:wrong version number" error
On 04/10/2006, at 9:39 PM, Michal Trojnara wrote:
James Brown wrote:
[ssmtp]
client = yes
accept = 465
connect = 192.168.1.31:25
Port numbers suggest you're going to set up an SSL server instead of an SSL client.
Just remove the "client = yes" line.
Best regards,
Mike

Thanks Mike.
I think I want it acting as an SSL server. My mail client (Apple's
Mail) can send using SSL. I want stunnel to accept this encrypted message
on port 465 and forward the decrypted email to port 25 of my mail
server.
In the above example I actually had stunnel running on the machine that
was running the mail client, as I was just trying to test it. Sorry if I
was a bit misleading there.
If I remove the line I get:
$ sudo stunnel /sw/etc/stunnel/stunnel.conf
2006.10.04 22:13:59 LOG5[6142:2684415368]: stunnel 4.04 on powerpc-apple-darwin8.7.0 PTHREAD+LIBWRAP with OpenSSL 0.9.7d 17 Mar 2004
2006.10.04 22:13:59 LOG7[6142:2684415368]: Snagged 64 random bytes from /Users/jlbrown/.rnd
2006.10.04 22:13:59 LOG7[6142:2684415368]: Wrote 1024 new random bytes to /Users/jlbrown/.rnd
2006.10.04 22:13:59 LOG7[6142:2684415368]: RAND_status claims sufficient entropy for the PRNG
2006.10.04 22:13:59 LOG6[6142:2684415368]: PRNG seeded successfully
2006.10.04 22:13:59 LOG7[6142:2684415368]: Certificate: /%1.pem
2006.10.04 22:13:59 LOG7[6142:2684415368]: Key file: /%1.pem
2006.10.04 22:13:59 LOG5[6142:2684415368]: FD_SETSIZE=1024, file ulimit=256 -> 125 clients allowed
2006.10.04 22:13:59 LOG7[6142:2684415368]: FD 6 in non-blocking mode
2006.10.04 22:13:59 LOG7[6142:2684415368]: SO_REUSEADDR option set on accept socket
2006.10.04 22:13:59 LOG7[6142:2684415368]: secure_mail bound to 0.0.0.0:2525
2006.10.04 22:13:59 LOG7[6142:2684415368]: FD 7 in non-blocking mode
2006.10.04 22:13:59 LOG7[6142:2684415368]: FD 8 in non-blocking mode
mail1-bordo-com-au:/ jlbrown$
2006.10.04 22:13:59 LOG7[6143:2684415368]: Created pid file /sw/var/run/stunnel.pid
2006.10.04 22:14:11 LOG7[6143:2684415368]: secure_mail accepted FD=9 from 127.0.0.1:50407
2006.10.04 22:14:11 LOG7[6143:2684415368]: FD 9 in non-blocking mode
2006.10.04 22:14:11 LOG7[6143:25183744]: secure_mail started
2006.10.04 22:14:11 LOG7[6143:25183744]: TCP_NODELAY option set on local socket
2006.10.04 22:14:11 LOG5[6143:25183744]: secure_mail connected from 127.0.0.1:50407
2006.10.04 22:14:11 LOG7[6143:25183744]: SSL state (accept): before/accept initialization
2006.10.04 22:14:11 LOG7[6143:25183744]: waitforsocket: FD=9, DIR=read
2006.10.04 22:19:11 LOG7[6143:25183744]: waitforsocket: timeout
2006.10.04 22:19:11 LOG7[6143:25183744]: secure_mail finished (0 left)
With the line in I get the "wrong version number" error, but it seems
to get further.
Thanks,
James.
Re: "SSL3_GET_RECORD:wrong version number" error
James Brown wrote:
[ssmtp]
client = yes
accept = 465
connect = 192.168.1.31:25
Port numbers suggest you're going to set up an SSL server instead of an SSL client.
Just remove the "client = yes" line.
Best regards,
Mike
