Actually I think the SSLv3 in the log is a lie - as this is also in the log
just before the below:

TLS state (connect): before/connect initialization      
 TLS state (connect): SSLv3 write client hello A         
 TLS state (connect): SSLv3 read server hello A          

So I am thinking the elliptic curve stuff is more likely the issue?

Eric



VICS, LLC
Eric S Eberhard
2933 W Middle Verde Rd
Camp Verde, AZ  86322

928-567-3727            (land line)
928-301-7537            (cell phone)

http://www.vicsmba.com
https://www.facebook.com/groups/286143052248115



_____________________________________________
From: Eberhard <fl...@vicsmba.com> 
Sent: Tuesday, March 14, 2023 9:15 AM
To: 'stunnel-users@stunnel.org' <stunnel-users@stunnel.org>
Subject: Help with disabling SSLv3
Importance: High


I am suddenly getting errors from Fedex:

TLS state (connect): SSLv3 read server certificate A

 error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
 error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
 error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
 SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long

My .conf file says:

output = /tmp/fedex.log                     
debug = 7                                   
RNDfile = /visanet/ssl/stunnel.rnd          
RNDoverwrite = yes                          
client = yes                                
connect = ws.fedex.com:443                  
;connect = gateway.fedex.com:443            
;connect = wssha1ends12172016.fedex.com:443 
sslVersion = TLSv1.2                        
options = NO_SSLv3                          
sslVersionMin = TLSv1.2                     
CAfile = /usr/local/ssl/certs/cacert.pem

It is a very old version of stunnel, but I cannot upgrade as this is a
15-year-old AIX (IBM) computer.

stunnel 5.44 on powerpc-ibm-aix4.3.3.0 platform                
 Compiled/running with OpenSSL 1.0.2 22 Jan 2015                
 Threading:FORK Sockets:POLL,IPv4 TLS:ENGINE,FIPS,OCSP,PSK,SNI  
 Invalid configuration file name "--version"                    
 realpath: No such file or directory (2)                        

Yet the log implies I am still trying SSLv3.

Any ideas?  Thanks in advance.

Eric
  



_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org
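
Added example, not part of either e-mail above: a small decoder for the packed error codes in the quoted log, using the lib/func/reason bit layout of OpenSSL 1.0.x's ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON macros. The function names and the LIBS table (ERR_LIB_* numbers from OpenSSL 1.0.x err.h) are choices made for this illustration; the log text is the four error lines from the original message with the mail wraps joined.

```python
import re

# Constructed sample: the four error lines from the log in the message above,
# with the mail client's line wraps joined.
LOG = """\
error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long
"""

# ERR_LIB_* numbers from OpenSSL 1.0.x err.h (only the ones seen in this log).
LIBS = {3: "BN", 16: "EC", 20: "SSL"}

# Matches the "error:<8 hex digits>:<lib text>:<function>:<reason>" part of a line.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+?)\s*$")

def decode(code):
    """Split a packed 1.0.x error code: 8 bits lib, 12 bits func, 12 bits reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse(log):
    """Return one dict per error line, in log order."""
    frames = []
    for line in log.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        lib, func, reason = decode(int(m.group(1), 16))
        frames.append({"lib": LIBS.get(lib, "lib%d" % lib), "func_no": func,
                       "reason_no": reason, "func": m.group(3),
                       "reason": m.group(4)})
    return frames

def summarize(frames):
    """Function named on the first error line, plus the library of each line."""
    return frames[0]["func"], [f["lib"] for f in frames]

if __name__ == "__main__":
    frames = parse(LOG)
    for f in frames:
        print("%-3s func=%-3d reason=%-3d %s: %s" % (
            f["lib"], f["func_no"], f["reason_no"], f["func"], f["reason"]))
    print(summarize(frames))
```

Every decoded line after the first belongs to the EC or BN library, and the first is raised from ssl3_get_key_exchange, so the failure happens while processing the server's key exchange parameters rather than during version negotiation. This bit layout applies to 1.0.x-style codes such as the ones in this log; OpenSSL 3.0 packs error codes differently.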
