On 3/14/23 13:20, Eberhard wrote:
Actually I think the SSLv3 in the log is a lie, as this is also in the log just before the below:

TLS state (connect): before/connect initialization
  TLS state (connect): SSLv3 write client hello A
  TLS state (connect): SSLv3 read server hello A

So I am thinking the elliptic curve stuff is more likely the issue?

It's common to see an SSLv3 "hello" sent to be as compatible as possible. It's possible that common code paths that existed back to SSLv3 still log that way even when being used in a TLSvx.y handshake.

https://www.ssllabs.com/ssltest/analyze.html?d=ws.fedex.com

They only support a small set of cipher suites, which is good.

Qualys says you should be able to connect with TLSv1.2 with cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 which is supported by OpenSSL 1.0.2.

Are you able to connect with:

$ openssl s_client -connect ws.fedex.com:443

You may be required to provide a client-cert in order to connect. See the usage information for "s_client" to see how to do that.

-chris
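The error queue Eberhard quoted can be decoded mechanically: OpenSSL 1.0.x packs each error code as (lib << 24) | (func << 12) | reason, and an entry whose reason code equals a library id is only an "EC lib" / "BN lib" pass-through wrapper, so the substantive failures here sit in the EC and BN libraries rather than in version negotiation. This is an added example, not code from the thread, from stunnel or from OpenSSL; the sample lines are the ones quoted in the message below, and the three library ids are the ERR_LIB_* values from OpenSSL 1.0.x err.h.

```python
import re

# ERR_LIB_* ids from OpenSSL 1.0.x crypto/err/err.h (only the three this log needs).
# A reason code equal to one of these ids is ERR_R_xxx_LIB, printed as "EC lib"/"BN lib":
# a wrapper meaning "a lower library failed", not the real cause.
ERR_LIBS = {3: "BN", 16: "EC", 20: "SSL"}

# Constructed sample: the error lines quoted from the stunnel debug log in this thread.
SAMPLE_LOG = """\
TLS state (connect): SSLv3 read server certificate A
 error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
 error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
 error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
 SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long
"""

# error:<8 hex digits>:<library text>:<function>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)$")

def decode_code(code):
    """Unpack an OpenSSL 1.0.x error code: (lib << 24) | (func << 12) | reason."""
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {"lib": ERR_LIBS.get(lib, "lib#%d" % lib), "func": func,
            "reason": reason, "wrapper": reason in ERR_LIBS}

def parse_error_queue(log):
    """Return the decoded error chain in the order stunnel printed it."""
    chain = []
    for line in log.splitlines():
        m = ERR_RE.search(line)
        if m:
            entry = decode_code(int(m.group(1), 16))
            entry.update(func_name=m.group(2), reason_text=m.group(3).strip())
            chain.append(entry)
    return chain

def substantive_errors(chain):
    """Drop the 'X lib' wrappers; what remains names the operations that actually failed."""
    return [e for e in chain if not e["wrapper"]]

def diagnose(log):
    """Tell an EC/BN key-exchange failure apart from a plain SSL-layer (e.g. version) error."""
    libs = [e["lib"] for e in parse_error_queue(log)]
    if "EC" in libs or "BN" in libs:
        return "EC/BN failure during key exchange, not a protocol-version mismatch"
    return "SSL-layer error only" if libs else "no OpenSSL errors found"

if __name__ == "__main__":
    for e in substantive_errors(parse_error_queue(SAMPLE_LOG)):
        print(e["lib"], e["func_name"], "->", e["reason_text"])
    print(diagnose(SAMPLE_LOG))
```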

_____________________________________________
From: Eberhard <fl...@vicsmba.com>
Sent: Tuesday, March 14, 2023 9:15 AM
To: 'stunnel-users@stunnel.org' <stunnel-users@stunnel.org>
Subject: Help with disabling SSLv3
Importance: High


I am suddenly getting errors from Fedex:

TLS state (connect): SSLv3 read server certificate A
 error queue: 1408D010: error:1408D010:SSL routines:ssl3_get_key_exchange:EC lib
 error queue: 100AE081: error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group
 error queue: 100AF003: error:100AF003:elliptic curve routines:EC_GROUP_NEW_FROM_DATA:BN lib
 SSL_connect: 3078072: error:03078072:bignum routines:BN_EXPAND_INTERNAL:bignum too long

My .conf file says:

output = /tmp/fedex.log
debug = 7
RNDfile = /visanet/ssl/stunnel.rnd
RNDoverwrite = yes
client = yes
connect = ws.fedex.com:443
;connect = gateway.fedex.com:443
;connect = wssha1ends12172016.fedex.com:443
sslVersion = TLSv1.2
options = NO_SSLv3
sslVersionMin = TLSv1.2
CAfile = /usr/local/ssl/certs/cacert.pem

It is a very old version of stunnel but I cannot upgrade as this is a 15 year old AIX (IBM) computer.

stunnel 5.44 on powerpc-ibm-aix4.3.3.0 platform
  Compiled/running with OpenSSL 1.0.2 22 Jan 2015
  Threading:FORK Sockets:POLL,IPv4 TLS:ENGINE,FIPS,OCSP,PSK,SNI
  Invalid configuration file name "--version"
  realpath: No such file or directory (2)

Yet the log implies I am still trying SSLv3.

Any ideas?  Thanks in advance.

Eric

VICS, LLC

Eric S Eberhard

2933 W Middle Verde Rd

Camp Verde, AZ  86322

928-567-3727            (land line)

928-301-7537            (cell phone)

http://www.vicsmba.com/

https://www.facebook.com/groups/286143052248115




_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-le...@stunnel.org