Bug setting up stunnel server: `SSL3_GET_CLIENT_HELLO:wrong version number`


You should make a network capture and see why it was rejected. Also check the logs on both end points. Increase the debug level in the stunnel conf.

You need to make a network trace to figure out which version of the SSL protocol the client is supporting. Then make sure that your server supports that version too.

A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested CipherSuites and suggested compression methods.

Source

Please note that the SSL protocol was changed a few years ago because of a security bug in the renegotiation. See CVE-2009-3555 and this page on SSL Renegotiation.

The server is responding with:

Secure Sockets Layer
    SSLv3 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: SSL 3.0 (0x0300)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

You have to check the logs on the SSL server to see why it has refused the connection. Try to enable SSL debugging on stunnel with: debug=7.

The stunnel server has options = NO_SSLv3, but the client is trying to connect using SSLv3. You need to upgrade the client to support a newer version of SSL or you need to change the stunnel configuration to accept SSLv3.
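The advice above comes down to one check: read the client's ClientHello out of the capture, note the highest version it offers, and compare that with the alert the server sends back. The following Python script is an added example (not part of the original answer and not stunnel code) that decodes both records. The ClientHello bytes are constructed in the script itself, not taken from the question's capture; the alert bytes reproduce the fatal handshake_failure shown in the Wireshark dissection above. The `server_min_version` default of TLS 1.0 is an assumption that mirrors the floor stunnel enforces in FIPS mode, as discussed in the comments.

```python
import struct

VERSION_NAMES = {0x0200: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      70: "protocol_version"}
SUPPORTED_VERSIONS_EXT = 43   # TLS 1.3 clients advertise their real maximum here


def version_name(code):
    return VERSION_NAMES.get(code, "unknown (0x%04x)" % code)


def parse_record(data):
    """Parse the first TLS record in data: 5-byte header (type, version, length) then body."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte record header")
    content_type, record_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record truncated: header says %d bytes, got %d" % (length, len(body)))
    info = {"content_type": CONTENT_TYPES.get(content_type, "unknown (%d)" % content_type),
            "record_version": record_version}
    if content_type == 21 and length == 2:                      # Alert: level, description
        info["alert_level"] = ALERT_LEVELS.get(body[0], "unknown (%d)" % body[0])
        info["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown (%d)" % body[1])
    elif content_type == 22 and length >= 4 and body[0] == 1:   # Handshake type 1 = ClientHello
        hello_len = int.from_bytes(body[1:4], "big")
        info.update(parse_client_hello(body[4:4 + hello_len]))
    return info


def parse_client_hello(hello):
    """Pull version, cipher suites, compression methods and supported_versions out of a ClientHello."""
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                     # skip the 32-byte client random
    pos += 1 + hello[pos]                            # skip session_id
    suites_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = hello[pos]
    compression = list(hello[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    result = {"client_version": client_version, "cipher_suites": suites,
              "compression_methods": compression}
    if pos + 2 <= len(hello):                        # optional extensions block
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext_data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_data:
                result["supported_versions"] = [struct.unpack("!H", ext_data[i:i + 2])[0]
                                                for i in range(1, 1 + ext_data[0], 2)]
            pos += 4 + ext_len
    return result


def client_max_version(info):
    """Highest protocol version a parsed ClientHello offers (legacy field or extension)."""
    return max(info.get("supported_versions", []) + [info["client_version"]])


def diagnose(client_hello_bytes, server_reply_bytes, server_min_version=0x0301):
    """Verdict: did the client offer a version the server will speak? Default floor is TLS 1.0
    (assumed here to mirror stunnel's FIPS-mode requirement)."""
    client, server = parse_record(client_hello_bytes), parse_record(server_reply_bytes)
    offered = client_max_version(client)
    reply = ("%s %s" % (server["alert_level"], server["alert_description"])
             if server["content_type"] == "alert" else server["content_type"])
    if offered < server_min_version:
        return "client offers at most %s but server requires %s; server replied with %s" % (
            version_name(offered), version_name(server_min_version), reply)
    return "client offers %s, which the server accepts; server replied with %s" % (
        version_name(offered), reply)


def build_client_hello(client_version, suites, supported_versions=(), record_version=None):
    """Assemble a minimal ClientHello record. Constructed test input, not a real capture."""
    body = struct.pack("!H", client_version) + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                 # one compression method: null
    if supported_versions:
        ext_data = bytes([2 * len(supported_versions)]) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record_version = client_version if record_version is None else record_version
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


# Constructed samples: an SSLv3-only ClientHello, a TLS 1.2 one, a TLS 1.3 one, and the
# fatal handshake_failure alert exactly as the dissection above shows it (21, 0x0300, 2, 2, 40).
SSLV3_CLIENT_HELLO = build_client_hello(0x0300, [0x002f, 0x000a])
TLS12_CLIENT_HELLO = build_client_hello(0x0303, [0x009c, 0x002f])
TLS13_CLIENT_HELLO = build_client_hello(0x0303, [0x1301], supported_versions=[0x0304, 0x0303])
SERVER_ALERT = bytes.fromhex("15" "0300" "0002" "02" "28")

if __name__ == "__main__":
    print(diagnose(SSLV3_CLIENT_HELLO, SERVER_ALERT))
    print(diagnose(TLS12_CLIENT_HELLO, SERVER_ALERT))
```

To use it on a real capture, feed `parse_record` the TCP payload of the client's first packet and of the server's reply (Wireshark: Follow TCP Stream, or export the packet bytes). Note that the record-layer version in the header is not the same thing as the version offered inside the ClientHello, and TLS 1.3 clients keep the legacy field at TLS 1.2, which is why `client_max_version` also consults the supported_versions extension.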


Author: Ram Rachum, Israeli Python developer.

Updated on September 18, 2022

Comments

  • Ram Rachum
    Ram Rachum over 1 year

    I'm setting up a stunnel server on Windows XP, and I get this bug when a client tries to access:

    2013.02.14 00:02:16 LOG7[8848:7664]: Service [https] accepted (FD=320) from 107.20.36.147:56160
    2013.02.14 00:02:16 LOG7[8848:7664]: Creating a new thread
    2013.02.14 00:02:16 LOG7[8848:7664]: New thread created
    2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] started
    2013.02.14 00:02:16 LOG5[8848:9792]: Service [https] accepted connection from 107.20.36.147:56160
    2013.02.14 00:02:16 LOG7[8848:9792]: SSL state (accept): before/accept initialization
    2013.02.14 00:02:16 LOG7[8848:9792]: SSL alert (write): fatal: handshake failure
    2013.02.14 00:02:16 LOG3[8848:9792]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
    2013.02.14 00:02:16 LOG5[8848:9792]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
    2013.02.14 00:02:16 LOG7[8848:9792]: Local socket (FD=320) closed
    2013.02.14 00:02:16 LOG7[8848:9792]: Service [https] finished (0 left)
    

    Any idea what to do about this? I read online that this might mean that my server is advertising that it can communicate in SSL3 but it in fact can't. If this is true I'd like to know how I can fix this. I'm editing the stunnel.conf file but I have no idea what to change in it to fix this.

    UPDATE:

    The above error message shows only when the Twilio client (i.e. Twilio's server) tries to access my server. When I try to access my server with one of my computers, the page does show up, but after the contents show up, Chrome shows the page as "loading" for around 30 seconds, at the end of which stunnel gives this message:

    transfer: s_poll_wait: TIMEOUTclose exceeded: closing
    

    UPDATE:

    Here is the wireshark capture: https://gist.github.com/cool-RR/4963477

    Cap file: https://dl.dropbox.com/u/1927707/wireshark.cap

    Note that the server runs on port 8088.

    UPDATE:

    Here is the log from the server (with debug=7):

    2013.02.17 17:06:52 LOG7[7636:2092]: No limit detected for the number of clients
    2013.02.17 17:06:52 LOG5[7636:2092]: stunnel 4.54 on x86-pc-msvc-1500 platform
    2013.02.17 17:06:52 LOG5[7636:2092]: Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
    2013.02.17 17:06:52 LOG5[7636:2092]: Threading:WIN32 SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:SELECT+IPv6
    2013.02.17 17:06:52 LOG5[7636:2092]: Reading configuration from file stunnel.conf
    2013.02.17 17:06:52 LOG5[7636:2092]: FIPS mode is enabled
    2013.02.17 17:06:52 LOG7[7636:2092]: Compression not enabled
    2013.02.17 17:06:52 LOG7[7636:2092]: Snagged 64 random bytes from C:\Documents and Settings\User/.rnd
    2013.02.17 17:06:52 LOG7[7636:2092]: Wrote 1024 new random bytes to C:\Documents and Settings\User/.rnd
    2013.02.17 17:06:52 LOG7[7636:2092]: PRNG seeded successfully
    2013.02.17 17:06:52 LOG6[7636:2092]: Initializing service [https]
    2013.02.17 17:06:52 LOG7[7636:2092]: Certificate: G:\Dropbox\StartSSL\SSL Cert.pem
    2013.02.17 17:06:52 LOG7[7636:2092]: Certificate loaded
    2013.02.17 17:06:52 LOG7[7636:2092]: Key file: G:\Dropbox\StartSSL\SSL Cert.pem
    2013.02.17 17:06:52 LOG7[7636:2092]: Private key loaded
    2013.02.17 17:06:52 LOG7[7636:2092]: Could not load DH parameters from G:\Dropbox\StartSSL\SSL Cert.pem
    2013.02.17 17:06:52 LOG7[7636:2092]: Using hardcoded DH parameters
    2013.02.17 17:06:52 LOG7[7636:2092]: DH initialized with 2048-bit key
    2013.02.17 17:06:52 LOG7[7636:2092]: ECDH initialized with curve prime256v1
    2013.02.17 17:06:52 LOG7[7636:2092]: SSL options set: 0x03000004
    2013.02.17 17:06:52 LOG5[7636:2092]: Configuration successful
    2013.02.17 17:06:52 LOG7[7636:2092]: Service [https] (FD=268) bound to 0.0.0.0:8088
    2013.02.17 17:07:08 LOG7[7636:2092]: Service [https] accepted (FD=320) from 54.242.25.199:45922
    2013.02.17 17:07:08 LOG7[7636:2092]: Creating a new thread
    2013.02.17 17:07:08 LOG7[7636:2092]: New thread created
    2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] started
    2013.02.17 17:07:08 LOG5[7636:8004]: Service [https] accepted connection from 54.242.25.199:45922
    2013.02.17 17:07:08 LOG7[7636:8004]: SSL state (accept): before/accept initialization
    2013.02.17 17:07:08 LOG7[7636:8004]: SSL alert (write): fatal: handshake failure
    2013.02.17 17:07:08 LOG3[7636:8004]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
    2013.02.17 17:07:08 LOG5[7636:8004]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
    2013.02.17 17:07:08 LOG7[7636:8004]: Local socket (FD=320) closed
    2013.02.17 17:07:08 LOG7[7636:8004]: Service [https] finished (0 left)
    

    UPDATE:

    Here's my stunnel.conf file.

    • Mircea Vutcovici
      Mircea Vutcovici over 11 years
      The dropbox file seems missing. The server is returning HTTP/404
    • Ram Rachum
      Ram Rachum over 11 years
      @MirceaVutcovici Sorry, fixed now.
    • Ram Rachum
      Ram Rachum about 11 years
      I increased the bounty on the question to 100 points.
    • Stephane
      Stephane about 11 years
      Could you please include the stunnel.conf file as well ? Because it looks like your server is refusing SSLv3.0 connections
    • Ram Rachum
      Ram Rachum about 11 years
      Included it now
  • Ram Rachum
    Ram Rachum over 11 years
    I've updated the question with more details. Do you still need me to do a network capture?
  • Mircea Vutcovici
    Mircea Vutcovici over 11 years
    Yes, to know which version is supported by the SSL client.
  • Ram Rachum
    Ram Rachum over 11 years
    I've done a Wireshark capture and linked to it in the question.
  • Mircea Vutcovici
    Mircea Vutcovici over 11 years
    The capture is interpreted as "HTTP" it should be interpreted as SSL. That file is not the *.cap file. The *.cap is a binary file that contains all traffic including time stamps. You need to search for "ALERT" in the capture information. See: en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol
  • Ram Rachum
    Ram Rachum over 11 years
    Binary file added to question.
  • Ram Rachum
    Ram Rachum over 11 years
    (Fixed bad link.)
  • Ram Rachum
    Ram Rachum about 11 years
    It didn't work even when I removed the NO_SSLv3. This is the log output from that session: gist.github.com/cool-RR/4981928
  • Ram Rachum
    Ram Rachum about 11 years
    I added the log output in the preceding comment, with SSL3 enabled as you requested. Any insights?
  • Mircea Vutcovici
    Mircea Vutcovici about 11 years
    You should take another capture and see which version is used. The error does not make sense. If you have SSLv3 to be accepted on the stunnel, then the server should not refuse it. Try to debug stunnel. If you use Linux for stunnel, run it with strace like: strace -fp <stunnel_PID>. If it is running on Windows use Process Monitor from SysInternals. Try to add in stunnel.conf: sslVersion = all
  • Ram Rachum
    Ram Rachum about 11 years
    Trying to add sslVersion = all results in this error: Service [https]: 'sslVersion = TLSv1' is required in FIPS mode.
  • Ram Rachum
    Ram Rachum about 11 years
    Here's the capture from Wireshark with SSL3 enabled: db.tt/qojUw4DR
  • Ram Rachum
    Ram Rachum about 11 years
    Do you still want me to run Process Monitor?
  • Mircea Vutcovici
    Mircea Vutcovici about 11 years
    Ok, the problem is that you have FIPS mode enabled (it is enabled by default in stunnel compiled with FIPS) and that the client is trying to connect using SSLv3 (I assume, you have to confirm from logs or network capture). But FIPS is working only with TLSv1 or newer.
  • Mircea Vutcovici
    Mircea Vutcovici about 11 years
    You have 2 solutions: 1. upgrade the SSL client (Twilio). 2. disable FIPS compliance, and lower the security, by adding fips = no to stunnel.conf
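The two options in the last comment, written out as a constructed stunnel.conf fragment. This is an added example, not the asker's configuration (which the page does not reproduce); the certificate path, the `connect` target and the log file name are placeholders. The option names (`fips`, `sslVersion`, `options`, `debug`, `output`) are the stunnel 4.x ones used in this thread.

```ini
; --- Variant A: keep FIPS mode (the default in a FIPS-enabled stunnel 4.x build).
; stunnel then insists on sslVersion = TLSv1, so a client that only speaks SSLv3
; gets the fatal handshake_failure / "wrong version number" seen in the logs above.
fips = yes
debug = 7
output = stunnel.log          ; placeholder log path

[https]
accept = 8088
connect = 127.0.0.1:8080      ; placeholder backend
cert = server.pem             ; placeholder certificate + key file
sslVersion = TLSv1

; --- Variant B: drop FIPS compliance so that SSLv3 clients can connect.
; This lowers the security of the server (SSLv3 is an obsolete protocol and is
; removed from current OpenSSL builds, so this only works on builds that still
; contain it, such as the OpenSSL 1.0.1c in the logs above). Treat it as a
; stop-gap until the client is upgraded.
; fips = no
; debug = 7
; output = stunnel.log
;
; [https]
; accept = 8088
; connect = 127.0.0.1:8080
; cert = server.pem
; sslVersion = all
; options = NO_SSLv2
```

Only one variant can be active at a time; comment out one block and uncomment the other, then restart stunnel and re-run the handshake while watching the `debug = 7` log for the `SSL state (accept)` lines. Whichever variant is chosen, confirm from a capture which version the client actually offers before changing the server, as the answer above insists.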