Disable support for insecure SSLv2 protocol but allow for ONE service

When I try to connect to one of my mailboxes I get a return:

SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

What does that mean?

In stunnel.conf I set the global parameter:

options = NO_SSLv2

This works in general. But for the mentioned email provider it could mean that he allows only SSLv2. Is this the reason?

Where is described what is insecure at SSLv2?

How can I allow for that particular email provider SSLv2 but disallow for all others?

Ben

2013/10/15 Ben Stover <bxstover@yahoo.co.uk>:
> When I try to connect to one of my mailboxes I get a return:
> SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> What does that mean?
> In stunnel.conf I set the global parameter:
> options = NO_SSLv2
> This works in general. But for the mentioned email provider it could mean that he allows only SSLv2. Is this the reason?
> Where is described what is insecure at SSLv2?
> How can I allow for that particular email provider SSLv2 but disallow for all others?

It is extremely unlikely that this has anything to do with SSLv2. SSLv2 is so old that there are practically no services in the Internet that support only it (however some do allow SSLv2 in addition to newer ones).

Some of the most important SSLv2 flaws are explained on Wikipedia: http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_2.0

What stopped you from temporarily removing the global option and verifying if this has anything to do with SSLv2? Most probably it still will not work (the "SSL3_GET_RECORD:wrong version number" message is misleading usually).

-- Janusz Dziemidowicz

On 10/15/2013 3:42 PM, Janusz Dziemidowicz wrote:
> How can I allow for that particular email provider SSLv2 but disallow for all others?

Specify the SSL option(s) in the service section(s) instead of the global section.
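The per-service layout suggested in the reply above, as an added example that is not part of the original thread: a constructed stunnel.conf in which only one service omits NO_SSLv2, with a small Python check that lists which services are left without it. The service names, hosts, ports and the inheritance model (global `options` lines act as defaults for every service, service lines add to them) are assumptions of this example.

```python
# Added example, not from the thread. Constructed stunnel.conf text; the
# service names, hosts and ports are placeholders.
SAMPLE_CONF = """\
; global section: no NO_SSLv2 here, so it is not inherited by every service
client = yes

[pop3-strict]
accept = 127.0.0.1:1995
connect = pop.example.net:995
options = NO_SSLv2

[pop3-legacy]
accept = 127.0.0.1:1996
connect = pop.legacy.example:995

[imap-strict]
accept = 127.0.0.1:1993
connect = imap.example.net:993
options = NO_SSLv2
"""


def effective_options(conf_text):
    """Map each service name to the set of `options` values that apply to it.

    Assumed model: `options` lines before the first [section] are defaults
    inherited by all services, and a service's own lines add to them.
    """
    global_opts, services, current = set(), {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = set(global_opts)   # inherit global defaults
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "options":
            target = global_opts if current is None else services[current]
            target.add(value.strip())
    return services


def services_allowing_sslv2(conf_text):
    """Names of services for which NO_SSLv2 is not in effect."""
    return sorted(name for name, opts in effective_options(conf_text).items()
                  if "NO_SSLv2" not in opts)


if __name__ == "__main__":
    print("Services without NO_SSLv2:", services_allowing_sslv2(SAMPLE_CONF))
```

Running the check after every edit to the configuration confirms that the exemption stays confined to the one intended service.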

On 2013-10-15 22:21, Ben Stover wrote:
> Where is described what is insecure at SSLv2?

A simple (and mostly correct) explanation is here: http://tools.ietf.org/html/rfc6176

Mike

participants (4): Ben Stover, Janusz Dziemidowicz, Michal Trojnara, Thomas Eifert