On 05/10/2006, at 4:49 AM, Marek Marcola wrote:

Hello,
Dear all,
...

tls_tcpconn_init: Setting in ACCEPT mode (server)
11(5927) tcpconn_add: hashes: 835, 11
11(5927) handle_new_connect: new connection: 0x422d88f0 24 flags: 0002
11(5927) send2child: to tcp child 0 7(5919), 0x422d88f0
 7(5919) received n=4 con=0x422d88f0, fd=20
 7(5919) DBG: io_watch_add(0x80ed320, 20, 2, 0x422d88f0), fd_no=1
 7(5919) tls_update_fd: New fd is 20
 7(5919) tls_accept: Error in SSL:
 7(5919) tls_error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number
 7(5919) DBG: io_watch_del (0x80ed320, 20, 1, 0x10) fd_no=2 called
 7(5919) releasing con 0x422d88f0, state -2, fd=20, id=11
 7(5919)  extra_data 0x422e8a08
11(5927) handle_tcp_child: reader response= 422d88f0, -2 from 0
11(5927) tcpconn_destroy: destroying connection 0x422d88f0, flags 0002
11(5927) tls_close: Closing SSL connection
11(5927) tls_update_fd: New fd is 24
11(5927) tls_shutdown: Shutdown successful
11(5927) tls_tcpconn_clean: Entered

What's wrong? How to solve the error "SSL3_GET_RECORD:wrong version
number" and "SSL: connect failed"?
From server side, you may get this error when:
- server is set up for SSL/TLS and client is connecting in plain mode,
  for example:
    $ telnet some_server 443
    Escape character is '^]'.
    lkasdkfgjlasdkfgjsdlkfjgsdfkgjsldkfgjhsdfkgsfgk

  bytes 2 and 3 must be proper SSL3/TLS1 version specification:
    0x0300 - SSL3
    0x0301 - TLS1
  or for SSL2 (in handshake negotiation) bytes 4 and 5 have version
  information:
    0x0200 - SSL2
    0x0300 - SSL3
    0x0301 - TLS1
  and of course, using SSL2 client_hello, TLS1 may be set up (if supported
  by client and server)

- server is set up for SSL3/TLS1 (not SSL2) and client sends SSL2
  client_hello, for example OpenSSL SSL_CTX created with
  SSLv23_client_method() method sends SSL2 client_hello with
  version information set to TLS1. But when server is set to
  understand SSL3/TLS1 only then SSL2 proposition is not recognized
  correctly (version information is at bytes 4 and 5, not 2 and 3)
  and we get "wrong version number".
  To correct this, on client side disable SSL2 compatibility handshake
  if SSL_CTX is created with SSLv23_client_method() with
  SSL_OP_NO_SSLv2, or on server side create SSL_CTX with
  SSLv23_server_method() instead of SSLv3_server_method()
  or TLSv1_server_method().
  In other words, both sides should have enabled the same
  protocols.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
Marek, I'm also getting the same error:

LOG7[29231:25188864]: SSL alert (write): fatal: handshake failure
LOG3[29231:25188864]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
LOG5[29231:25188864]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

Are you saying that this error is caused by the client sending using a different version of SSL to that which the server is using? From the error message above, the server is using version 3 of SSL, correct? (I'm using the latest version of stunnel and OpenSSL 0.9.7i).

If so, Apple's Mail app must be using an older SSL version? Does anyone know which version it uses?

Or can something else be causing this error?

Thanks,

James.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
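
Added example (not part of the original thread, and not OpenSSL code): a small C classifier for the first bytes a server reads, following the byte positions given in the quoted reply, to tell an SSL3/TLS record from an SSL2-format client_hello or plain text. All function and enum names are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names, not OpenSSL identifiers. */
enum first_bytes {
    FB_TOO_SHORT,       /* fewer than 5 bytes read so far */
    FB_SSL3_TLS_RECORD, /* SSL3/TLS record header: version in bytes 2-3 */
    FB_SSL2_HELLO,      /* SSL2-format client_hello: version in bytes 4-5 */
    FB_OTHER            /* plain text or anything else */
};

/* Classify the first bytes of a connection; byte numbers in comments are
 * 1-based as in the post. The advertised version is stored in *version. */
enum first_bytes classify_first_bytes(const uint8_t *buf, size_t len,
                                      uint16_t *version)
{
    *version = 0;
    if (len < 5)
        return FB_TOO_SHORT;
    /* Handshake record (type 0x16) with major version 3 in byte 2. */
    if (buf[0] == 0x16 && buf[1] == 0x03) {
        *version = (uint16_t)((buf[1] << 8) | buf[2]);
        return FB_SSL3_TLS_RECORD;
    }
    /* SSL2 framing: high bit of byte 1 set, byte 3 is client_hello (1). */
    if ((buf[0] & 0x80) && buf[2] == 0x01) {
        *version = (uint16_t)((buf[3] << 8) | buf[4]);
        return FB_SSL2_HELLO;
    }
    return FB_OTHER;
}

/* Would a server parse this opening? ssl2_hello_ok models a server that
 * also understands the SSL2-format hello (the SSLv23_server_method() case). */
int server_parses(enum first_bytes kind, int ssl2_hello_ok)
{
    return kind == FB_SSL3_TLS_RECORD || (kind == FB_SSL2_HELLO && ssl2_hello_ok);
}

int main(void)
{
    /* Constructed sample: SSL2-format client_hello advertising TLS1. */
    const uint8_t hello[] = { 0x80, 0x2e, 0x01, 0x03, 0x01 };
    uint16_t v;
    enum first_bytes k = classify_first_bytes(hello, sizeof hello, &v);
    printf("kind=%d version=0x%04x ssl3_only_ok=%d\n", (int)k, (unsigned)v, server_parses(k, 0));
    return 0;
}
```

Run against the first five bytes of a capture of the failing connection, this shows which of the two causes described in the reply applies.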
