Yutaka,

I am not able to connect when I force ssl version 3 or tls version 1. I have tried with a delegated executable that I compiled as well as with the binary download from ftp.delegate.org. The client tries and then times out after minutes.

Here is the log of the unsuccessful connection when specifying STLS="fcl,sslway -ssl3".

From /var/spool/delegate-nobody/log/stdout.log:

605:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:299:

from /var/spool/delegate-nobody/log/23:

06/25 12:48:39.07 [612] 1+0: -- Fork(OnetimeServer): 559 -> 612
06/25 12:48:39.07 [612] 1+0: {R} SOA got [10.in-addr.arpa][nsx.holidaycompanies.com][root.10.in-addr.arpa] 2005254172 10 800 3600 604800 86400
06/25 12:48:39.07 [612] 1+0: (0) accepted [50] -@[10.0.8.102]10.0.8.102:3132 (0.009s)(1)
06/25 12:48:39.07 [612] 1+0: PATH: telnet://ss922:23!sslproxy01.test.com:23!10.0.8.102:3132!anonymous@10.0. 8 .102;1182793719
06/25 12:48:39.07 [612] 1+0: # SSL record head[80 4C 1 3 1] SSL2 8?/78
06/25 12:48:39.08 [612] 1+0: isinSSL ? [80] from client
06/25 12:48:39.08 [612] 1+0: SSL Hello?5 [80 76 1 3 1]
06/25 12:48:39.08 [612] 1+0: ## STLS ## IMPLICIT SSL ON 50,50,-1,19
06/25 12:48:39.08 [613] 1+0: -- Fork(FCL): 612 -> 613
06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=2 [53/S]
06/25 12:48:39.08 [612] 1+0: 0.008 CFI_SYNC ready=1 [57/W]
06/25 12:48:40.08 [612] 1+0: waiting CFI_SYNC from sslway (300)...
06/25 12:53:40.08 [612] 1+0: 301.008 CFI_SYNC ready=0 [FFFFFFFE]
06/25 12:53:40.08 [612] 1+0: ERROR: SSL/cl disconnected
06/25 12:53:40.08 [612] 1+0: disconnected [50] -@[10.0.8.102]10.0.8.102:3132 (301.020s)(0)
06/25 12:53:41.12 [612] 1+0: CFI process remaining (1/1)

Things work OK if I don't specify "sslway -ssl3", or if I specify "sslway -ssl2". Unfortunately, I need to force version 3.

TIA
...jgm

-----Original Message-----
From: Yutaka Sato [mailto:pficabdyi-mxhgu4zwz33w.ml@delegate.org]
Sent: Friday, June 22, 2007 8:49 PM
To: pficabdyi-mxhgu4zwz33w.ml@delegate.org
Cc: feedback@delegate.org; Joe Moore; pficabdyi-mxhgu4zwz33w.ml@delegate.org
Subject: Re: [DeleGate-En:3775] Can I force ssl version 3.0 only?

Joe,

In message <_A3774@delegate-en.ML_> on 06/23/07(02:35:22)
you "Joe Moore" <pvyhabdyi-mxhgu4zwz33w.ml@delegate.org> wrote:
 |I'm using delegated with "STLS=fcl" to encrypt client side
 |communications. My testing shows that there are weak ciphers (keys less
 |than 112 bits) available with ssl 1.0 and 2.0 connections. Is there any
 |way to force clients to use ssl 3.0, or TLS 1.0 only?

It can be specified as:

  STLS="fcl,sslway -ssl3"
or
  STLS="fcl,sslway -tls1"

Cheers,
Yutaka
--
  9 9   Yutaka Sato <pfqcabdyi-mxhgu4zwz33w.ml@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
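
Added example, not part of the original messages and not DeleGate's own code: a decoder for the five record-head bytes that DeleGate logs above. The bytes 80 4C 1 3 1 are an SSLv2-format ClientHello offering version 3.1 (TLS 1.0); read as an SSLv3/TLS record header, the same bytes give version 76.1, which is the kind of mismatch the SSL3_GET_RECORD "wrong version number" error reports. The function names and the contrast record are assumptions made for the example.

```python
import re

# Matches the hex byte list in DeleGate's "SSL record head[...]" log line.
HEAD_RE = re.compile(r"SSL record head\[([0-9A-Fa-f ]+)\]")

def parse_head(log_line):
    """Extract the logged bytes from a 'SSL record head[...]' line, or None."""
    m = HEAD_RE.search(log_line)
    if not m:
        return None
    return bytes(int(tok, 16) for tok in m.group(1).split())

def classify(head):
    """Interpret 5 bytes as an SSLv2-format hello or an SSLv3/TLS record header."""
    if len(head) < 5:
        raise ValueError("need at least 5 bytes")
    b0, b1, b2, b3, b4 = head[:5]
    # SSLv2 two-byte header: high bit set, 15-bit length, then message type
    # 1 (CLIENT-HELLO) followed by the version the client offers.
    if b0 & 0x80 and b2 == 1:
        return {"format": "sslv2-hello", "length": ((b0 & 0x7F) << 8) | b1,
                "offered_version": (b3, b4)}
    # SSLv3/TLS record: content type 20..23, major.minor version, 16-bit length.
    if 20 <= b0 <= 23 and b1 == 3:
        return {"format": "ssl3/tls-record", "content_type": b0,
                "record_version": (b1, b2), "length": (b3 << 8) | b4}
    return {"format": "unknown"}

def as_ssl3_header(head):
    """What a parser that only accepts SSLv3/TLS records reads from the same bytes."""
    return {"content_type": head[0], "version": (head[1], head[2])}

# Line copied from the log in the message above.
LOG_LINE = "06/25 12:48:39.07 [612] 1+0: # SSL record head[80 4C 1 3 1] SSL2 8?/78"
# Constructed for contrast: an SSLv3-format record carrying a TLS 1.0 handshake.
CONSTRUCTED = bytes([0x16, 0x03, 0x01, 0x00, 0x4C])

if __name__ == "__main__":
    head = parse_head(LOG_LINE)
    print(classify(head))          # SSLv2-format hello offering 3.1
    print(as_ssl3_header(head))    # same bytes read as an SSLv3 record header
    print(classify(CONSTRUCTED))   # SSLv3/TLS record format
```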