Hello,

> >> What's wrong? How to solve the error "SSL3_GET_RECORD:wrong version
> >> number" and "SSL: connect failed"?
> >
> > From server side, you may get this error when:
> > - server is set up for SSL/TLS and client is connecting in plain mode,
> >   for example:
> >     $ telnet some_server 443
> >     Escape character is '^]'.
> >     lkasdkfgjlasdkfgjsdlkfjgsdfkgjsldkfgjhsdfkgsfgk
> >
> >   bytes 2 and 3 must be proper SSL3/TLS1 version specification:
> >     0x0300 - SSL3
> >     0x0301 - TLS1
> >   or for SSL2 (in handshake negotiation) bytes 4 and 5 have version
> >   information:
> >     0x0200 - SSL2
> >     0x0300 - SSL3
> >     0x0301 - TLS1
> >   and of course using SSL2 client_hello TLS1 may be set up (if
> >   supported by client and server)
> >
> > - server is set up for SSL3/TLS1 (not SSL2) and client sends SSL2
> >   client_hello, for example OpenSSL SSL_CTX created with
> >   SSLv23_client_method() method sends SSL2 client_hello with
> >   version information set to TLS1. But when server is set to
> >   understand SSL3/TLS1 only then SSL2 proposition is not recognized
> >   correctly (version information is at bytes 4 and 5, not 2 and 3)
> >   and we get "wrong version number".
> >   To correct this, on client side disable SSL2 compatibility handshake
> >   if SSL_CTX is created with SSLv23_client_method() with
> >   SSL_OP_NO_SSLv2, or on server side create SSL_CTX with
> >   SSLv23_server_method() instead of SSLv3_server_method()
> >   or TLSv1_server_method().
> >   In other words, both sides should have enabled the same
> >   protocols.
> >
> > Best regards,
> > --
> > Marek Marcola <[EMAIL PROTECTED]>
>
> Marek, I'm also getting the same error:
>
> LOG7[29231:25188864]: SSL alert (write): fatal: handshake failure
> LOG3[29231:25188864]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> LOG5[29231:25188864]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
>
> Are you saying that this error is caused by the client sending using
> a different version of SSL to that which the server is using?

Yes.

> From the error message above, the server is using version 3 of SSL,
> correct? (I'm using the latest version of stunnel and OpenSSL 0.9.7i).

Yes, SSL3_GET_RECORD supports SSL3 and TLS1 but not SSL2.

> If so, the Apple's Mail app must be using an older SSL version? Does
> anyone know which version it uses?
>
> Or can something else be causing this error?

My proposition is to download ssldump on some Linux box and dump
SSL messages from the wire. Then you will know exactly what is going on
and what SSL version Apple is using.
Or even tcpdump with binary data dumped.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
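
The byte positions described in the message, as an added example (not part of the thread and not OpenSSL's code): a classifier for the first five bytes a server reads, next to the bytes-2-and-3 check an SSL3/TLS1-only reader applies. The function names and sample byte arrays are constructed here; the 0x16 handshake content type and the SSL2 framing (length high bit set, message type 1) are details the message does not spell out.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample inputs: the first five bytes a server might read. */
static const unsigned char PLAIN_TEXT[]  = { 'l', 'k', 'a', 's', 'd' };      /* telnet typing */
static const unsigned char SSL3_RECORD[] = { 0x16, 0x03, 0x00, 0x00, 0x2f };
static const unsigned char TLS1_RECORD[] = { 0x16, 0x03, 0x01, 0x00, 0x2f };
static const unsigned char SSL2_HELLO[]  = { 0x80, 0x2e, 0x01, 0x03, 0x01 }; /* SSL2 framing, offers TLS1 */

enum first_bytes { FB_TOO_SHORT, FB_NOT_SSL, FB_SSL3_TLS_RECORD, FB_SSL2_CLIENT_HELLO };
struct verdict { enum first_bytes kind; unsigned version; };

/* Only the version values listed in the message above. */
static int is_ssl3_or_tls1(unsigned v) { return v == 0x0300 || v == 0x0301; }

/* What an SSL3/TLS1-only reader checks: 1-indexed bytes 2 and 3. */
int ssl3_only_version_ok(const unsigned char *b, size_t n)
{
    return n >= 3 && is_ssl3_or_tls1(((unsigned)b[1] << 8) | b[2]);
}

struct verdict classify_first_bytes(const unsigned char *b, size_t n)
{
    struct verdict r = { FB_NOT_SSL, 0 };
    if (n < 5) {
        r.kind = FB_TOO_SHORT;
        return r;
    }
    if (b[0] == 0x16 && ssl3_only_version_ok(b, n)) {   /* 0x16 = handshake record */
        r.kind = FB_SSL3_TLS_RECORD;
        r.version = ((unsigned)b[1] << 8) | b[2];
        return r;
    }
    /* SSL2 client_hello: length with high bit set, message type 1,
       version at 1-indexed bytes 4 and 5. */
    unsigned v45 = ((unsigned)b[3] << 8) | b[4];
    if ((b[0] & 0x80) && b[2] == 0x01 && (v45 == 0x0200 || is_ssl3_or_tls1(v45))) {
        r.kind = FB_SSL2_CLIENT_HELLO;
        r.version = v45;
    }
    return r;
}

int main(void)
{
    struct verdict r = classify_first_bytes(SSL2_HELLO, sizeof SSL2_HELLO);
    printf("SSL2-format hello: kind=%d offered=0x%04x ssl3_only_ok=%d\n",
           (int)r.kind, r.version, ssl3_only_version_ok(SSL2_HELLO, sizeof SSL2_HELLO));
    return 0;
}
```

The SSL2-format hello offers TLS1 yet fails the bytes-2-and-3 check, which is the second case in the message; the same classification can be applied by hand to the first bytes of a tcpdump capture.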