The error SSL3_GET_CLIENT_HELLO:wrong version number typically occurs when there's a protocol version mismatch during the SSL/TLS handshake. Examining your logs shows this happens when Twilio's server (54.242.25.199) connects to your stunnel instance on Windows XP.
From your Wireshark capture and server logs, we can see:
2013.02.17 17:07:08 LOG3[7636:8004]: SSL_accept: 1408A10B: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
The key issues:
- You're running OpenSSL 1.0.1c-fips (2012 build) with FIPS mode enabled
- The client (Twilio) might be attempting an older SSL version
- Windows XP has inherent TLS limitations
Your current stunnel.conf needs these critical modifications:
; TLS protocol configuration
sslVersion = TLSv1.2
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
; Cipher suite restrictions
ciphers = HIGH:!aNULL:!MD5:!RC4:!3DES
curve = secp384r1
To properly diagnose:
- Enable verbose logging in stunnel:
debug = 7
output = stunnel.log
- Test with OpenSSL s_client:
openssl s_client -connect yourserver:8088 -tls1_2
Modern TLS 1.2 implementations on Windows XP may require:
; In stunnel.conf
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
If protocol negotiation continues to fail:
- Consider upgrading from Windows XP (end-of-life OS)
- Test with newer OpenSSL/stunnel versions
- Implement a protocol fallback mechanism
After configuration changes, verify with:
openssl ciphers -v | grep TLSv1.2
sslyze --starttls=auto yourserver:8088
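Before changing the server's version settings it helps to look at what the client actually put on the wire. As an added illustration (not code from the answer above, and not using any bytes from the question's capture), the script below parses the first record on the accept socket the way Wireshark would present it, then applies the check that, in OpenSSL 1.0.x, produces the SSL3_GET_CLIENT_HELLO variant of this error: the server is bound to a single protocol version (stunnel sslVersion = TLSv1, TLSv1.2 and so on) and the client_version inside the ClientHello body is lower than that version. The record-layer variant (SSL3_GET_RECORD:wrong version number) is the one plaintext HTTP on a TLS port produces, and the script separates the two cases. All sample records are constructed in the block; the version names, cipher-suite numbers and the `server_verdict` model are the example's own simplification of the OpenSSL logic.

```python
"""Inspect the first bytes a client sends to a TLS port and predict whether
an OpenSSL 1.0.x server bound to one protocol version would fail with
SSL3_GET_CLIENT_HELLO:wrong version number.

Added example, not code from the answer above. All sample bytes are
constructed here; nothing is taken from the question's capture.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
VERSION_CODES = {name: code for code, name in VERSION_NAMES.items()}


def build_client_hello(record_version, client_version, cipher_suites):
    """Build a minimal ClientHello record; used here only to construct samples."""
    body = struct.pack("!H", client_version) + b"\x00" * 32   # client_version + random
    body += b"\x00"                                           # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType 1 = client_hello
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def inspect_client_hello(data):
    """Classify the first bytes on the accept socket (what Wireshark shows)."""
    if len(data) < 5:
        return {"kind": "truncated"}
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 0x16:
        # Not a handshake record at all. Plaintext HTTP sent to a TLS port is
        # the classic cause of the record-layer (SSL3_GET_RECORD) variant.
        kind = "plaintext_http" if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") else "not_tls"
        return {"kind": kind, "first_bytes": data[:5]}
    hs = data[5:5 + record_len]
    if len(hs) < 43 or hs[0] != 0x01:                # 4-byte header + 39-byte minimal body
        return {"kind": "not_client_hello",
                "record_version": VERSION_NAMES.get(record_version, hex(record_version))}
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {
        "kind": "client_hello",
        "record_version": VERSION_NAMES.get(record_version, hex(record_version)),
        "client_version": VERSION_NAMES.get(client_version, hex(client_version)),
        "client_version_code": client_version,
        "cipher_suites": suites,
    }


def server_verdict(info, server_version):
    """Model of the check in OpenSSL 1.0.x ssl3_get_client_hello(): when the
    server is bound to a single version (stunnel sslVersion = TLSv1.2 and the
    like) and the ClientHello's inner client_version is lower, the handshake
    fails with SSL3_GET_CLIENT_HELLO:wrong version number. 'all' stands for
    the SSLv23 method, which negotiates instead of rejecting."""
    if info["kind"] != "client_hello":
        return "no ClientHello received: " + info["kind"]
    if server_version == "all":
        return "version ok (server negotiates from %s)" % info["client_version"]
    if info["client_version_code"] < VERSION_CODES[server_version]:
        return ("SSL3_GET_CLIENT_HELLO:wrong version number "
                "(client offered %s, server requires %s)" % (info["client_version"], server_version))
    return "version ok (%s >= %s)" % (info["client_version"], server_version)


if __name__ == "__main__":
    # Constructed samples: a TLS 1.0 ClientHello, a TLS 1.2 ClientHello, and plaintext HTTP.
    samples = {
        "tls1.0 hello": build_client_hello(0x0301, 0x0301, [0x002F, 0x0035]),
        "tls1.2 hello": build_client_hello(0x0301, 0x0303, [0xC02F, 0x009C]),
        "plaintext": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    }
    for name, data in samples.items():
        info = inspect_client_hello(data)
        for server in ("all", "TLSv1", "TLSv1.2"):
            print("%-12s vs sslVersion=%-7s -> %s" % (name, server, server_verdict(info, server)))
```

Feed `inspect_client_hello` the payload bytes of the first client packet from the capture (Wireshark: Follow TCP Stream, raw) to see which case applies. The verdict matrix also shows the trade-off in pinning sslVersion: a server fixed to TLSv1.2 rejects a client that offers at most TLS 1.0, while `all` lets OpenSSL negotiate and the NO_* options decide what is acceptable.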
The error SSL3_GET_CLIENT_HELLO:wrong version number typically occurs when there's a mismatch between the SSL/TLS versions supported by the client and server. From your logs, we can see this happens specifically when Twilio's servers attempt to connect to your stunnel instance.
Looking at the packet capture, we can observe the handshake failure in action. The client (Twilio) appears to be sending a ClientHello message that your stunnel server rejects due to version incompatibility.
Your stunnel.conf file shows several potential problems:
; Old SSLv3 configuration (problematic)
sslVersion = SSLv3
Modern clients (including Twilio's infrastructure) typically use TLS 1.2 or higher, while your server is configured for the outdated and insecure SSLv3.
Here's an improved configuration that should resolve the version mismatch:
; Basic stunnel configuration for modern TLS
[https]
accept = 8088
connect = 127.0.0.1:80
cert = /path/to/your/cert.pem
key = /path/to/your/key.pem
; Modern TLS settings
sslVersion = TLSv1.2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
ciphers = HIGH:!aNULL:!MD5
If the issue persists, consider these additional checks:
- Verify your certificate chain is complete and valid
- Check for intermediate certificate requirements
- Test with OpenSSL's s_client for debugging:
openssl s_client -connect yourserver:8088 -tls1_2 -debug
The transfer timeout you're experiencing might be related to keepalive settings. Add these to your stunnel.conf:
; Socket options: TCP_NODELAY disables Nagle's algorithm on the
; local (l:) and remote (r:) sides, SO_KEEPALIVE enables TCP keepalive
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
- Remove all SSLv3 references
- Specify modern TLS versions (1.2+)
- Set appropriate cipher suites
- Configure proper keepalive settings
- Ensure certificate chain is complete
After making these changes, restart stunnel and test with both your browser and Twilio's services. The connection should now establish properly without version negotiation errors.
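Both answers turn on the same two knobs, sslVersion and the NO_* options, and it is easy to end up with a service that still speaks SSLv3 because a global setting leaks through or a service-level override was forgotten. As an added example (not code from either answer, and not stunnel's own parser), the script below reads a stunnel.conf, applies a simplified model of those two keys (a service's sslVersion overrides the global one; NO_* options from both levels are subtracted) and reports the protocol versions left enabled per service. The three configurations are constructed in the block to mirror the SSLv3-only "before" setting the second answer describes, the TLS 1.2-only "after" setting both answers propose, and a mixed global/per-service layout; the set of versions treated as weak is the example's own assumption.

```python
"""Work out which protocol versions a stunnel.conf leaves enabled, per service.

Added example, not code from either answer above. It models only the
sslVersion key and options = NO_* lines (a simplification of stunnel, which
also inherits OpenSSL's own defaults). The three configs are constructed here
to mirror the 'before' and 'after' settings discussed in the answers.
"""

ALL_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
WEAK = {"SSLv2", "SSLv3", "TLSv1"}   # assumption: anything below TLS 1.1 counts as weak


def parse_stunnel_conf(text):
    """Return {section_name: {key: [values]}}; '' is the global section.
    Repeated keys such as options and socket keep every value, in order."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def enabled_versions(section, global_section):
    """Service sslVersion overrides the global one; NO_* options accumulate."""
    ssl_version = (section.get("sslVersion") or global_section.get("sslVersion") or ["all"])[-1]
    enabled = set(ALL_VERSIONS) if ssl_version == "all" else {ssl_version}
    for opt in global_section.get("options", []) + section.get("options", []):
        if opt.startswith("NO_"):
            enabled.discard(opt[3:])                 # NO_TLSv1.1 -> TLSv1.1
    return [v for v in ALL_VERSIONS if v in enabled]


def audit(text):
    """Per service: the versions left enabled and which of them are weak."""
    sections = parse_stunnel_conf(text)
    services = [name for name in sections if name != ""] or [""]
    report = {}
    for name in services:
        enabled = enabled_versions(sections[name], sections[""])
        report[name] = {"enabled": enabled, "weak": [v for v in enabled if v in WEAK]}
    return report


BEFORE_CONF = """
; constructed: the SSLv3-only configuration the second answer describes
[https]
accept = 8088
connect = 127.0.0.1:80
cert = cert.pem
sslVersion = SSLv3
"""

AFTER_CONF = """
; constructed: the TLS 1.2-only configuration both answers propose
[https]
accept = 8088
connect = 127.0.0.1:80
cert = cert.pem
sslVersion = TLSv1.2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
"""

MIXED_CONF = """
; constructed: global defaults with a per-service override
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
[https]
accept = 8088
connect = 127.0.0.1:80
[smtps]
accept = 465
connect = 127.0.0.1:25
sslVersion = TLSv1.2
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF), ("mixed", MIXED_CONF)):
        for service, result in audit(conf).items():
            print("%-6s [%s] enabled=%s weak=%s" % (label, service, result["enabled"], result["weak"]))
```

Run it against the real stunnel.conf after editing (`audit(open("stunnel.conf").read())`) and confirm every service lists only the versions you intend; then verify on the wire with the `openssl s_client -tls1_2` call above, since the script models the config and not what the linked OpenSSL build actually supports.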