<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div><div>List,</div><div><br></div><div>How does one secure stunnel from man in the middle attacks regarding ssl renegotiation. I have seen <a href="http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION">http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION</a> but I couldn't tell if stunnel is affected by it, nor what I could do outside of installing a newer version of openssl to prevent it. Additionally I did a scan on <a href="http://www.ssllabs.com">www.ssllabs.com</a> and it stated that insecure renegotiation was supported, which isn't good. I am running 0.9.8k-7ubuntu8.4, the standard version that ships with ubuntu 10.04, and stunnel 4.32.</div><div><br></div><div>What can I do to configure stunnel to protect myself? My current config is below.</div><div><br></div><div>Thanks.</div><div>-Joe</div><div><br></div><div><br></div><div><br></div><div><br></div><div><div>; Certificate/key is needed in server mode and optional in client mode</div><div>cert = /etc/stunnel/file.crt</div><div>key = /etc/stunnel/file.key</div><div>foreground = yes</div><div>debug = 5</div><div>ciphers = DES-CBC3-SHA:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5</div><div><br></div><div>; Protocol version (all, SSLv2, SSLv3, TLSv1)</div><div>sslVersion = all</div><div>options = NO_SSLv2</div><div><br></div><div>; Some security enhancements for UNIX systems - comment them out on Win32</div><div>chroot = /var/lib/stunnel4/</div><div>setuid = stunnel4</div><div>setgid = stunnel4</div><div>; PID is created inside chroot jail</div><div>pid = /stunnel4.pid</div><div><br></div><div>; Some performance tunings</div><div>socket = l:TCP_NODELAY=1</div><div>socket = r:TCP_NODELAY=1</div><div><br></div><div>; Service-level configuration</div><div><br></div><div>[https]</div><div>accept = 443</div><div>connect = localhost:80</div><div>TIMEOUTclose = 0</div></div><div><br></div><div><br></div><div><br></div><div><br></div><br><div>
<div><div>Name: Joseph A. Williams</div><div>Email: <a href="mailto:joe@joetify.com">joe@joetify.com</a></div><div>Blog: <a href="http://www.joeandmotorboat.com/">http://www.joeandmotorboat.com/</a></div><div>Twitter: <a href="http://twitter.com/williamsjoe">http://twitter.com/williamsjoe</a></div></div></div><div><br></div></body></html>