<div dir="ltr"><div><div><div><div><div><div><div>Hi Guys,<br></div>To me this looks like a cipher issue.<br></div>There are a few options that you can try to resolve this if it is.<br><br></div>I would try adding the following lines into your STunnel Configuration file:<br><br><pre><code class="gmail-bash gmail-hljs">delay = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS</code></pre><br></div>Delay will delay and DNS lookups that maybe actioned by the request (not normally needed but I always include if for sanity sake)<br></div>The three 'options' sections turn off all the known problematic cipher lists if you need a key that is in one of these block feel free to remove that directive but I think a good start would be to leave the 'NO_SSLv3' option in place<br></div>The 'CIPHER_SERVER_PREFERENCE' option will make set whether the client is allowed to renegotiat the ciphers that are to be used between the client and the server process.<br></div>And finally 'DONT_INSERT_EMPTY_FRAGMENTS' will mitigate an issue in the CBC ciphers that was in the SSLv3 and TLS1.0 cipher lists again I only include it for sanity sake now but its better to have than to go without.<br><br><div><div><div><div><div><div><div><div><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">With Kind Regards.<br><br>Scott McKeown<br>Loadbalancer.org<br><a target="_blank" href="http://www.loadbalancer.org">http://www.loadbalancer.org</a><br><div>Tel (UK) - +44 (<span style="font-family:arial;font-size:small">0) 3303801064 (24x7)</span></div><div><span style="font-family:arial;font-size:small">Tel (US) - +1 888.867.9504 (Toll Free)(24x7)</span></div></div></div>
</div></div></div></div></div></div></div></div></div>