2013/11/5 Simner, John john.simner@unify.com:
Dear Janusz, Apologies for unclear information in my previous posting.
The setup is...
Phone Stunnel Client
TCP server <----- TLS Server <----- Java based Client
(HTTPS protocol) (Simple socket)
Sets up new TCP connection -----> TLS Server -----> with tomcat server.
I have also requested more information from the developers of the Java based Client. I had simply pasted the information from their fault report.
Apologies for any confusion. Look forward to your response.
Just to be sure: Java HTTPS client connects to stunnel (working in server mode; it decrypts traffic) which connects to a pure TCP server which connects to another instance of stunnel (in client mode; it encrypts traffic) which connects to Tomcat server using HTTPS, right?
Unfortunately, in this setup jsse.enableCBCProtection is completely meaningless on Tomcat server. jsse.enableCBCProtection is a client-side setting, which means that it only affects Java HTTPS clients, not Java HTTPS servers. So it should make no difference at all on Tomcat.
From your description the problem is between stunnel in client mode and Tomcat server, so this setting is not the cause of problems. On the other hand, jsse.enableCBCProtection is known to be broken in certain Java versions: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725