List,
How does one secure stunnel from man-in-the-middle attacks regarding SSL renegotiation? I have seen http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATIO... but I couldn't tell if stunnel is affected by it, nor what I could do, outside of installing a newer version of OpenSSL, to prevent it. Additionally, I did a scan on www.ssllabs.com and it stated that insecure renegotiation was supported, which isn't good. I am running 0.9.8k-7ubuntu8.4, the standard version that ships with Ubuntu 10.04, and stunnel 4.32.
What can I do to configure stunnel to protect myself? My current config is below.
Thanks. -Joe
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/file.crt
key = /etc/stunnel/file.key
foreground = yes
debug = 5
ciphers = DES-CBC3-SHA:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Service-level configuration

[https]
accept = 443
connect = localhost:80
TIMEOUTclose = 0
Name: Joseph A. Williams
Email: joe@joetify.com
Blog: http://www.joeandmotorboat.com/
Twitter: http://twitter.com/williamsjoe
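An added example, not part of the original post, of checking from the command line the two things the SSL Labs scan reports here, using openssl s_client: whether the server advertises RFC 5746 secure renegotiation (the "Secure Renegotiation IS supported" / "IS NOT supported" line, which s_client prints from OpenSSL 0.9.8m onward) and whether it accepts a client-initiated renegotiation (s_client's interactive 'R' command). The host and port are arguments; the transcripts at the bottom are constructed for offline testing and were not captured from the poster's server or any real host.

```sh
#!/bin/sh
# Added example: classify openssl s_client output for TLS renegotiation.
# Assumes an s_client from OpenSSL 0.9.8m or newer; both the status line and the
# 'R' renegotiation request are s_client features, not stunnel ones.

# Does the server advertise RFC 5746 secure renegotiation?
# $1 is a full s_client transcript; prints secure|insecure|unknown.
reneg_status() {
  case "$1" in
    *"Secure Renegotiation IS supported"*)     echo secure ;;
    *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
    *)                                         echo unknown ;;  # older s_client: no status line
  esac
}

# Did the server go along with a client-initiated renegotiation?
# s_client prints RENEGOTIATING when it sends the request; a server that refuses
# either sends a handshake_failure alert or drops the connection (write:errno=...).
# Prints accepted|refused|not-attempted.
reneg_accepted() {
  case "$1" in
    *RENEGOTIATING*"handshake failure"*|*RENEGOTIATING*"write:errno="*) echo refused ;;
    *RENEGOTIATING*) echo accepted ;;
    *) echo not-attempted ;;
  esac
}

# Live probe (needs network): $1 host, $2 port (default 443).
probe() {
  port=${2:-443}
  # -ign_eof keeps the session open after stdin is consumed; 'R' asks s_client to
  # renegotiate, the sleep gives the server time to answer, 'Q' closes the session.
  out=$( { printf 'R\n'; sleep 2; printf 'Q\n'; } | openssl s_client -connect "$1:$port" -ign_eof 2>&1 )
  echo "advertises secure renegotiation: $(reneg_status "$out")"
  echo "client-initiated renegotiation:  $(reneg_accepted "$out")"
}

# Constructed, abridged transcripts for offline checks (not from any real host).
SAMPLE_INSECURE='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---
RENEGOTIATING
depth=0 /CN=example
verify return:1
'
SAMPLE_SECURE='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
---
RENEGOTIATING
write:errno=104
'
SAMPLE_OLD='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
---
'

if [ "$#" -ge 1 ]; then
  probe "$@"
fi
```

Run it as `sh check_reneg.sh your.stunnel.host 443`. The "secure" result only says the server implements the RFC 5746 extension; what actually matters for the attack in question is that the server refuses legacy renegotiation from a client that does not send the extension, so the probe is only a meaningful test of that when run from an unpatched client, which is also why SSL Labs is the easier check. An s_client older than 0.9.8m prints no status line at all and the script reports `unknown` rather than guessing.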