Hi all,
Long time lurker, but first time poster on the Stunnel mailing list. I'm currently entering into a business partnership with a prominent media group, and as such they've got some strict guidelines by which their partners should abide by when it comes to Security/Encryption, both for brand protection, and making sure that both sides are sufficiently covered (at least from a general scan point of view).
Basically the big thing that is coming up in my testing now (predominantly using the Qualysis tool at www.ssllabs.com) is that I'm vulnerable to the BEAST attack, CBC-Mode vulnerabilities and a potential issue of DoS attack due to server accepting Client Side Re-negotiation.
I've spent days now trawling the web looking for a solution, but haven't really found anything of use yet, short of disabling CBC Ciphers completely (e.g 'cipher = RC4-SHA:RC4-MD5:!SSLv2:!ADH:!EDH:!EXP:!aNULL:!eNULL:!NULL' or similar), but I fear this me be too restrictive when it comes to client support.
I guess my question is, are there other stunnel users who've been in the same situation, and is there a recommended cipher/options list when using Stunnel for HTTPS?
Thanks in advance
Shannon