Dear Janusz,

Thank you for your email and the information. I forwarded it to the person raising the problem and I received the following response...
- On the tomcat PC there is the latest java version running, 1.7.0.45. The link below mentioned 1.6.0.26 and 29 as broken, and fixed with 1.6.0.30.
- The simple setup is...
PC (running Web Browser)
  -> PC connects to tomcat server using TCP and starts jHPT (the Java based client) on tomcat. In this simple setup I'm using TCP, not TLS, between PC and tomcat.
  -> jHPT (tomcat) connects to phone using TLS
  -> stunnel on phone (in server mode) accepts the TLS connection (tomcat is the client for this TLS connection).
If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=false, the connection between tomcat and phone (stunnel) is stable.
If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=true, the phone (stunnel) resets the connection.
I hope this clarifies what is happening between the client and stunnel on the phone. Within the phone, stunnel connects to the TCP server which then sets up a new connection back to stunnel/client.
So, is there a problem in stunnel, or do I need to investigate what is being received between stunnel and the TCP server/TCP connection on the phone?
Once again, thank you for your assistance and I look forward to your response.
Thanks,
John
-----Original Message-----
From: Janusz Dziemidowicz [mailto:rraptorr@nails.eu.org]
Sent: 05 November 2013 10:59
To: Simner, John
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] stunnel server configuration requirement to handle CBC protection
2013/11/5 Simner, John john.simner@unify.com:
Dear Janusz,

Apologies for unclear information in my previous posting.
The setup is...
Phone Stunnel Client TCP server <----- TLS Server <----- Java based Client (HTTPS protocol) (Simple socket) Sets up new TCP connection -----> TLS Server -----> with tomcat server.
I have also requested more information from the developers of the Java based Client. I had simply pasted the information from their fault report.
Apologies for any confusion. Look forward to your response.
Just to be sure: Java HTTPS client connects to stunnel (working in server mode; it decrypts traffic) which connects to a pure TCP server which connects to another instance of stunnel (in client mode; it encrypts traffic) which connects to Tomcat server using HTTPS, right?
Unfortunately in this setup jsse.enableCBCProtection is completely meaningless on Tomcat server. jsse.enableCBCProtection is a client side setting, which means that it only affects Java HTTPS clients, not Java HTTPS servers. So it should make no difference at all on Tomcat. From your description the problem is between stunnel in client mode and Tomcat server, so this setting is not the cause of problems. On the other hand jsse.enableCBCProtection is known to be broken in certain Java versions: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725
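For readers following the thread, the two-hop topology Janusz restates above (TLS client -> stunnel in server mode -> plain TCP server -> stunnel in client mode -> Tomcat over HTTPS) maps onto two stunnel service sections. The configuration below is an added illustration written for this summary, not a file posted by John, Janusz or the stunnel project; the section names, ports, hostnames and certificate paths are assumptions chosen for the example.

```ini
; Added example (not from the thread): stunnel.conf on the phone.
; Global options apply to both services below.
cert   = /etc/stunnel/phone.pem      ; assumed: certificate presented to the Java TLS client
key    = /etc/stunnel/phone.key      ; assumed: matching private key
debug  = 7                           ; verbose logging helps locate where a reset originates
output = /var/log/stunnel.log        ; assumed log path

; Hop 1: server mode (the default). The Java TLS client (jHPT running in the
; Tomcat JVM in John's later description) connects here; stunnel decrypts and
; hands plaintext to the local TCP server.
[jhpt-in]
accept  = 0.0.0.0:4443               ; assumed listening port for the TLS client
connect = 127.0.0.1:5000             ; assumed port of the plain TCP server on the phone

; Hop 2: client mode. The TCP server opens its new plain connection to this
; local port; stunnel encrypts it and forwards to Tomcat's HTTPS connector.
[tomcat-out]
client  = yes
accept  = 127.0.0.1:5001             ; assumed: where the TCP server connects back
connect = tomcat.example.org:8443    ; assumed Tomcat HTTPS connector
verify  = 2                          ; verify Tomcat's certificate against CAfile
CAfile  = /etc/stunnel/ca.pem        ; assumed CA bundle that signed Tomcat's certificate
```

Two points follow from this layout. First, jsse.enableCBCProtection is read only by the Java side acting as TLS client (it controls the 1/n-1 CBC record splitting added as the BEAST mitigation); no stunnel option here consumes it, so the only place it can matter is the JVM whose code opens the TLS connection to hop 1. Second, when toggling the property changes whether hop 1 resets, the useful next step is to compare the stunnel log at debug level 7 for the two runs and to check which TLS version and cipher suite were negotiated, since the symptom points at how the TLS stack on the phone handles the split first record rather than at the plain TCP leg.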