2013/11/4 Simner, John john.simner@unify.com
Hi,
Having recently used stunnel on the phone as a server to encrypt the communication between an external client and a simple TCP server socket on the phone, one of the clients has raised the following:
Phone resets a TLS connection from client, when CBC protection is enabled on tomcat server.
The phone syslog shows: Oct 28 14:26:14 10 user.crit syslog: CommsChannelExtenderRx(28881): ./src/CommsChannelExtenderRx.cpp:186 Header section invalid
To prevent a SSL/TLS BEAST attack (CVE-2011-3389) Oracle Java (JSSE) has implemented a CBC protection which can be set with System Property jsse.enableCBCProtection. The default value is true.
What was done:
Start client and connect it with a phone. The TLS connection is established, but then the phone resets the connection, and client is not working.
When I set jsse.enableCBCProtection to false at the tomcat server, the phone accepts the connection and client is working.
To prevent man-in-the-middle attacks, the phone should be able to handle the fragmented TLS block when CBC protection is activated on the client tomcat server.
I have been unable to find the appropriate stunnel configuration item to support this.
Please could you inform me how this is handled through stunnel.
Thank you for your assistance and I look forward to your responses.
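The CBC protection the thread refers to is JSSE's 1/n-1 record split: the first byte of each application write goes out in its own TLS record and the rest in a second one, so the peer's application can receive the plaintext in two reads. The example below is added here and is not code from the thread, from stunnel or from JSSE; it models the split on a bare TLS record layer and contrasts a receiver that assumes one read equals one message (one plausible way a "Header section invalid" failure arises, an assumption on my part) with one that buffers across reads. The application framing (magic "CH" plus a 2-byte body length) and the "hello" message are constructed.

```python
import struct
APP_DATA, TLS10 = 23, (3, 1)  # TLS record type application_data; TLS 1.0, the version BEAST targets
MAGIC = b"CH"                 # constructed app framing: 2-byte magic + 2-byte body length, then body
def tls_records(plaintext: bytes, cbc_protection: bool) -> bytes:
    """Frame plaintext as TLS records; with CBC protection on, apply the 1/n-1 split."""
    parts = [plaintext[:1], plaintext[1:]] if cbc_protection and len(plaintext) > 1 else [plaintext]
    return b"".join(struct.pack("!BBBH", APP_DATA, *TLS10, len(p)) + p for p in parts)

def record_payloads(wire: bytes) -> list[bytes]:
    """Walk the record layer; each payload is one write the TLS endpoint hands to the application."""
    out, pos = [], 0
    while pos < len(wire):
        ctype, major, minor, length = struct.unpack_from("!BBBH", wire, pos)
        if ctype != APP_DATA or (major, minor) != TLS10 or length > 2 ** 14:
            raise ValueError("bad TLS record header")
        out.append(wire[pos + 5:pos + 5 + length])
        pos += 5 + length
    return out

def naive_receive(chunks: list[bytes]):
    """Treats every read as a whole message; returns None on the 1-byte chunk the split produces."""
    msgs = []
    for chunk in chunks:
        if len(chunk) < 4 or chunk[:2] != MAGIC:
            return None  # the point at which a receiver like this would report an invalid header
        msgs.append(chunk[4:4 + struct.unpack("!H", chunk[2:4])[0]])
    return msgs

class BufferingReceiver:
    """Accumulates bytes across reads; emits a message only once header and body are both present."""
    def __init__(self): self.buf = b""
    def feed(self, chunk: bytes) -> list[bytes]:
        self.buf += chunk
        msgs = []
        while len(self.buf) >= 4:
            if self.buf[:2] != MAGIC:
                raise ValueError("Header section invalid")
            body_len = struct.unpack("!H", self.buf[2:4])[0]
            if len(self.buf) < 4 + body_len:
                break  # wait for the rest of the body
            msgs.append(self.buf[4:4 + body_len])
            self.buf = self.buf[4 + body_len:]
        return msgs

def app_chunks(cbc_protection: bool) -> list[bytes]:
    # Constructed message, framed as TLS records, then unwrapped as the receiving side sees it
    return record_payloads(tls_records(MAGIC + struct.pack("!H", 5) + b"hello", cbc_protection))
def buffered_receive(cbc_protection: bool) -> list[bytes]:
    rx = BufferingReceiver()
    return [m for c in app_chunks(cbc_protection) for m in rx.feed(c)]
```

With the split enabled, `naive_receive` gives up on the 1-byte first chunk while `BufferingReceiver` reassembles the same message; a TCP receiver must tolerate arbitrary read boundaries whether or not TLS is in front of it.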
It is really unclear from your e-mail what is connecting to what. First you state that you use stunnel as a server on a phone and something connects to it. Then you describe a Tomcat server and something that looks like a bug report that a phone is unable to connect to this Tomcat server. It is really unclear what your configuration is, what is trying to connect to stunnel, and where a Tomcat server sits in this setup. Please provide an accurate and detailed description of your setup; maybe then someone will be able to help.