2013/11/5 Simner, John john.simner@unify.com:
Dear Janusz, Thank you for your email and the information. I forwarded it to the person raising the problem and I received the following response...
On the tomcat PC the latest Java version is running, 1.7.0.45. The link below mentioned 1.6.0.26 and 29 as broken, and fixed in 1.6.0.30.
The simple setup is...
PC (running Web Browser) -> PC connects to tomcat server using TCP and starts jHPT (the Java based client) on tomcat. In this simple setup I'm using TCP, not TLS, between PC and tomcat. -> jHPT (tomcat) connects to phone using TLS -> stunnel on phone (in server mode) accepts the TLS connection (tomcat is the client for this TLS connection).
If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=false, the connection between tomcat and phone (stunnel) is stable.
If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=true, the phone (stunnel) resets the connection.
I hope this clarifies what is happening between the client and stunnel on the phone. Within the phone, stunnel connects to the TCP server which then sets up a new connection back to stunnel/client.
So, is there a problem in stunnel, or do I need to investigate what is being received between stunnel and the TCP server/TCP connection on the phone?
Once again, thank you for your assistance and I look forward to your response.
I am sorry, but I will not provide support for your company customers. If you are just going to forward my replies to your customers and theirs to me this will not work and I am not going to provide any more help.
I have explained to you what this JSSE option does. stunnel uses OpenSSL for its SSL implementation, and there are no special options to support 0/n or 1/n-1 record splitting (the CBC protection); it will happily accept both.
I really have no idea where the problem is, since your description is again vague. Please debug your own application yourself and establish whether the problem is between the Java client and stunnel or between stunnel and the Tomcat server. I am unable to do this; you must do this yourself. Capturing network traffic with a packet sniffer is usually a very good tool for debugging such problems.
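To follow the debugging advice above, one thing worth checking in a capture is whether the Java side is actually emitting 1/n-1 split records and where in the chain the reset happens. The following is an added example, not code from the thread or from stunnel: it walks a raw TLS record stream (as dumped from a capture) and flags application-data records that look like the one-byte half of a 1/n-1 split. The 32-byte threshold is an assumption for AES-CBC with SHA-1 under TLS 1.0 (1 byte plus 20-byte MAC, padded to a 16-byte block, no explicit IV); the sample streams are constructed.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes)
APPLICATION_DATA = 23
HEADER_LEN = 5
# Heuristic threshold (assumption): a TLS 1.0 AES-CBC/SHA-1 record carrying one
# plaintext byte is 1 + 20 MAC, padded to 32 bytes. Other suites differ.
SMALL_RECORD_MAX = 32


def parse_records(stream):
    """Split a raw TLS byte stream into (content_type, version, length) tuples.
    Raises ValueError on truncation so a capture cut mid-record is noticed."""
    records = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + HEADER_LEN])
        offset += HEADER_LEN
        if len(stream) - offset < length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((ctype, version, length))
        offset += length
    return records


def find_split_records(records):
    """Return indices of application-data records that look like the 1-byte half of a
    1/n-1 split: a small record immediately followed by another application-data record."""
    hits = []
    for i in range(len(records) - 1):
        ctype, _, length = records[i]
        next_ctype = records[i + 1][0]
        if ctype == APPLICATION_DATA and next_ctype == APPLICATION_DATA and length <= SMALL_RECORD_MAX:
            hits.append(i)
    return hits


def record(ctype, length, version=0x0301):
    """Build a record header plus an opaque body of the given length (constructed sample)."""
    return struct.pack("!BHH", ctype, version, length) + b"\x00" * length


# Constructed samples: with CBC protection each write becomes a 32-byte record plus the
# remainder; without it the same write is a single record. Both end with an alert record.
SPLIT_STREAM = record(APPLICATION_DATA, 32) + record(APPLICATION_DATA, 208) + record(21, 32)
PLAIN_STREAM = record(APPLICATION_DATA, 240) + record(21, 32)

if __name__ == "__main__":
    for name, stream in (("split", SPLIT_STREAM), ("unsplit", PLAIN_STREAM)):
        recs = parse_records(stream)
        print(name, [(c, n) for c, _, n in recs], "split records at", find_split_records(recs))
```

If the split records appear in the tomcat-to-phone capture and the reset follows immediately, the peer's record handling is the place to look; if they are absent, the JSSE option is not what changed on the wire.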