Hi Michal,
Thanks for following this up.
I'm using the latest build of STunnel v4.53 as shown below (I check the site once a week just to make sure too)
# stunnel -version
stunnel 4.53 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6

Global options:
debug                  = daemon.notice
pid                    = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes               = 64
RNDfile                = /dev/urandom
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH (with "fips = no")
session                = 300 seconds
sslVersion             = TLSv1 (with "fips = yes")
sslVersion             = TLSv1 for client, all for server (with "fips = no")
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none
I've also included a copy of my stunnel.cfg file below:

# more /etc/stunnel/stunnel.cfg
# STunnel configuration file generated by loadbalancer.org appliance
setgid = nobody
pid = /stunnel.pid
debug = 0

[S1]
accept = 192.168.82.182:443
connect = 192.168.82.181:81
cert = /etc/loadbalancer.org/certs/S1.pem
ciphers = RC4:HIGH:!MD5:!aNULL
options = NO_SSLv2
protocol = proxy
I'm looking to include the STunnel product within our Loadbalancer Appliance in our next upcoming release, but with everyone now using the SSL checker that I mentioned in one of my last e-mails, more customers are becoming concerned about MITM attacks etc., so I would really like to get this solved before I move forward with the project.
Oh, I guess I should also mention that this is running on a CentOS 6.2 box.
~Yours, Scott
Scott McKeown wrote:
> # stunnel -version
> stunnel 4.53 on x86_64-unknown-linux-gnu platform
> Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
> Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6

This version looks a bit strange, as the FIPS module for OpenSSL 1.x.x hasn't been released yet.
http://www.openssl.org/docs/fips/fipsvalidation.html
AFAIK the testing snapshots of FIPS 2.0 are clearly marked as such.

I tested:
options = CIPHER_SERVER_PREFERENCE
in my lab and it works just fine for me.

You may try to recompile stunnel with a fresh build of OpenSSL.
> ciphers = RC4:HIGH:!MD5:!aNULL

RC4 is disabled in FIPS mode. You should disable it with:
FIPS = no
as a part of BEAST protection, or just use OpenSSL without FIPS support.

> I'm looking to include the STunnel product within our Loadbalancer Appliance in our next upcoming release, but with everyone now using the SSL checker that I mentioned in one of my last e-mails, more customers are becoming concerned about MITM attacks etc., so I would really like to get this solved before I move forward with the project.

<ad>
As a vendor of a commercial product based on stunnel, you might consider using our commercial support for stunnel.
http://eu.loadbalancer.org/support.php
http://www.stunnel.org/?page=contact
Although the commercial support can hardly beat the quality/price ratio of stunnel-users, your business may still benefit from priority access to our resources.
</ad>
Mike
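A stunnel.cfg that combines the two changes Mike proposes (leave FIPS mode so the RC4 list takes effect, and add CIPHER_SERVER_PREFERENCE), as an added example that is not part of this thread or of the appliance-generated file. It reuses the addresses and paths from Scott's posted configuration and assumes a stunnel build compiled with FIPS support, since only such a build accepts the `fips` option.

```ini
; /etc/stunnel/stunnel.cfg
; Added example, not the loadbalancer.org-generated file or code from the
; thread. Addresses and paths are the ones Scott posted; the fips line is
; only accepted by a stunnel build compiled with FIPS support.
setgid = nobody
pid = /stunnel.pid
debug = 0

; Weak setting: this build defaults to fips = yes, and RC4 is not available
; in FIPS mode, so the RC4-first cipher list in [S1] cannot take effect.
; fips = yes

; Corrected: leave FIPS mode so the RC4:HIGH list is honoured (Mike's
; suggested BEAST mitigation).
fips = no

[S1]
accept = 192.168.82.182:443
connect = 192.168.82.181:81
cert = /etc/loadbalancer.org/certs/S1.pem
ciphers = RC4:HIGH:!MD5:!aNULL
options = NO_SSLv2
; Corrected: negotiate ciphers in the server's order (RC4 first) rather than
; the client's; Mike reports this option working in his lab.
options = CIPHER_SERVER_PREFERENCE
protocol = proxy
```

Each `options =` line is applied cumulatively, so NO_SSLv2 from the original file is kept alongside the new entry.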