SSL compression in 5.27

Hi,

while testing the upgrade from stunnel 5.26 to stunnel 5.27 on Solaris, one of the tools I use reported that SSL compression was now supported/possible on connections to an stunnel 5.27 instance; this was not the case with 5.26 or earlier. Unfortunately, it is not possible to demonstrate this using openssl as client. I found this using TestSSLServer, which is java-based and available from http://www.bolet.org/TestSSLServer/.

With 5.26:

| $ java -jar TestSSLServer.jar $server 443
| Supported versions: TLSv1.2
| Deflate compression: no
| Supported cipher suites (ORDER IS NOT SIGNIFICANT):
|   TLSv1.2
|     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| ----------------------
| Server certificate(s):
|   4c57045b3f8f9cdd6f487e59a5b008ccb9d38693: CN=***, OU=***, O=***, C=***
| ----------------------
| Minimal encryption strength: strong encryption (96-bit or more)
| Achievable encryption strength: strong encryption (96-bit or more)
| BEAST status: protected
| CRIME status: protected

Note: "Deflate compression: no", "CRIME status: protected"

With 5.27:

| $ java -jar /prod/certmon2/bin/TestSSLServer.jar $server 443
| Supported versions: TLSv1.2
| Deflate compression: YES
| Supported cipher suites (ORDER IS NOT SIGNIFICANT):
|   TLSv1.2
|     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| ----------------------
| Server certificate(s):
|   4c57045b3f8f9cdd6f487e59a5b008ccb9d38693: CN=***, OU=***, O=***, C=***
| ----------------------
| Minimal encryption strength: strong encryption (96-bit or more)
| Achievable encryption strength: strong encryption (96-bit or more)
| BEAST status: protected
| CRIME status: vulnerable

With 5.27, I get "Deflate compression: YES" and "CRIME status: vulnerable".

Server OS: Solaris 10/SPARC or Solaris 11/SPARC (others not tested)
OpenSSL: 1.0.1p or 1.0.1q (others not tested)
Client: TestSSLServer

Both stunnel and OpenSSL are self-compiled using Solaris Studio 12.4.

The stunnel.conf in question:

sslVersion = TLSv1.2
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
cert = test1.crt
key = test1.key
verify = 2

[test]
client = no
accept = A.B.C.D:443
connect = 127.0.0.1:8080

The scanner from SSL Labs should be able to check this as well, but I do not have the necessary modern Python available. I will check if I can reproduce the problem on something a little more mainstream than Solaris 10/11 over the weekend.
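What the "Deflate compression: YES" line above actually reflects is the compression method the server selects in its ServerHello: 0 is null, 1 is DEFLATE, and anything other than null is what scanners report as CRIME-exposed. The following parser is an added example, not code from this thread, from stunnel or from TestSSLServer; the ServerHello bytes it checks are constructed inline (TLSv1.2, cipher 0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, empty session id, no extensions), so it runs offline.

```python
"""Report the compression method a TLS server negotiated, from its ServerHello."""
import struct

# Compression method ids: RFC 5246 section 7.4.1.3 (null), RFC 3749 (DEFLATE)
NULL_COMPRESSION = 0
DEFLATE_COMPRESSION = 1
COMPRESSION_NAMES = {NULL_COMPRESSION: "null", DEFLATE_COMPRESSION: "DEFLATE"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version, cipher, compression."""
    # Record header: content_type(1) version(2) length(2); content_type 22 = handshake
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 2:  # handshake type 2 = ServerHello
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32                      # skip server_random
    pos += 1 + hs[pos]                # skip length-prefixed session_id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    compression = hs[pos + 2]         # the single selected compression method
    return {
        "version": version,
        "cipher_suite": cipher,
        "compression": COMPRESSION_NAMES.get(compression, hex(compression)),
        "compression_enabled": compression != NULL_COMPRESSION,
    }


def build_server_hello(compression: int, cipher: int = 0xC02F) -> bytes:
    """Constructed sample ServerHello (TLSv1.2, zero random, no session id, no extensions)."""
    body = struct.pack("!H", 0x0303) + b"\x00" * 32 + b"\x00" + struct.pack("!HB", cipher, compression)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for method in (NULL_COMPRESSION, DEFLATE_COMPRESSION):
        result = parse_server_hello(build_server_hello(method))
        print(f"compression={result['compression']:7} CRIME-exposed={result['compression_enabled']}")
```

A server answering with compression method 1 here is the condition the 5.27 scan reports; a fixed build should always answer with 0 regardless of what the client offers.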

On 04.12.2015 14:51, Udo Erdelhoff wrote:
> while testing the upgrade from stunnel 5.26 to stunnel 5.27 on Solaris, one of the tools I use reported that SSL compression was now supported/possible on connections to an stunnel 5.27 instance; this was not the case with 5.26 or earlier.

I could not reproduce this problem. Could you please send me the debug logs ("debug = 7") from your stunnel: both the logs generated when stunnel starts, and the logs generated during the tests.

Best regards,
Mike
participants (2)
- Michal Trojnara
- Udo Erdelhoff