Hi All,
Has anyone looked at the current issue with the BEAST attack?
I'm looking at https://www.ssllabs.com/ssltest/index.html, which can be used for testing SSL certificates. I also use Pound proxy, which I have now patched, and this has removed the threat.
However, I don't seem to be able to get the same result from a stunnel installation. If anyone can give some advice that would be great.
~Yours, Scott
I posted a similar question a few months back, but didn't get a reply. Would love some more info on this!
Shannon
stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Hi Shannon,
From what I understand so far, a minimum cipher list of 'RC4:HIGH:!MD5:!aNULL', along with stopping the client renegotiating the ciphers, seems to resolve the problem.
In Pound the patch allows for two new options to be set: SSLHonorCipherOrder and SSLAllowClientRenegotiation.
I've looked in the OpenSSL documentation but I don't seem to be able to find anything that has the same functionality, although I'm no expert so I may have just overlooked it.
~Scott
Hi Scott,
Yes, that's the cipher I'm using, which seems to cover everything from a secure-ciphers point of view. Any idea how to disable client renegotiation within stunnel?
Shannon
Hi Shannon,
After flicking through the OpenSSL documents I'm guessing that, from the SSL_CTX_set_options page (http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html), we need to use SSL_OP_CIPHER_SERVER_PREFERENCE, but if you put that into your config file as:
options = CIPHER_SERVER_PREFERENCE
stunnel throws an error about the config file, so at the moment I'm a little stuck.
~Scott
I guess you either use an old stunnel, or an old version of OpenSSL. What is the output of "stunnel -version" on your machine?
Mike
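For reference, here is a complete stunnel service section that puts the thread's three settings side by side. This is an added example, not a configuration posted by anyone in the thread and not from the stunnel project: it uses the 'RC4:HIGH:!MD5:!aNULL' list Scott and Shannon are running, the options = CIPHER_SERVER_PREFERENCE line Scott tried (which, per Mike's reply, needs a stunnel and OpenSSL recent enough to recognise that option name), and renegotiation = no, which is assumed here to be stunnel's own switch for refusing renegotiation; nobody in the thread confirms that option, so check it, along with the paths and port numbers below, against "stunnel -version" and the manual for your release.

```ini
; Added example stunnel.conf - not from the thread or the stunnel project.
; All paths, ports and the renegotiation option are assumptions to verify.

; Global section
cert   = /etc/stunnel/stunnel.pem      ; assumed path
key    = /etc/stunnel/stunnel.pem      ; assumed path
setuid = nobody
setgid = nogroup
pid    = /var/run/stunnel.pid

[https]
accept  = 443
connect = 127.0.0.1:80                 ; assumed backend

; Weak state (the defaults this section replaces): no "ciphers" line, so a
; CBC suite can be chosen; no "options" line, so the client's order wins;
; renegotiation left at its default.

; 1. Cipher list from the thread: RC4 first so a stream cipher is selected
;    ahead of the CBC suites that BEAST targets.
ciphers = RC4:HIGH:!MD5:!aNULL

; 2. Make the server's preference order win over the client's. This is the
;    SSL_OP_CIPHER_SERVER_PREFERENCE flag with the SSL_OP_ prefix dropped; a
;    config-file error on this line points at an old stunnel or OpenSSL.
options = CIPHER_SERVER_PREFERENCE

; 3. Refuse client-initiated renegotiation (Shannon's question). Assumed to be
;    the stunnel option name; confirm it exists in your version's manual.
renegotiation = no
```

Note that the "ciphers" line on its own does not force RC4: a client that lists a CBC suite first still gets it unless CIPHER_SERVER_PREFERENCE is accepted and in effect, which is why Scott's config-file error matters and why Mike asks for the version.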