[stunnel-users] stunnel, haproxy and ssl cert
Michal Trojnara
Michal.Trojnara at mirt.net
Thu Feb 10 10:24:53 CET 2011
Amol wrote:
> What should be the ideal value for TIMEOUTclose ?
The default should be fine for security.
Microsoft decided to refuse to comply with the SSL specification and ignore
the close-notify SSL protocol alert by default:
http://msdn.microsoft.com/en-us/library/aa364671%28v=vs.85%29.aspx
http://www.mail-archive.com/[email protected]/msg02474.html
You may use lower values (e.g. 0) to deal with broken Microsoft
implementations of SSL. The error reported by stunnel means that you might
be affected by an SSL truncation attack. Microsoft decided to accept this
vulnerability. You may do it as well or drop support for their broken
version of SSL.
Mike
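
Added example, not part of the original message and not the stunnel project's own configuration: a stunnel.conf sketch that confines the TIMEOUTclose = 0 workaround discussed above to one listener, so that all other clients keep the default close_notify wait. The service names, ports, backend address and certificate path are constructed placeholders.

```ini
; Constructed example: two stunnel services in front of the same backend.
; Paths, ports and addresses below are placeholders, not values from the thread.

; Default listener: TIMEOUTclose is left unset, so stunnel waits for the
; peer's close_notify alert and logs an error when the connection ends
; without one. That error is the signal of a possible truncation.
[https]
accept = 443
connect = 127.0.0.1:8080
cert = /etc/stunnel/PLACEHOLDER.pem

; Separate listener for clients whose SSL stack never sends close_notify.
; TIMEOUTclose = 0 stops stunnel from waiting for the alert, which also
; means a truncated connection is no longer distinguishable from a clean
; shutdown on this listener. Only traffic that tolerates that risk
; should be routed here.
[https-legacy]
accept = 8443
connect = 127.0.0.1:8080
cert = /etc/stunnel/PLACEHOLDER.pem
TIMEOUTclose = 0
```

Because TIMEOUTclose is set per service, the accepted risk stays limited to the listener that needs it instead of applying to every connection.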