[stunnel-users] BEAST Attack
Scott McKeown
scott at loadbalancer.org
Fri May 25 16:46:47 CEST 2012
Hi Shannon,
After flicking through the OpenSSL documents I'm guessing that from the
SSL_CTX_set_options page
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html we need to use *
SSL_OP_CIPHER_SERVER_PREFERENCE* but if you put that into your config file
as:
options = CIPHER_SERVER_PREFERENCE
STunnel throws an error about the config file, so at the moment I'm a
little stuck.
~Scott
On 25 May 2012 15:26, Shannon Carver <shannon.carver at gmail.com> wrote:
> Hi Scott,
>
> Yes, that's the cipher I'm using which seems to cover everything from a
> secure ciphers point of view. Any idea how to disable client
> renegotiations within Stunnel?
>
> Shannon
>
>
> On 25 May 2012 14:39, Scott McKeown <scott at loadbalancer.org> wrote:
>
>> Hi Shannon,
>>
>> From what I understand so far a minimum Cipher list of
>> 'RC4:HIGH:!MD5:!aNULL' along with stopping the Client Renegotiating the
>> ciphers seems to resolve the problem.
>>
>> In Pound the patch allows for two new options to be set:
>> SSLHonorCipherOrder & SSLAllowClientRenegotiation
>>
>> I've looked in the OpenSSL documentation but I don't seem to be able to
>> find anything that has the same functionality although I'm no expert so I
>> may have just over looked it.
>>
>>
>> ~Scott
>>
>>
>>
>> On 25 May 2012 14:30, Shannon Carver <shannon.carver at gmail.com> wrote:
>>
>>> I posted a similar question a few months back, but didnt' get a reply.
>>> Would love some more info on this!
>>>
>>> Shannon
>>>
>>> On 25 May 2012 11:50, Scott McKeown <scott at loadbalancer.org> wrote:
>>>
>>>> Hi All,
>>>>
>>>> Has anyone looked at the current issue with the BEAST Attack.
>>>>
>>>> I'm looking at https://www.ssllabs.com/ssltest/index.html which can be
>>>> used for testing SSL Certificates I also use Pound Proxy which I have now
>>>> patched and this has removed the threat.
>>>>
>>>> However, I don't seem to be able to get the same result from a STunnel
>>>> installation. If anyone can give some advice that would be great.
>>>>
>>>>
>>>> ~Yours,
>>>> Scott
>>>>
>>>> _______________________________________________
>>>> stunnel-users mailing list
>>>> stunnel-users at stunnel.org
>>>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20120525/55cd66e3/attachment.html>
More information about the stunnel-users
mailing list