[stunnel-users] BEAST Attack
Michal Trojnara
Michal.Trojnara at mirt.net
Wed May 30 18:06:36 CEST 2012
Scott McKeown wrote:
> # stunnel -version
> stunnel 4.53 on x86_64-unknown-linux-gnu platform
> Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
> Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6

This version looks a bit strange, as the FIPS module for OpenSSL 1.x.x
hasn't been released yet.
http://www.openssl.org/docs/fips/fipsvalidation.html
AFAIK the testing snapshots of FIPS 2.0 are clearly marked as such.

I tested:
options = CIPHER_SERVER_PREFERENCE
in my lab and it works just fine for me.
You may try to recompile stunnel with a fresh build of OpenSSL.

> ciphers = RC4:HIGH:!MD5:!aNULL

RC4 is disabled in FIPS mode. You should disable it with:
FIPS = no
as a part of BEAST protection, or just use OpenSSL without FIPS
support.

> I'm looking to include the STunnel Product within our Loadbalancer
> Appliance in our next upcoming release but with everyone now using the
> SSL checker that I mentioned in one of my last e-Mails more customers
> are becoming concerned about MITM Attacks etc. so I would really like
> to get this solved before I move forward with the project.

<ad>
As a vendor of a commercial product based on stunnel, you might
consider using our commercial support for stunnel.
http://eu.loadbalancer.org/support.php
http://www.stunnel.org/?page=contact
Although the commercial support can hardly beat the quality/price ratio
of stunnel-users, your business may still benefit from priority access
to our resources.
</ad>

Mike
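
Added example, not part of the original message and not stunnel's own code: a small Python lint for the two conditions raised in the reply above, a service without `options = CIPHER_SERVER_PREFERENCE` and an RC4 cipher string on a build that is still in FIPS mode. The sample configurations and the `fips_build` parameter are constructed; the check assumes a FIPS-capable binary stays in FIPS mode unless the global section sets `fips = no`.

```python
import re

# Constructed sample: the quoted cipher line, without the two settings from the reply.
BEFORE = """\
[https]
accept = 443
connect = 80
ciphers = RC4:HIGH:!MD5:!aNULL
"""

# Constructed sample: same service with both settings from the reply applied.
AFTER = """\
fips = no
[https]
accept = 443
connect = 80
ciphers = RC4:HIGH:!MD5:!aNULL
options = CIPHER_SERVER_PREFERENCE
"""

def parse_conf(text):
    """Return {section: [(lowercased key, value), ...]}; '' holds global options."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def check(text, fips_build=True):
    """Return (service, finding) pairs; fips_build=True assumes FIPS mode unless 'fips = no'."""
    sections = parse_conf(text)
    glob = sections.pop("")
    fips_on = fips_build and dict(glob).get("fips", "yes").lower() != "no"
    findings = []
    for name, opts in sections.items():
        merged = glob + opts  # global options act as defaults for each service
        flags = {v.upper() for k, v in merged if k == "options"}
        ciphers = [v for k, v in merged if k == "ciphers"]
        tokens = ciphers[-1].upper().split(":") if ciphers else []
        if "CIPHER_SERVER_PREFERENCE" not in flags:
            findings.append((name, "server cipher order not enforced"))
        if fips_on and any(t.startswith("RC4") for t in tokens):
            findings.append((name, "RC4 requested but FIPS mode disables it"))
    return findings
```

`check(BEFORE)` reports both findings for the `https` service and `check(AFTER)` reports none.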