[stunnel-users] stunnel server configuration requirement to handle CBC protection

Michal Trojnara Michal.Trojnara at mirt.net
Wed Nov 13 19:49:25 CET 2013


On 2013-11-04 18:12, Simner, John wrote:
> To prevent man-in-the-middle attacks, the phone should be able to
> handle the fragmented TLS block when CBC protection is activated on
> the client tomcat server.
>
> I have been unable to find the appropriate stunnel configuration item
> to support this.
>
> Please could you inform me how this is handled through stunnel.
>

There is no option to *enable* CBC protection, as this is the default.

Use "options = DONT_INSERT_EMPTY_FRAGMENTS" to disable this secure default.

Mike
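
The following is an added example, not part of the original message and not stunnel code: a small audit that scans a stunnel configuration for services that turn off the default CBC protection with the option named in the reply. The function name and the sample configuration are constructed for illustration; "ALL" is also flagged on the assumption that OpenSSL's SSL_OP_ALL workaround mask includes the same flag.

```python
import re

# Option values that switch off the empty-fragment CBC countermeasure.
# DONT_INSERT_EMPTY_FRAGMENTS is the option named in the reply above;
# ALL is included on the assumption that SSL_OP_ALL contains that flag.
RISKY = {"DONT_INSERT_EMPTY_FRAGMENTS", "ALL"}

# Constructed sample configuration (not from the original post).
SAMPLE_CONF = """\
; constructed sample
cert = /etc/stunnel/stunnel.pem
options = NO_SSLv2

[tomcat]
accept = 8443
connect = 127.0.0.1:8080
options = DONT_INSERT_EMPTY_FRAGMENTS

[imaps]
accept = 993
connect = 143
"""

def find_cbc_protection_disabled(conf_text):
    """Return (line_no, section, option) for every 'options' line that
    disables the default CBC protection. Lines before the first
    [service] header are reported under the section name 'global'."""
    findings = []
    section = "global"
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                           # start of a service section
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "options":
            continue
        option = value.strip().upper()
        if option in RISKY:
            findings.append((line_no, section, option))
    return findings

if __name__ == "__main__":
    for line_no, section, option in find_cbc_protection_disabled(SAMPLE_CONF):
        print(f"line {line_no}: [{section}] options = {option} disables CBC protection")
```

A configuration with no findings keeps the secure default described in the reply.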