[stunnel-users] Improving SSL security and protecting against the BEAST attack

Shannon Carver shannon.carver at gmail.com
Mon Feb 6 18:07:41 CET 2012


Hi all,

Long time lurker, but first time poster on the Stunnel mailing list.  I'm
currently entering into a business partnership with a prominent media
group, and as such they've got some strict guidelines by which their
partners should abide when it comes to Security/Encryption, both for
brand protection, and making sure that both sides are sufficiently covered
(at least from a general scan point of view).

Basically the big thing that is coming up in my testing now (predominantly
using the Qualys tool at www.ssllabs.com) is that I'm vulnerable to the
BEAST attack, CBC-Mode vulnerabilities and a potential issue of DoS attack
due to server accepting Client Side Re-negotiation.

I've spent days now trawling the web looking for a solution, but haven't
really found anything of use yet, short of disabling CBC Ciphers completely
(e.g. 'cipher = RC4-SHA:RC4-MD5:!SSLv2:!ADH:!EDH:!EXP:!aNULL:!eNULL:!NULL'
or similar), but I fear this may be too restrictive when it comes to client
support.

I guess my question is, are there other stunnel users who've been in the
same situation, and is there a recommended cipher/options list when using
Stunnel for HTTPS?

Thanks in advance

Shannon