[stunnel-users] BEAST Attack

Michal Trojnara Michal.Trojnara at mirt.net
Wed May 30 18:06:36 CEST 2012


Scott McKeown wrote:
> # stunnel -version
> stunnel 4.53 on x86_64-unknown-linux-gnu platform
> Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
> Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6

This version looks a bit strange, as the FIPS module for OpenSSL 1.x.x 
hasn't been released yet.
     http://www.openssl.org/docs/fips/fipsvalidation.html
AFAIK the testing snapshots of FIPS 2.0 are clearly marked as such.

I tested:
    options = CIPHER_SERVER_PREFERENCE
in my lab and it works just fine for me.

You may try to recompile stunnel with a fresh build of OpenSSL.

>     ciphers = RC4:HIGH:!MD5:!aNULL

RC4 is disabled in FIPS mode.  You should disable it with:
     FIPS = no
as a part of BEAST protection, or just use OpenSSL without FIPS 
support.

> I'm looking to include the STunnel Product within our Loadbalancer
> Appliance in our next upcoming release but with everyone now using the
> SSL checker that I mentioned in one of my last e-mails more customers
> are becoming concerned about MITM Attacks etc. so I would really like
> to get this solved before I move forward with the project.

<ad>
As a vendor of a commercial product based on stunnel, you might 
consider using our commercial support for stunnel.
     http://eu.loadbalancer.org/support.php
     http://www.stunnel.org/?page=contact
Although the commercial support can hardly beat the quality/price ratio 
of stunnel-users, your business may still benefit from priority access 
to our resources.
</ad>

Mike
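For readers following the thread, here is an added example (not part of the list message, and not stunnel's own sample configuration) showing where the settings discussed above go in a stunnel 4.x server configuration. The certificate path, port numbers and service name are placeholders chosen for illustration.

```ini
; Added example, not from the list message: a minimal stunnel 4.x server
; configuration applying the settings discussed in the thread.
; Placeholders: /etc/stunnel/stunnel.pem, port 443 and port 8080.

; --- global section ---
; 'fips' is a global option in stunnel 4.x: it must appear before the
; first [service] section. With FIPS mode on, RC4 is unavailable, so the
; RC4-first cipher list below would silently fall back to CBC suites.
fips = no
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel.pid

; 'options' and 'ciphers' may be set globally (as here) or per service.
; Several 'options' lines accumulate.
; CIPHER_SERVER_PREFERENCE makes the server, not the client, choose from
; the intersection of the two cipher lists, so the server's RC4-first
; ordering actually takes effect against a client that prefers CBC suites.
options = NO_SSLv2
options = CIPHER_SERVER_PREFERENCE
ciphers = RC4:HIGH:!MD5:!aNULL

; --- service section ---
[https]
accept  = 443
connect = 8080
cert    = /etc/stunnel/stunnel.pem
```

After restarting stunnel, `stunnel -version` should report the OpenSSL build actually linked, and the negotiated cipher with a CBC-preferring client should be RC4 rather than a CBC suite. Note that this is the 2012-era mitigation the thread describes: RC4 was later prohibited for TLS by RFC 7465, so on a current OpenSSL the accepted fix is to require TLS 1.1 or later (or AEAD suites) instead of preferring RC4.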