[stunnel-users] SSL renegotiation patch

Henrik Riomar henrik.riomar at gmail.com
Wed Sep 19 15:03:39 CEST 2012


On Wed, Sep 19, 2012 at 1:57 PM, Janusz Dziemidowicz
<rraptorr at nails.eu.org> wrote:
> 2012/9/18 Henrik Riomar <henrik.riomar at gmail.com>:
>> On Wed, Jun 27, 2012 at 11:42 PM, Janusz Dziemidowicz
>> <rraptorr at nails.eu.org> wrote:
>>> Hi,
>>
>>>
>>> The approach is based on what is being done in Apache. The default is
>>> to allow renegotiation, so there should be no surprises for anyone
>>> after upgrade. Patch applies on latest (4.54b4) stunnel beta. Feel
>>> free to comment:)
>>>
>>
>> Sorry for not noticing this patch earlier. What is the best way to
>> test the effects of this patch, i.e. what test client did you use?
>
> You can use gnutls-cli:
> gnutls-cli --insecure --port 8443 localhost -e
> or s_client from stunnel:
> openssl s_client -host localhost -port 8443 -tls1
> With s_client, you have to input R and press Enter, it will try to
> renegotiate then (awesome hack). Also, note that s_client has problems
> while renegotiating with TLS1.2 (that's why I've added -tls1 option).
>

OK, I tried with gnutls-cli-debug -p 1443 127.0.0.1

...snip...
Checking for Safe renegotiation support... yes
Checking for Safe renegotiation support (SCSV)... yes
...snip...

The above is towards a build of stunnel-4.54b8.tar.gz with
"renegotiation = no" in the config.
