[stunnel-users] stunnel server configuration requirement to handle CBC protection
rraptorr at nails.eu.org
Tue Nov 5 14:02:58 CET 2013
2013/11/5 Simner, John <john.simner at unify.com>:
> Dear Janusz,
> Thank you for your email and the information.
> I forwarded it to the person raising the problem and I received the following response...
> - On the tomcat PC there is the latest java version running, 18.104.22.168.
> The link below mentioned 22.214.171.124 and 29 as broken, and fixed with 126.96.36.199.
> - The simple setup is...
> PC (running Web Browser)
> PC connects to tomcat server using TCP and starts jHPT (the Java based client) on tomcat. In this
> simple setup I'm using TCP, not TLS, between PC and tomcat.
> jHPT (tomcat) connects to phone using TLS
> stunnel on phone (in server mode) accepts the TLS connection (tomcat is the client for this TLS
> If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=false,
> the connection between tomcat and phone (stunnel) is stable.
> If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=true,
> the phone (stunnel) resets the connection.
> I hope this clarifies what is happening between the client and stunnel on the phone.
> Within the phone, stunnel connects to the TCP server which then sets up a new connection back to stunnel/client.
> So, is there a problem in stunnel or do I need to investigate what is being received between stunnel and the TCP server/TCP connection on the phone.
> Once again, thank you for your assistance and I look forward to your response.
I am sorry, but I will not provide support for your company customers.
If you are just going to forward my replies to your customers and
theirs to me this will not work and I am not going to provide any more
I have explained to you what this JSSE option does. stunnel uses
OpenSSL for SSL implementation and there are no special options to
support 0/n or 1/n-1 record splitting (the CBC protection), it will
happily accept both.
I really have no idea where the problem is since your description is
again vague. Please debug your own application yourself and establish
if the problem is between Java client and stunnel or between stunnel
and Tomcat server. I am unable to do this, you must do this yourself.
Capturing network traffic with packet sniffer is usually a very good
tool for debugging such problems.
More information about the stunnel-users