[stunnel-users] stunnel server configuration requirement to handle CBC protection

• Previous message (by thread): [stunnel-users] stunnel server configuration requirement to handle CBC protection
• Next message (by thread): [stunnel-users] EXTERNAL: Re: stunnel server configuration requirement to handle CBC protection
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2013/11/5 Simner, John <john.simner at unify.com>:
> Dear Janusz,
> Thank you for your email and the information.
> I forwarded it to the person raising the problem and I received the following response...
>
> - On the tomcat PC there is the latest java version running, 1.7.0.45.
>   The link below mentioned 1.6.0.26 and 29 as broken, and fixed with 1.6.0.30.
>
> - The simple setup is...
>
> PC (running Web Browser)
> ->
> PC connects to tomcat server using TCP and starts jHPT (the Java based client) on tomcat. In this
> simple setup I'm using TCP, not TLS, between PC and tomcat.
> ->
> jHPT (tomcat) connects to phone using TLS
> ->
> stunnel on phone (in server mode) accepts the TLS connection (tomcat is the client for this TLS
> connection).
>
> If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=false,
> the connection between tomcat and phone (stunnel) is stable.
>
> If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=true,
> the phone (stunnel) resets the connection.
>
> I hope this clarifies what is happening between the client and stunnel on the phone.
> Within the phone, stunnel connects to the TCP server which then sets up a new connection back to stunnel/client.
>
> So, is there a problem in stunnel or do I need to investigate what is being received between stunnel and the TCP server/TCP connection on the phone.
>
> Once again, thank you for your assistance and I look forward to your response.

I am sorry, but I will not provide support for your company customers.
If you are just going to forward my replies to your customers and
theirs to me this will not work and I am not going to provide any more
help.

I have explained to you what this JSSE option does. stunnel uses
OpenSSL for SSL implementation and there are no special options to
support 0/n or 1/n-1 record splitting (the CBC protection), it will
happily accept both.

I really have no idea where the problem is since your description is
again vague. Please debug your own application yourself and establish
if the problem is between Java client and stunnel or between stunnel
and Tomcat server. I am unable to do this, you must do this yourself.
Capturing network traffic with packet sniffer is usually a very good
tool for debugging such problems.

-- 
Janusz Dziemidowicz

• Previous message (by thread): [stunnel-users] stunnel server configuration requirement to handle CBC protection
• Next message (by thread): [stunnel-users] EXTERNAL: Re: stunnel server configuration requirement to handle CBC protection
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]