Dear Michal, Dear All,

Please find attached a patch to stunnel 4.56 to clear SSL_OP_LEGACY_SERVER_CONNECT.

There was a security requirement to ensure that the stunnel client could not connect to unpatched servers.

I am aware from OpenSSL (https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html) that this parameter is currently set by default and has to be manually cleared by calling SSL_CTX_clear_options() or SSL_clear_options() if an OpenSSL client application wants to ensure it cannot connect to unpatched servers (and thus avoid any security issues).

The attached patch achieves this.

OpenSSL also state "As more servers become patched the option SSL_OP_LEGACY_SERVER_CONNECT will not be set by default in a future version of OpenSSL", so this patch is only required until OpenSSL change the default value.

Thanks.

John

Unify: Harmonize your enterprise

John Simner BSc(Hons) MSc CEng. MIET
Software Engineer, Devices Development
Unify Enterprise Communications Ltd.
Tel.: +44 (1908) 817378 (One Number Service)
Email: [email protected]
www.unify.co.uk

Unify Enterprise Communications Limited. Registered Office: Brickhill Street, Willen Lake, Milton Keynes, MK15 0DJ
Registered No: 5903714, England.

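The clearing step described in the message, as an added example in Python rather than the attached C patch: Python's ssl module wraps the same OpenSSL SSL_CTX option bits, and assigning a reduced value to ctx.options makes it call SSL_CTX_clear_options() for the dropped bits. The raw bit values are assumed from OpenSSL's ssl.h, and the helper names are mine, not stunnel's.

```python
"""Clear SSL_OP_LEGACY_SERVER_CONNECT on a TLS client context.

Added example (not the stunnel patch). Python's ssl module wraps the
OpenSSL SSL_CTX option bits; lowering ctx.options makes CPython call
SSL_CTX_clear_options() for every bit that was dropped.
"""
import ssl

# Raw option bits from OpenSSL's ssl.h (assumption: stable across
# OpenSSL 1.0.x through 3.x). Python only names OP_LEGACY_SERVER_CONNECT
# from 3.12 onwards, so fall back to the raw value on older versions.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x00000004))
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000
LEGACY_BITS = OP_LEGACY_SERVER_CONNECT | OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION


def refuses_unpatched_servers(ctx: ssl.SSLContext) -> bool:
    """True when ctx will not complete a handshake with a server that
    lacks RFC 5746 (secure renegotiation) support.

    LEGACY_SERVER_CONNECT permits the initial connection to a server
    that does not send renegotiation_info; ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    additionally permits insecure renegotiation. Either bit set means
    an unpatched server is still reachable.
    """
    return (int(ctx.options) & LEGACY_BITS) == 0


def harden_client_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Clear both legacy bits, mirroring what the patch does for
    SSL_OP_LEGACY_SERVER_CONNECT via SSL_CTX_clear_options()."""
    ctx.options = int(ctx.options) & ~LEGACY_BITS
    return ctx


def make_hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses servers without RFC 5746 support."""
    return harden_client_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Whether the default already refuses depends on the OpenSSL version:
    # 1.0.x/1.1.x set LEGACY_SERVER_CONNECT by default, 3.x does not.
    print("default refuses unpatched servers:", refuses_unpatched_servers(ctx))
    harden_client_context(ctx)
    print("hardened refuses unpatched servers:", refuses_unpatched_servers(ctx))
```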