[stunnel-users] ssl renegotiation

Joe Williams joe at joetify.com
Wed Nov 24 06:23:57 CET 2010


How does one secure stunnel from man in the middle attacks regarding ssl renegotiation. I have seen http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION but I couldn't tell if stunnel is affected by it, nor what I could do outside of installing a newer version of openssl to prevent it. Additionally I did a scan on www.ssllabs.com and it stated that insecure renegotiation was supported, which isn't good. I am running 0.9.8k-7ubuntu8.4, the standard version that ships with ubuntu 10.04, and stunnel 4.32.

What can I do to configure stunnel to protect myself? My current config is below.


; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/file.crt
key = /etc/stunnel/file.key
foreground = yes
debug = 5
ciphers = DES-CBC3-SHA:AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
options = NO_SSLv2

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Service-level configuration

accept  = 443
connect = localhost:80
TIMEOUTclose = 0

Name: Joseph A. Williams
Email: joe at joetify.com
Blog: http://www.joeandmotorboat.com/
Twitter: http://twitter.com/williamsjoe

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20101123/e3bdd1a0/attachment.html>

More information about the stunnel-users mailing list