[stunnel-users] stunnel, haproxy and ssl cert

Michal Trojnara Michal.Trojnara at mirt.net
Thu Feb 10 10:24:53 CET 2011


Amol wrote:
> What should be the ideal value for TIMEOUTclose ?

The default should be fine for security.

Microsoft decided to refuse to comply with the SSL specification and ignore
the close-notify SSL protocol alert by default:
http://msdn.microsoft.com/en-us/library/aa364671%28v=vs.85%29.aspx
http://www.mail-archive.com/[email protected]/msg02474.html

You may use lower values (e.g. 0) to deal with broken Microsoft
implementations of SSL.  The error reported by stunnel means that you might
be affected by an SSL truncation attack.  Microsoft decided to accept this
vulnerability.  You may do it as well or drop support for their broken
version of SSL.

Mike
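The two choices described above, written out as an stunnel configuration: one service keeps the default TIMEOUTclose (60 seconds in stunnel, so a peer that never sends close_notify is logged as a possible truncation), the other sets TIMEOUTclose = 0 to tolerate clients that close the TCP connection without the alert. This is an added illustration, not configuration from the original post or from the stunnel project; the service names, ports and certificate path are assumed.

```ini
; Example stunnel configuration (added example, not from the original message).
; Paths, service names and ports are assumptions for illustration only.
cert = /etc/stunnel/stunnel.pem
; Each service is a separate TLS listener that forwards plaintext to a backend.

[https-strict]
; Standards-compliant clients: keep the default TIMEOUTclose (60 s).
; If the peer drops the TCP connection without a close_notify alert,
; stunnel reports the error, i.e. the connection may have been truncated.
accept  = 443
connect = 127.0.0.1:8080
; TIMEOUTclose = 60   ; default, shown here for comparison

[https-legacy]
; Separate listener for clients that never send close_notify
; (the Microsoft behaviour discussed in the thread).
; TIMEOUTclose = 0 tells stunnel not to wait for the alert at all, which
; silences the error but also gives up detection of a truncation attack:
; an attacker who injects a TCP RST/FIN cannot be told apart from a
; client that simply closed. Only expose this where that trade-off is accepted.
accept  = 8443
connect = 127.0.0.1:8080
TIMEOUTclose = 0
```

Splitting the two behaviours across separate services keeps the strict listener for clients that do send close_notify, so the weaker setting is limited to the endpoint that actually needs it rather than applied globally.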
