[stunnel-users] BEAST Attack

Michal Trojnara Michal.Trojnara at mirt.net
Wed May 30 18:06:36 CEST 2012

Scott McKeown wrote:
> # stunnel -version
> stunnel 4.53 on x86_64-unknown-linux-gnu platform
>  Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
> Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6

This version looks a bit strange, as the FIPS module for OpenSSL 1.x.x 
hasn't been released yet.
AFAIK the testing snapshots of FIPS 2.0 are clearly marked as such.

I tested:
in my lab and it works just fine for me.

You may try to recompile stunnel with a fresh build of OpenSSL.

>     ciphers = RC4:HIGH:!MD5:!aNULL

RC4 is disabled in FIPS mode.  You should disable it with:
     FIPS = no
as a part of BEAST protection, or just use OpenSSL without FIPS 

> I'm looking to include the STunnel Product within our Loadbalancer
> Appliance in our next upcoming release but with everyone now using the
> SSL checker that I mentioned in one of my last e-Mails more customers
> are becoming concerned about MITM Attacks etc. so I would really like
> to get this solved before I move forward with the project.

As a vendor of a commercial product based on stunnel, you might 
consider using our commercial support for stunnel.
Although the commercial support can hardly beat the quality/price ratio 
of stunnel-users, your business may still benefit from priority access 
to our resources.
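
The conflict described in the reply above (a cipher list that asks for RC4 on a build running in FIPS mode, where RC4 is disabled) can be checked for mechanically. The following is an added example, not part of the original message and not stunnel code; it assumes a FIPS-capable build stays in FIPS mode unless `fips = no` appears among the global options, and the sample configuration is constructed.

```python
import re

# Constructed sample: the cipher list quoted in the thread, with no fips line.
SAMPLE_CONF = """\
; constructed stunnel.conf for illustration
cert = /etc/stunnel/example.pem

[https]
accept = 443
connect = 127.0.0.1:80
ciphers = RC4:HIGH:!MD5:!aNULL
"""

def parse_conf(text):
    """Return (global_options, {service: options}) with lower-cased keys."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)      # start of a service section
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            target = global_opts if current is None else current
            target[key.strip().lower()] = value.strip()
    return global_opts, services

def enables_rc4(cipher_string):
    """True if an OpenSSL cipher list adds RC4 suites and never bans them."""
    items = [i.upper() for i in re.split(r"[:, ]+", cipher_string) if i]
    if "!RC4" in items:                          # "!" removes suites permanently
        return False
    # A leading "-" deletes and a leading "+" only reorders; neither adds suites.
    return any(i[0] not in "!-+" and "RC4" in re.split(r"[+-]", i) for i in items)

def fips_rc4_conflicts(text):
    """List services whose cipher list asks for RC4 while FIPS mode stays on."""
    global_opts, services = parse_conf(text)
    # Assumption: FIPS mode is active unless "fips = no" is set globally.
    if global_opts.get("fips", "yes").lower() == "no":
        return []
    default = global_opts.get("ciphers", "")     # global value is the default
    return sorted(name for name, opts in services.items()
                  if enables_rc4(opts.get("ciphers", default)))

if __name__ == "__main__":
    print(fips_rc4_conflicts(SAMPLE_CONF))
```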

