[stunnel-users] SSL renegotiation patch
rraptorr at nails.eu.org
Wed Sep 19 13:57:09 CEST 2012
2012/9/18 Henrik Riomar <henrik.riomar at gmail.com>:
> On Wed, Jun 27, 2012 at 11:42 PM, Janusz Dziemidowicz
> <rraptorr at nails.eu.org> wrote:
>> The approach is based on what is being done in Apache. The default is
>> to allow renegotiation, so there should be no surprises for anyone
>> after upgrade. Patch applies on latest (4.54b4) stunnel beta. Feel
>> free to comment:)
> Sorry for not noticing this patch earlier, what is the best way to
> test the effects of this patch, i.e. what test client did you use?
You can use gnutls-cli:
gnutls-cli --insecure --port 8443 localhost -e
or s_client from stunnel:
openssl s_client -host localhost -port 8443 -tls1
With s_client, you have to input R and press Enter, it will try to
renegotiate then (awesome hack). Also, note that s_client has problems
while renegotiating with TLS1.2 (that's why I've added -tls1 option).
With renegotiation set to yes (default), both of the above should
succeed. With it set to no, the client will be disconnected as soon as it
tries to renegotiate.
You can also use online scanner like
https://www.ssllabs.com/ssltest/index.html to verify this, if your
stunnel instance is available from the Internet.
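The s_client test above is interactive (type R, press Enter, watch what happens). As an added example, not part of the original post or of stunnel, the following POSIX shell script drives the same check non-interactively: it pipes an `R` line into `openssl s_client -tls1`, captures the transcript, and classifies the result from what s_client printed. The classification rules are assumptions about s_client's output (it echoes `RENEGOTIATING` when it starts the second handshake, and a refusing server shows up as an alert or an `errno=` read/write error afterwards); the sample transcripts embedded in the script are constructed, not captured from a real stunnel instance, and `openssl` and `timeout` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example: non-interactive client-initiated renegotiation check.
# Not from the original post or from stunnel; see the assumptions in the
# comments below.

# classify_renegotiation TRANSCRIPT
# Prints "allowed", "refused" or "unknown" based on an s_client transcript.
# Assumption: s_client prints "RENEGOTIATING" when it begins the second
# handshake; a server that refuses closes the connection or sends an alert,
# which s_client reports after that marker as an "alert", "errno=" or
# "handshake failure" line.
classify_renegotiation() {
  transcript=$1
  case $transcript in
    *RENEGOTIATING*) ;;
    *) echo unknown; return 0 ;;   # never got as far as sending R
  esac
  # Only the text after the marker tells us how the second handshake went.
  after=${transcript#*RENEGOTIATING}
  case $after in
    *alert*|*errno=*|*"handshake failure"*) echo refused ;;
    *) echo allowed ;;
  esac
}

# run_check HOST PORT
# Sends one "R" line to s_client, waits for the renegotiation to complete
# (or fail), then lets stdin close so s_client shuts the session down.
# -tls1 is used because, as noted in the post, s_client had trouble
# renegotiating under TLS 1.2.
run_check() {
  host=$1
  port=$2
  { printf 'R\n'; sleep 2; } |
    timeout 15 openssl s_client -connect "$host:$port" -tls1 2>&1
}

# Constructed sample transcripts (NOT real captures) showing the two shapes
# the classifier distinguishes.
sample_allowed() {
  printf '%s\n' \
    'CONNECTED(00000003)' \
    '---' \
    'RENEGOTIATING' \
    'depth=0 CN = localhost' \
    'verify return:1' \
    'DONE'
}

sample_refused() {
  printf '%s\n' \
    'CONNECTED(00000003)' \
    '---' \
    'RENEGOTIATING' \
    'read:errno=0'
}

# Usage: sh renegotiation-check.sh localhost 8443
if [ "$#" -eq 2 ]; then
  result=$(classify_renegotiation "$(run_check "$1" "$2")")
  echo "client-initiated renegotiation: $result"
fi
```

With `renegotiation = yes` (the default after the patch) the live check should report `allowed`; with `renegotiation = no` the server drops the connection as soon as the client tries to renegotiate, which the classifier reports as `refused`. `unknown` means the initial handshake itself never got far enough for s_client to send R, so the result says nothing about the renegotiation setting.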