[stunnel-users] SSL renegotiation patch

Janusz Dziemidowicz rraptorr at nails.eu.org
Wed Sep 19 15:23:01 CEST 2012


2012/9/19 Henrik Riomar <henrik.riomar at gmail.com>:
>> On Wed, Sep 19, 2012 at 1:57 PM, Janusz Dziemidowicz
>
>>> or s_client from stunnel:
>>> openssl s_client -host localhost -port 8443 -tls1
>>> With s_client, you have to input R and press Enter, it will try to
>>> renegotiate then (awesome hack). Also, note that s_client has problems
>>> while renegotiating with TLS1.2 (that's why I've added -tls1 option).
>>>
>
> Tried this and got this printout:
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Secure Renegotiation IS supported

This is the same as in the gnutls-cli-debug case. It only tells the client
that the server understands the secure renegotiation protocol (as
opposed to the older, insecure renegotiation method). It has nothing to do
with the fact that the server will not accept renegotiations (and
renegotiations can also be started by the server itself).
The SSL protocol does not have any way to indicate that a server will not
accept renegotiations. It is also not possible to reject them in any other
way than disconnection. That is why renegotiations are enabled by
default. You can disable them if you are confident that they won't be
used (which is true in some common cases like most HTTPS scenarios).

-- 
Janusz Dziemidowicz
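The point made in this reply is that "Secure Renegotiation IS supported" is s_client reporting one thing only: the ServerHello carried the renegotiation_info extension from RFC 5746. Whether the server will later accept (or initiate) a renegotiation is not signalled anywhere in the handshake. The following example, added here and not part of the thread or of stunnel's code, parses a constructed TLS 1.0 ServerHello record and reports exactly that extension, so the reader can see which bytes the s_client line corresponds to and why they carry no "renegotiation disabled" flag. The builder, the sample records and the function names are assumptions made for this illustration.

```python
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
HS_SERVER_HELLO = 0x02        # handshake message type: ServerHello
EXT_RENEGOTIATION_INFO = 0xFF01  # RFC 5746 renegotiation_info extension
CIPHER_AES256_SHA = 0x0035    # the suite shown in the quoted s_client output


def build_server_hello(cipher_suite: int, extensions: list[tuple[int, bytes]]) -> bytes:
    """Build a minimal TLS 1.0 ServerHello record (constructed sample data)."""
    ext_body = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x01"                       # server_version: TLS 1.0
        + bytes(32)                       # server random (zeros, constructed)
        + b"\x00"                         # session_id length 0
        + struct.pack(">H", cipher_suite)
        + b"\x00"                         # compression method: null
    )
    if extensions:
        body += struct.pack(">H", len(ext_body)) + ext_body
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse a ServerHello record into version, cipher suite and an extension map."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    version = body[pos:pos + 2]
    pos += 2
    pos += 32                             # skip random
    sid_len = body[pos]
    pos += 1 + sid_len                    # skip session_id
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    pos += 1                              # skip compression method
    extensions = {}
    if pos < len(body):                   # extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions block overruns ServerHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns extensions block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher_suite, "extensions": extensions}


def secure_renegotiation_supported(record: bytes) -> bool:
    """True iff the ServerHello carries renegotiation_info (RFC 5746).

    This is the condition behind s_client's "Secure Renegotiation IS supported"
    line: the peer implements the secure renegotiation extension. It does not
    say whether the server will accept a renegotiation at all; TLS has no
    field for that, which is why only a disconnect can refuse one.
    """
    ext = parse_server_hello(record)["extensions"].get(EXT_RENEGOTIATION_INFO)
    if ext is None:
        return False
    # On an initial handshake renegotiated_connection must be empty (length byte 0).
    return ext == b"\x00"


# Constructed samples: one server advertising RFC 5746, one without it.
HELLO_WITH_RI = build_server_hello(CIPHER_AES256_SHA, [(EXT_RENEGOTIATION_INFO, b"\x00")])
HELLO_WITHOUT_RI = build_server_hello(CIPHER_AES256_SHA, [])

if __name__ == "__main__":
    for name, rec in (("with renegotiation_info", HELLO_WITH_RI),
                      ("without renegotiation_info", HELLO_WITHOUT_RI)):
        print(f"{name}: secure renegotiation supported = {secure_renegotiation_supported(rec)}")
```

Both constructed records negotiate the same AES256-SHA suite; the only difference is the five-byte extension, and that difference is all the "IS supported" / "IS NOT supported" line reflects. Whether stunnel will tolerate a later renegotiation request can only be learned by attempting one, as the thread describes, and observing whether the connection survives.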


