[stunnel-users] stunnel server configuration requirement to handle CBC protection

Simner, John john.simner at unify.com
Mon Nov 4 18:12:18 CET 2013

Having recently used stunnel on the phone as a server to encrypt the communication between an external client and a simple TCP server socket on the phone, one of the clients have raised the following....

Phone resets a TLS conection from client, when CBC protection is enabled on tomcat server.

The phone syslog shows:
Oct 28 14:26:14 10 user.crit syslog: CommsChannelExtenderRx(28881): ./src/CommsChannelExtenderRx.cpp:186 Header section invalid

To prevent a SSL/TLS BEAST attack (CVE-2011-3389) Oracle Java (JSSE) has implemented a CBC protection which can be set with System Property jsse.enableCBCProtection. The default value is true.

What was done:

Start client and connect it with a phone.
The TLS connection is established, but then the phone resets the connection, and client is not working.

When I set jsse.enableCBCProtection to false at the tomcat server, the phone accepts the connection and client is working.

To prevent man-in-the-middle attacks, the phone should be able to handle the fragmented TLS block when CBC protection is activated on the client tomcat server.

I have been unable to find the appropriate stunnel configuration item to support this.
Please could you inform me how this is handled through stunnel.

Thank you for your assistance and I look forward to your responses.


John Simner BSc(Hons) MSc CEng. MIET
Software Engineer

Unify Enterprise Communications Ltd.
Devices Development

K Block, Technology Drive, Beeston, Nottingham, NG9 1LA

Tel.: +44 (0) 19088 17378
Email: john.simner at unify.com <mailto:vorname.name at unify.com>


Follow us: [Social_media_icons] <http://www.unify.com/social-media>

Unify Enterprise Communications Limited. Registered Office: Brickhill Street, Willen Lake, Milton Keynes, MK15 0DJ
Registered No: 5903714, England.

This email contains confidential information and is for the exclusive use of the addressee.
If you are not the addressee then any distribution, copying, or use of this email is prohibited.
If received in error, please advise the sender and delete immediately. We accept no liability for
any loss or damage suffered by any person arising from use of this email.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131104/9dce209a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5198 bytes
Desc: image001.png
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20131104/9dce209a/attachment.png>

More information about the stunnel-users mailing list