[stunnel-users] stunnel server configuration requirement to handle CBC protection

Janusz Dziemidowicz rraptorr at nails.eu.org
Tue Nov 5 11:59:25 CET 2013

2013/11/5 Simner, John <john.simner at unify.com>:
> Dear Janusz,
> Apologies for unclear information in my previous posting.
> The setup is...
> Phone                     Stunnel                   Client
> TCP server     <-----     TLS Server     <-----     Java based Client (HTTPS protocol)
> (Simple socket)
> Sets up new
> TCP connection ----->     TLS Server     ----->     with tomcat server.
> I have also requested more information from the developers of the Java based Client.
> I had simply pasted the information from their fault report.
> Apologies for any confusion.
> Look forward to your response.

Just to be sure: Java HTTPS client connects to stunnel (working in
server mode; it decrypts traffic) which connects to a pure TCP server
which connects to another instance of stunnel (in client mode; it
encrypts traffic) which connects to Tomcat server using HTTPS, right?

Unfortunately in this setup jsse.enableCBCProtection is completely
meaningless on Tomcat server. jsse.enableCBCProtection is a client
side setting, which means that it only affects Java HTTPS clients, not
Java HTTPS servers. So it should make no difference at all on Tomcat.
From your description the problem is between stunnel in client mode
and Tomcat server, so this setting is not the cause of problems.
On the other hand jsse.enableCBCProtection is known to be broken in
certain Java versions:

Janusz Dziemidowicz
