[stunnel-users] stunnel server configuration requirement to handle CBC protection

Simner, John john.simner at unify.com
Tue Nov 5 13:46:51 CET 2013

Dear Janusz,
Thank you for your email and the information.
I forwarded it to the person raising the problem and I received the following response...

- On the tomcat PC there is the latest java version running,
  The link below mentioned and 29 as broken, and fixed with

- The simple setup is...

PC (running Web Browser)
PC connects to tomcat server using TCP and starts jHPT (the Java based client) on tomcat. In this 
simple setup I'm using TCP, not TLS, between PC and tomcat.
jHPT (tomcat) connects to phone using TLS
stunnel on phone (in server mode) accepts the TLS connection (tomcat is the client for this TLS 

If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=false,
the connection between tomcat and phone (stunnel) is stable.

If I set in the tomcat config the java parameter -Djsse.enableCBCProtection=true,
the phone (stunnel) resets the connection.

I hope this clarifies what is happening between the client and stunnel on the phone.
Within the phone, stunnel connects to the TCP server which then sets up a new connection back to stunnel/client.

So, is there a problem in stunnel or do I need to investigate what is being received between stunnel and the TCP server/TCP connection on the phone.

Once again, thank you for your assistance and I look forward to your response.


-----Original Message-----
From: Janusz Dziemidowicz [mailto:rraptorr at nails.eu.org] 
Sent: 05 November 2013 10:59
To: Simner, John
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] stunnel server configuration requirement to handle CBC protection

2013/11/5 Simner, John <john.simner at unify.com>:
> Dear Janusz,
> Apologies for unclear information in my previous posting.
> The setup is...
> Phone                     Stunnel                   Client
> TCP server     <-----     TLS Server     <-----     Java based Client (HTTPS protocol)
> (Simple socket)
> Sets up new
> TCP connection ----->     TLS Server     ----->     with tomcat server.
> I have also requested more information from the developers of the Java based Client.
> I had simply pasted the information from their fault report.
> Apologies for any confusion.
> Look forward to your response.

Just to be sure: Java HTTPS client connects to stunnel (working in
server mode; it decrypts traffic) which connects to a pure TCP server
which connects to another instance of stunnel (in client mode; it
encrypts traffic) which connects to Tomcat server using HTTPS, right?

Unfortunately in this setup jsse.enableCBCProtection is completely
meaningless on Tomcat server. jsse.enableCBCProtection is a client
side setting, which means that it only affects Java HTTPS clients, not
Java HTTPS servers. So it should make no difference at all on Tomcat.
From your description the problem is between stunnel in client mode
and Tomcat server, so this setting is not the cause of problems.
On the other hand jsse.enableCBCProtection is known to be broken in
certain Java versions:

Janusz Dziemidowicz

More information about the stunnel-users mailing list