[stunnel-users] public domain [PATCH] to stunnel v456 to clear SSL_OP_LEGACY_SERVER_CONNECT

Simner, John john.simner at unify.com
Wed Jun 25 15:34:31 CEST 2014


Dear Michal, Dear All,
Please find attached a patch to stunnel 4.56 to clear SSL_OP_LEGACY_SERVER_CONNECT.

There was a security requirement to ensure that the stunnel client could not connect to unpatched servers.

I am aware from OpenSSL (https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html) that this parameter is currently set by default and has to be manually cleared by calling SSL_CTX_clear_options() or SSL_clear_options() if an OpenSSL client application wants to ensure it cannot connect to unpatched servers (and thus avoid any security issues).

The attached patch achieves this.

OpenSSL also state "As more servers become patched the option SSL_OP_LEGACY_SERVER_CONNECT will not be set by default in a future version of OpenSSL" so this patch is only required until OpenSSL change the default value.

Thanks..
John



John Simner BSc(Hons) MSc CEng. MIET
Software Engineer, Devices Development

Unify Enterprise Communications Ltd.

Tel.: +44 (1908) 817378 (One Number Service)
Email: john.simner at unify.com

www.unify.co.uk

-------------- next part --------------
A non-text attachment was scrubbed...
Name: noconnectunpatchedservers.patch
Type: application/octet-stream
Size: 520 bytes
Desc: noconnectunpatchedservers.patch
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140625/77842f29/attachment.obj>
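
The option handling described in the message, shown as an added example that is not the attached patch or stunnel code: it uses Python's `ssl` module, which wraps the same OpenSSL context options, to clear SSL_OP_LEGACY_SERVER_CONNECT on a client context and confirm the bit is gone. The helper names and the `0x4` fallback (the flag's value in OpenSSL's `ssl.h`, used where Python does not export the constant) are assumptions of this example.

```python
import ssl

# Python exports ssl.OP_LEGACY_SERVER_CONNECT only in newer releases; fall back
# to 0x4, the value of SSL_OP_LEGACY_SERVER_CONNECT in OpenSSL's ssl.h.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))


def legacy_connect_enabled(ctx: ssl.SSLContext) -> bool:
    """True if this context would still connect to an unpatched server."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def clear_legacy_connect(ctx: ssl.SSLContext) -> bool:
    """Clear the option on ctx; return whether it had been set beforehand."""
    was_set = legacy_connect_enabled(ctx)
    # Assigning a mask without the bit makes the ssl module call
    # SSL_CTX_clear_options() for that bit on the underlying SSL_CTX.
    ctx.options = int(ctx.options) & ~OP_LEGACY_SERVER_CONNECT
    return was_set


def strict_client_context() -> ssl.SSLContext:
    """Client context with certificate checks on and legacy connect off."""
    ctx = ssl.create_default_context()
    clear_legacy_connect(ctx)
    return ctx


if __name__ == "__main__":
    # Whether the bit is on by default depends on the linked OpenSSL version,
    # so report it instead of assuming it.
    ctx = ssl.create_default_context()
    print(ssl.OPENSSL_VERSION)
    print("set by default:    ", clear_legacy_connect(ctx))
    print("set after clearing:", legacy_connect_enabled(ctx))
```

Checking the mask after clearing, rather than trusting the library default, keeps the requirement enforced across OpenSSL upgrades and downgrades.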