[stunnel-users] Hangs when connecting -- advice pls

Scott McKeown scott at loadbalancer.org
Wed Sep 21 12:15:00 CEST 2016


Hi Guys,
To me this looks like a cipher issue.
There are a few options that you can try to resolve this if it is.

I would try adding the following lines into your STunnel Configuration file:

delay = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS


Delay will delay any DNS lookups that may be actioned by the request (not
normally needed but I always include it for sanity's sake).
The three 'options' sections turn off all the known problematic cipher
lists; if you need a key that is in one of these blocks feel free to remove
that directive, but I think a good start would be to leave the 'NO_SSLv3'
option in place.
The 'CIPHER_SERVER_PREFERENCE' option will set whether the client is
allowed to renegotiate the ciphers that are to be used between the client
and the server process.
And finally 'DONT_INSERT_EMPTY_FRAGMENTS' will mitigate an issue in the CBC
ciphers that was in the SSLv3 and TLS1.0 cipher lists; again, I only include
it for sanity's sake now but it's better to have than to go without.



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org
Tel (UK) - +44 (0) 3303801064 (24x7)
Tel (US) - +1 888.867.9504 (Toll Free)(24x7)
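
An added example, not part of the original message or of stunnel itself: a small Python check that reads a stunnel configuration and reports, per service, which of the 'options' lines suggested above are not in effect. It assumes services inherit options set in the global section and that a leading "-" clears an option; the function names and the sample configuration are constructed for illustration.

```python
# Added example: audit a stunnel configuration for the "options" lines
# suggested in the message above. Function names are hypothetical.
WANTED = ["NO_SSLv2", "NO_SSLv3", "NO_TLSv1",
          "CIPHER_SERVER_PREFERENCE", "DONT_INSERT_EMPTY_FRAGMENTS"]

def effective_options(conf_text):
    # Returns {section: set(options)}; "" is the global section.
    # Assumption: each [service] starts from the global options, and a
    # leading "-" on an option name clears it for that section.
    sections = {"": set()}
    current = ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = set(sections[""])  # inherit global defaults
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "options":
            continue                           # some other directive
        name = value.strip()
        if name.startswith("-"):
            sections[current].discard(name[1:])
        else:
            sections[current].add(name)
    return sections

def missing_options(conf_text, wanted=WANTED):
    # Map each service (or the global section if there are no services)
    # to the wanted options it lacks, in the order given in WANTED.
    secs = effective_options(conf_text)
    services = {k: v for k, v in secs.items() if k} or secs
    return {name: [o for o in wanted if o not in opts]
            for name, opts in services.items()}

SAMPLE = """\
; constructed sample configuration, not from the original thread
delay = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = CIPHER_SERVER_PREFERENCE
[https]
options = DONT_INSERT_EMPTY_FRAGMENTS
[legacy]
options = -NO_TLSv1
"""
print(missing_options(SAMPLE))
```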