Dear Janusz,

Apologies for unclear information in my previous posting. The setup is...

Phone
Stunnel Client TCP server <----- TLS Server <----- Java based Client (HTTPS protocol)
(Simple socket) Sets up new TCP connection -----> TLS Server -----> with tomcat server.

I have also requested more information from the developers of the Java based Client. I had simply pasted the information from their fault report. Apologies for any confusion.

Look forward to your response.

Thanks.

John

-----Original Message-----
From: Janusz Dziemidowicz [mailto:[email protected]]
Sent: 05 November 2013 10:21
To: Simner, John
Cc: [email protected]
Subject: Re: [stunnel-users] stunnel server configuration requirement to handle CBC protection

2013/11/4 Simner, John <[email protected]>
>
> Hi,
>
> Having recently used stunnel on the phone as a server to encrypt the
> communication between an external client and a simple TCP server socket on
> the phone, one of the clients has raised the following:
>
> Phone resets a TLS connection from client, when CBC protection is enabled on
> tomcat server.
>
> The phone syslog shows:
> Oct 28 14:26:14 10 user.crit syslog: CommsChannelExtenderRx(28881):
> ./src/CommsChannelExtenderRx.cpp:186 Header section invalid
>
> To prevent a SSL/TLS BEAST attack (CVE-2011-3389) Oracle Java (JSSE) has
> implemented a CBC protection which can be set with System Property
> jsse.enableCBCProtection. The default value is true.
>
> What was done:
>
> Start client and connect it with a phone.
> The TLS connection is established, but then the phone resets the connection,
> and client is not working.
>
> When I set jsse.enableCBCProtection to false at the tomcat server, the phone
> accepts the connection and client is working.
>
> To prevent man-in-the-middle attacks, the phone should be able to handle the
> fragmented TLS block when CBC protection is activated on the client tomcat
> server.
>
> I have been unable to find the appropriate stunnel configuration item to
> support this.
>
> Please could you inform me how this is handled through stunnel.
>
> Thank you for your assistance and I look forward to your responses.

It is really unclear from your e-mail what is connecting to what. First you state that you use stunnel as a server on a phone and something connects to it. Then you describe a Tomcat server and something that looks like a bug report that a phone is unable to connect to this Tomcat server. It is really unclear what your configuration is, what is trying to connect to stunnel, and where the Tomcat server sits in this setup. Please provide an accurate and detailed description of your setup; maybe then someone will be able to help.

--
Janusz Dziemidowicz

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
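An added illustration, not part of the thread and not stunnel, Tomcat or phone code, of why the JSSE CBC protection quoted in the fault report can surface as a "header invalid" error on a plain TCP server. jsse.enableCBCProtection implements the standard BEAST countermeasure of 1/n-1 record splitting: the first byte of each application-data write is sent in its own TLS record, the remaining n-1 bytes in the next. After stunnel decrypts those records and forwards the plaintext to the local TCP socket, the receiving application can see the first byte arrive on its own. The assumption made here (the thread does not confirm it) is that the phone's parser validates its message header after a single read, so a short read looks like corruption. The stream source, the 4-byte "CX"+length header and the message content are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stream source standing in for the plain TCP socket between
 * stunnel and the phone's server. 'bounds' lists byte offsets at which
 * delivery is cut, so one recv() call never crosses them; this mimics the
 * decrypted output of a peer that applies 1/n-1 record splitting.
 */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
    const size_t *bounds;
    size_t nbounds;
} stream_t;

/* recv()-like read: returns up to 'want' bytes, never past a boundary, 0 at EOF. */
static size_t stream_recv(stream_t *s, unsigned char *buf, size_t want) {
    size_t limit = s->len, n, i;
    if (s->pos >= s->len)
        return 0;
    for (i = 0; i < s->nbounds; i++)
        if (s->bounds[i] > s->pos && s->bounds[i] < limit)
            limit = s->bounds[i];
    n = limit - s->pos;
    if (n > want)
        n = want;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Hypothetical 4-byte application header: 2-byte magic "CX" + 16-bit big-endian length. */
#define HDR_LEN 4
static const unsigned char HDR_MAGIC[2] = { 'C', 'X' };

/* Keep reading until exactly n bytes are present; -1 on EOF. */
static int read_exact(stream_t *s, unsigned char *buf, size_t n) {
    size_t got = 0, r;
    while (got < n) {
        r = stream_recv(s, buf + got, n - got);
        if (r == 0)
            return -1;
        got += r;
    }
    return 0;
}

/* Fragile parser: one recv(), then validate whatever arrived. A short read
 * caused by record splitting is indistinguishable here from a corrupt header. */
int parse_header_naive(stream_t *s) {
    unsigned char hdr[HDR_LEN] = { 0 };
    size_t r = stream_recv(s, hdr, HDR_LEN);
    if (r != HDR_LEN || memcmp(hdr, HDR_MAGIC, sizeof HDR_MAGIC) != 0)
        return -1;                      /* the "Header section invalid" path */
    return (hdr[2] << 8) | hdr[3];
}

/* Robust parser: a TCP stream carries no message boundaries, so accumulate
 * the whole header before validating it. */
int parse_header_robust(stream_t *s) {
    unsigned char hdr[HDR_LEN];
    if (read_exact(s, hdr, HDR_LEN) != 0)
        return -1;
    if (memcmp(hdr, HDR_MAGIC, sizeof HDR_MAGIC) != 0)
        return -1;
    return (hdr[2] << 8) | hdr[3];
}

/* Constructed message: header (magic + length 5) followed by "hello". */
static const unsigned char MSG[] = { 'C', 'X', 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* 1/n-1 split: the first plaintext byte travels in its own TLS record. */
static const size_t SPLIT_1N1[] = { 1 };

static stream_t make_stream(int split) {
    stream_t s = { MSG, sizeof MSG, 0, split ? SPLIT_1N1 : NULL, split ? 1u : 0u };
    return s;
}

int demo_naive_whole(void)  { stream_t s = make_stream(0); return parse_header_naive(&s); }
int demo_naive_split(void)  { stream_t s = make_stream(1); return parse_header_naive(&s); }
int demo_robust_split(void) { stream_t s = make_stream(1); return parse_header_robust(&s); }

int main(void) {
    printf("naive,  unsplit delivery: %d\n", demo_naive_whole());   /* 5 */
    printf("naive,  1/n-1 delivery  : %d\n", demo_naive_split());   /* -1 */
    printf("robust, 1/n-1 delivery  : %d\n", demo_robust_split());  /* 5 */
    return 0;
}
```

The fix lives in the receiving application, not in stunnel: stunnel has no setting that merges records, and disabling jsse.enableCBCProtection on the Tomcat side removes the BEAST mitigation for every client. A header reader that loops until the full header is buffered handles the split delivery and any other TCP fragmentation the same way.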
