Dear Michal, Dear All,
Please find attached a patch to stunnel 4.56 to clear 
SSL_OP_LEGACY_SERVER_CONNECT.

There was a security requirement to ensure that the stunnel client could not 
connect to unpatched servers.

I am aware from OpenSSL 
(https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html) that this 
parameter is currently set by default and has to be manually cleared by calling 
SSL_CTX_clear_options() or SSL_clear_options() if an OpenSSL client application 
wants to ensure it cannot connect to unpatched servers (and thus avoid any 
security issues).

The attached patch achieves this.

OpenSSL also state "As more servers become patched the option 
SSL_OP_LEGACY_SERVER_CONNECT will not be set by default in a future version of 
OpenSSL" so this patch is only required until OpenSSL change the default value.

Thanks..
John



John Simner BSc(Hons) MSc CEng. MIET
Software Engineer, Devices Development

Unify Enterprise Communications Ltd.

Attachment: noconnectunpatchedservers.patch
Description: noconnectunpatchedservers.patch
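
The option handling described in the message, shown through Python's `ssl` binding to OpenSSL rather than stunnel's C code. This is an added example, not the attached patch; the function names are made up for illustration, and the `0x4` fallback is the value OpenSSL's `ssl.h` assigns to `SSL_OP_LEGACY_SERVER_CONNECT`.

```python
import ssl

# SSL_OP_LEGACY_SERVER_CONNECT as a Python constant. ssl.OP_LEGACY_SERVER_CONNECT
# exists from Python 3.12 on; 0x4 is the value OpenSSL's ssl.h gives the option.
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x4))


def legacy_connect_allowed(ctx):
    """True if ctx may still connect to servers lacking secure renegotiation
    (the servers the OpenSSL documentation calls unpatched)."""
    return bool(int(ctx.options) & OP_LEGACY_SERVER_CONNECT)


def forbid_unpatched_servers(ctx):
    """Clear the option on ctx and return True if it had been set.

    Assigning to ctx.options makes Python call SSL_CTX_clear_options() for
    the bits that were dropped, the call the message refers to. All other
    option bits are left as they were.
    """
    was_set = legacy_connect_allowed(ctx)
    ctx.options = int(ctx.options) & ~OP_LEGACY_SERVER_CONNECT
    return was_set


def make_strict_client_context():
    """Hypothetical helper: a verifying client context with the option cleared."""
    ctx = ssl.create_default_context()
    forbid_unpatched_servers(ctx)
    return ctx


if __name__ == "__main__":
    # Report what the linked OpenSSL build does by default, then clear the bit.
    ctx = ssl.create_default_context()
    print(ssl.OPENSSL_VERSION)
    print("set by default in this build:", legacy_connect_allowed(ctx))
    forbid_unpatched_servers(ctx)
    print("set after clearing:", legacy_connect_allowed(ctx))
```

Running it prints whether the linked OpenSSL build still sets the option by default, which shows whether the explicit clear is still needed on that system.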
