15

How can I mitigate POODLE SSL vulnerability when using stunnel as HTTPS reverse proxy?

Sergey
  • 958

3 Answers

19

You can disable SSLv3 protocol on stunnel altogether.

From stunnel documentation:

sslVersion = SSL_VERSION

select version of SSL protocol

Allowed options: all, SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2

I've added this to the config file:

sslVersion = TLSv1 TLSv1.1 TLSv1.2

And now I am not able to connect with SSLv3 (using openssl s_client -connect my.domain.com:443 -ssl3).

NOTE: Some older versions of stunnel and OpenSSL don't support TLSv1.2 (and even TLSv1.1). In this case, remove them from the sslVersion directive to avoid the "Incorrect version of SSL protocol" error.

Sergey
  • 958
10

If you prefer to stick with an older stunnel (like the 4.53 in your Debian Stable), you can disable SSLv2 and SSLv3 with:

sslVersion = all
options = NO_SSLv2
options = NO_SSLv3

instead of

sslVersion = TLSv1

which would disable TLSv1.1 and TLSv1.2 also.

Matija Nalis
  • 2,512
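Both answers above change the stunnel configuration and rely on openssl s_client -ssl3 to confirm the result. Current OpenSSL builds are compiled without SSLv3, so that check is often unavailable on the machine doing the testing. The following is an added example, not code from the answers or from the stunnel project: a small Python probe that sends a hand-built SSLv3 ClientHello to the listener and classifies the first record that comes back. The host and port are whatever you pass on the command line; the sample response bytes at the bottom are constructed for offline testing and are not captures from any real server.

```python
"""Probe an HTTPS listener with a raw SSLv3 ClientHello to confirm SSLv3 is refused."""
import socket
import struct

SSLV3 = b"\x03\x00"

# Constructed cipher list: the CBC suites are what POODLE needs, RC4 is included so a
# server that only refuses CBC still answers.  IDs are from the TLS cipher registry.
CIPHER_SUITES = bytes.fromhex(
    "002f"  # TLS_RSA_WITH_AES_128_CBC_SHA
    "000a"  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    "0005"  # TLS_RSA_WITH_RC4_128_SHA
)

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello record (fixed random, no session id, no extensions)."""
    client_random = b"\x00" * 32  # fixed for reproducibility; fine for a probe
    body = (
        SSLV3
        + client_random
        + b"\x00"  # empty session id
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"  # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # type 22 = handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back (or the absence of one)."""
    if len(data) == 0:
        return "rejected-closed"  # server hung up without an alert; still a refusal
    if len(data) < 5:
        return "truncated"
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        # ServerHello: the negotiated version sits right after the 4-byte handshake header
        if payload[4:6] == SSLV3:
            return "sslv3-accepted"
        return "unexpected-version-%02x%02x" % (payload[4], payload[5])
    if content_type == 0x15 and len(payload) >= 2:
        return "rejected-alert-" + ALERT_NAMES.get(payload[1], str(payload[1]))
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the ClientHello and classify the reply; a connection reset also counts as rejected."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except ConnectionResetError:
            return "rejected-connection-reset"


# Constructed sample responses used to exercise classify_response offline.
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"  # handshake record, SSLv3, 42 bytes of payload
    + b"\x02\x00\x00\x26"  # ServerHello, 38-byte body
    + SSLV3 + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"  # fatal protocol_version

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as python3 probe.py my.domain.com 443 against a listener you are permitted to test. Anything starting with "rejected" means the stunnel change took effect; "sslv3-accepted" means the listener still negotiates SSLv3 and the sslVersion or options lines are not being applied (check which config file the running stunnel actually read). The probe only speaks SSLv3, so it says nothing about which TLS versions or cipher suites remain enabled.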
2

Since I cannot comment, I will "answer" (sorry).

Anyway, I am running stunnel 5.01 and I also get the "incorrect version of SSL" error after making the change to sslVersion:

[!] Server is down
[.] Reading configuration from file stunnel.conf
[!] Line 4: "sslVersion = TLSv1 TLSv1.1 TLSv1.2": Incorrect version of SSL protocol

Fixed (for me). Had to upgrade stunnel to v5.06 (most current release as of today). The conf file is exactly the same, so I guess there is some mojo happening between v5.01 and v5.06 that goes beyond a mere mortal to understand.

Michael Hampton
  • 252,907