How is it possible to disable Secure Client-Initiated Renegotiation in stunnel4? I'm using stunnel 4.53-1.1ubuntu1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f and stunnel 4.53-1.1 on Debian Wheezy with OpenSSL 1.0.1e.
The stunnel docs list an option for that:
renegotiation = yes | no
support SSL renegotiation
but unfortunately, this leads to the following error:
Line 70: "renegotiation = no": Specified option name is not valid here
But where is this option valid? I tried it for the single services (which makes no sense anyway), but it didn't work either. The documentation is not very verbose about this, and I couldn't find any information about it with search engines.
Does anyone have a clue how to get this right?
I used the following minimal configuration:
pid=/stunnel4.pid
debug = 5
output = /var/log/stunnel4/stunnel.log
cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
key = /etc/ssl/private/ssl-cert-snakeoil.key
renegotiation = no
[https]
accept = 443
connect = localhost:8000
These tests showed that renegotiation is supported:
Qualys' ssltest shows:
Secure Client-Initiated Renegotiation: Supported DoS DANGER (more info)
Doing it manually with openssl also confirms this:
$ openssl s_client -connect localhost:443
CONNECTED(00000003)
[...]
---
R
RENEGOTIATING
depth=0 CN = mint.home
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = mint.home
verify return:1
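The configuration format and the two checks from the question can be automated. The script below is an added example, not code from the question or from the stunnel project: it parses the INI-style stunnel config (global options before the first [section], one section per service), flags a `renegotiation` key placed in a service section, compares the running stunnel version against 4.54 (the release in which the ChangeLog cited on this page says the option appeared), and classifies a captured `openssl s_client` transcript by whether a second handshake followed the `R` command. The sample config and transcript are constructed copies of what the question shows; treating "no `renegotiation` line" as "renegotiation left enabled" and the transcript heuristic are my own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed copy of the minimal configuration from the question.
SAMPLE_CONFIG = """\
pid=/stunnel4.pid
debug = 5
output = /var/log/stunnel4/stunnel.log
cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
key = /etc/ssl/private/ssl-cert-snakeoil.key
renegotiation = no
[https]
accept = 443
connect = localhost:8000
"""

# Constructed excerpt of an `openssl s_client` session in which 'R' was typed.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
---
R
RENEGOTIATING
depth=0 CN = mint.home
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = mint.home
verify return:1
"""

# First stunnel release whose global section understands 'renegotiation'
# (taken from the ChangeLog reference on this page).
RENEGOTIATION_MIN_VERSION = (4, 54)


def parse_stunnel_config(text: str) -> Dict[str, Dict[str, str]]:
    """Split an stunnel config into {"": global options, "<service>": options}.
    Lines starting with ';' or '#' are comments; '[name]' opens a service."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not a key = value line; stunnel itself would reject it
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def parse_version(version_string: str) -> Tuple[int, int]:
    """Extract (major, minor) from strings such as 'stunnel 4.53-1.1ubuntu1'."""
    match = re.search(r"(\d+)\.(\d+)", version_string)
    if match is None:
        raise ValueError(f"no stunnel version found in {version_string!r}")
    return int(match.group(1)), int(match.group(2))


def check_renegotiation(config_text: str, version_string: str) -> List[str]:
    """Return a list of reasons why 'renegotiation = no' will not take effect."""
    problems: List[str] = []
    sections = parse_stunnel_config(config_text)
    version = parse_version(version_string)
    for name, options in sections.items():
        if "renegotiation" not in options:
            continue
        if name != "":
            problems.append(f"[{name}]: 'renegotiation' is a global option and is not valid inside a service section")
        elif version < RENEGOTIATION_MIN_VERSION:
            problems.append(f"stunnel {version[0]}.{version[1]} does not know 'renegotiation'; the option was added in 4.54")
        if options["renegotiation"] not in ("yes", "no"):
            problems.append(f"'renegotiation = {options['renegotiation']}' is not yes or no")
    if "renegotiation" not in sections[""]:
        # Assumption: without the global option stunnel leaves renegotiation enabled.
        problems.append("global 'renegotiation' is not set, so renegotiation stays enabled")
    return problems


def renegotiation_accepted(s_client_output: str) -> bool:
    """Heuristic over a captured s_client session: the client always echoes
    RENEGOTIATING after 'R', but only a server that accepts the request runs a
    second handshake, which shows up as fresh 'verify return:' lines afterwards."""
    _, marker, tail = s_client_output.partition("RENEGOTIATING")
    return bool(marker) and re.search(r"^verify return:", tail, re.M) is not None


if __name__ == "__main__":
    for problem in check_renegotiation(SAMPLE_CONFIG, "stunnel 4.53-1.1ubuntu1"):
        print("problem:", problem)
    print("server accepted client-initiated renegotiation:", renegotiation_accepted(SAMPLE_S_CLIENT))
```

Run against the question's own config and version string the script reports exactly the 4.53-versus-4.54 mismatch, and on the pasted transcript it reports that the server accepted the renegotiation, which is the same verdict Qualys gave. Feed it the output of `stunnel -version` and a transcript captured from `openssl s_client` to check another host.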
According to the stunnel ChangeLog, the renegotiation parameter was added in stunnel version 4.54. That explains why stunnel 4.53 complains about
The alternative solutions: