stunnel TLS issues with some web browsers

Hi,

    I have a problem with stunnel working in server mode (back end web is running on IIS7) and some versions of web browsers specifically Safari, IE10 on Win7, Opera and Safari on iOS 8.4 and Safari on OS X. Newer IE, Chrome and Firefox are working fine. The issue is broken SSL connection (Safari reports cannot open the page because it could not establish a secure connection to the server), following errors are logged in stunnel log file: SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback and  SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number. What's weird is that on some occasions the connections is established but when something is clicked on the web page the connection gets broken. I have tried configuring various cipher combinations on stunnel but so far without any luck.

My current stunnel configuration is following:

cert = chain.pem
key = priv.key

engine = DEP
libwrap = no

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

# Disable weak SSL ciphers
options = NO_SSLv2
options = NO_SSLv3

ciphers = ECDHE+RSA+AES128+SHA:ECDHE+RSA+AES256+SHA:ECDHE+RSA+AES256+SHA256:ECDHE+RSA+AES256+SHA384:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

pid = /var/lib/stunnel/stunnel.pid

setgid = stunnel
setuid = stunnel

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel.log

; Service-level configuration
[https]
accept  = stunnel:443
connect = websrv:80

TIMEOUTclose = 0
tomislav11Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
stunnel/ssl/linux versions would be nice.

you need to set sslVersion = all on old stunnels

it looks like you unwillingly disable TLS 1.0

Also big half of cipher preference list is obsolete:
opensuse 13.2> openssl ciphers 'ECDHE+RSA+AES128+SHA:ECDHE+RSA+AES256+SHA:ECDHE+RSA+AES256+SHA256:ECDHE+RSA+AES256+SHA384:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA
0
tomislav11Author Commented:
Hi, thanks for the comment. Forgot to put versions, stunnel version is 5.09 built with OpenSSL 1.0.1k which was configured with following options: ./config --prefix=/usr/local/openssl no-asm no-camellia no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-zlib no-zlib-dynamic.
TLSv1 normally should be disabled but I left it out (options = NO_TLSv1) due to testing. Regarding the cipher list this one showed best results according to https://www.ssllabs.com/ssltest/.
0
gheistCommented:
You were looking at right place - ssl labs :)
There you can see that with TLS 1.0 disabled all browsers you mention are not able to connect.
Why dont you use openssl and stunnel build into your linux OS?
And nginx for where you have stunnel to offload logging from backend?
0
Hey MSSPs! What's your total cost of ownership?

WEBINAR: Managed security service providers often deploy & manage products from a variety of solution vendors. But is this really the best approach when it comes to saving time AND money? Join us on Aug. 15th to learn how you can improve your total cost of ownership today!

tomislav11Author Commented:
Now I have added following ciphers:
AES256+SHA:AES128+SHA:ECDHE+RSA+AES128+SHA:ECDHE+RSA+AES256+SHA:ECDHE+RSA+AES256+SHA256:ECDHE+RSA+AES256+SHA384:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:ECDHE+ECDSA+AES256+GCM+SHA384:ECDHE+ECDSA+AES128+GCM+SHA256:ECDHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES128+GCM+SHA256:ECDHE+ECDSA+AES256+SHA384:ECDHE+ECDSA+AES128+SHA256:ECDHE+RSA+AES256+SHA384:ECDHE+RSA+AES128+SHA256:ECDHE+RSA+AES256+SHA:ECDHE+ECDSA+AES256+SHA:ECDHE+RSA+AES128+SHA:ECDHE+ECDSA+AES128+SHA:DHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES256+SHA256:DHE+RSA+AES256+SHA:DHE+RSA+CAMELLIA256+SHA:DHE+RSA+AES128+GCM+SHA256:DHE+RSA+AES128+SHA256:DHE+RSA+AES128+SHA:DHE+RSA+SEED+SHA:DHE+RSA+CAMELLIA128+SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

sslabs says TLSv1.0 is supported (grade A- due to lack of FS) but still no luck with these browsers.

Unfortunately I cannot change current software, OpenSSL is patched and customized as it uses an HSM to offload private keys so I'm rather stuck with this setup.
0
gheistCommented:
For PFS you need to enable SSLHonorCipherOrder in Apache.
TLS 1.0 is maximum for OSX 10.8 and OpenSSL 0.9.8 and Android 2.3.7, all lurking around in large numbers.
You cannot disable it for all practical purposes.

-SSLv3 ... !3DES locks out IE on XP

You run openssl commands on different openssl toolkit than built with no-camellia in /usr/local.
Do e.g this in profile you use for testing
alias openssl='LD_PRELOAD=/usr/local/lib/libssl.so:/usr/local/lib/libcrypto.so /usr/local/bin/openssl'
0
gheistCommented:
Some more SSL scanners: http://wiki.cacert.org/SSLScanner

You should regularily check BCP document on SSL/TLS
https://www.rfc-editor.org/bcp-index.html
Current is here: https://www.rfc-editor.org/bcp/bcp195.txt
Basically browsers that do not reach any recommended configuration are between obsolete and unsupportable under any formal securedness requirement.
And on the other hand server should allow all those ciphers that are not broken in last 4 months from that list.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
frankhelkCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: gheist (https:#a40907981)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSL / HTTPS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.