[stunnel-users] Handshake failure

RUTSCHLE Yves yves.rutschle at c-s.fr
Wed Apr 25 15:43:56 CEST 2007


Hello,

I am trying to set up a stunnel between two machines running LynxOS, 
which is a POSIX derivative.

I've compiled OpenSSL 0.9.8e, and stunnel 4.20:

stunnel 4.20 on i386-unknown-lynxos with OpenSSL 0.9.8e 23 Feb 2007
Threading:FORK SSL:ENGINE Sockets:POLL,IPv4
[...]

I use the following config files:

////// server side
        debug=7
        foreground=yes
        pid=

        CAfile=valid_certs
        key=privkey.pem
        cert=cert.pem
        verify=1

        [SSLTunnel]
        accept=1235
        connect=1234
////// end server side

////// client side
        debug=7
        foreground=yes
        pid=

        CAfile=valid_certs
        key=privkey.pem
        cert=cert.pem
        verify=1

        client=yes

        [SSLTunnel]
        accept=4234
        connect=173.16.1.10:1235
////// end client side

(It's run from different directories so the PEM files are different)

After running both stunnels, I connect to the client side and see a
beginning of handshake; however, it then breaks down: from afar, it looks
like the client doesn't take the server certificate:

///// server trace
2007.04.25 15:33:22 LOG7[58:0]: Snagged 64 random bytes from /home/st07815/.rnd
2007.04.25 15:33:22 LOG7[58:0]: Wrote 1024 new random bytes to /home/st07815/.rnd
2007.04.25 15:33:22 LOG7[58:0]: RAND_status claims sufficient entropy for the PRNG
2007.04.25 15:33:22 LOG7[58:0]: PRNG seeded successfully
2007.04.25 15:33:22 LOG7[58:0]: Certificate: cert.pem
2007.04.25 15:33:22 LOG7[58:0]: Certificate loaded
2007.04.25 15:33:22 LOG7[58:0]: Key file: privkey.pem
2007.04.25 15:33:22 LOG7[58:0]: Private key loaded
2007.04.25 15:33:22 LOG7[58:0]: Loaded verify certificates from valid_certs
2007.04.25 15:33:22 LOG7[58:0]: Loaded valid_certs revocation lookup file
2007.04.25 15:33:22 LOG7[58:0]: SSL context initialized for service SSLTunnel
2007.04.25 15:33:22 LOG5[58:0]: stunnel 4.20 on i386-unknown-lynxos with OpenSSL 0.9.8e 23 Feb 2007
2007.04.25 15:33:22 LOG5[58:0]: Threading:FORK SSL:ENGINE Sockets:POLL,IPv4
2007.04.25 15:33:22 LOG6[58:0]: file ulimit = 64 (can be changed with 'ulimit -n')
2007.04.25 15:33:22 LOG6[58:0]: poll() used - no FD_SETSIZE limit for file descriptors
2007.04.25 15:33:22 LOG5[58:0]: 29 clients allowed
2007.04.25 15:33:22 LOG7[58:0]: FD 3 in non-blocking mode
2007.04.25 15:33:22 LOG7[58:0]: FD 4 in non-blocking mode
2007.04.25 15:33:22 LOG7[58:0]: FD 5 in non-blocking mode
2007.04.25 15:33:22 LOG7[58:0]: SO_REUSEADDR option set on accept socket
2007.04.25 15:33:22 LOG7[58:0]: SSLTunnel bound to 0.0.0.0:1235
2007.04.25 15:33:22 LOG7[58:0]: No pid file being created
(end of init, waiting for connection)
2007.04.25 15:34:17 LOG7[58:0]: SSLTunnel accepted FD=6 from 173.16.1.7:1092
2007.04.25 15:34:17 LOG7[68:0]: SSLTunnel started
2007.04.25 15:34:17 LOG7[68:0]: FD 6 in non-blocking mode
2007.04.25 15:34:17 LOG5[68:0]: SSLTunnel accepted connection from 173.16.1.7:1092
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): before/accept initialization
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 read client hello A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write server hello A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate request A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 flush data
2007.04.25 15:34:19 LOG3[68:0]: SSL_accept: Peer suddenly disconnected
2007.04.25 15:34:19 LOG5[68:0]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.04.25 15:34:19 LOG7[58:0]: Cleaning up the signal pipe
2007.04.25 15:34:19 LOG7[58:0]: Process 68 finished with code 0 (0 left)
///// end server trace

///// client trace
2007.04.25 15:33:59 LOG7[12:0]: Snagged 64 random bytes from /home/st07815/.rnd
2007.04.25 15:33:59 LOG7[12:0]: Wrote 1024 new random bytes to /home/st07815/.rnd
2007.04.25 15:33:59 LOG7[12:0]: RAND_status claims sufficient entropy for the PRNG
2007.04.25 15:33:59 LOG7[12:0]: PRNG seeded successfully
2007.04.25 15:33:59 LOG7[12:0]: Certificate: cert.pem
2007.04.25 15:33:59 LOG7[12:0]: Certificate loaded
2007.04.25 15:33:59 LOG7[12:0]: Key file: privkey.pem
2007.04.25 15:33:59 LOG7[12:0]: Private key loaded
2007.04.25 15:33:59 LOG7[12:0]: Loaded verify certificates from valid_certs
2007.04.25 15:33:59 LOG7[12:0]: Loaded valid_certs revocation lookup file
2007.04.25 15:33:59 LOG7[12:0]: SSL context initialized for service SSLTunnel
2007.04.25 15:33:59 LOG5[12:0]: stunnel 4.20 on i386-unknown-lynxos with OpenSSL 0.9.8e 23 Feb 2007
2007.04.25 15:33:59 LOG5[12:0]: Threading:FORK SSL:ENGINE Sockets:POLL,IPv4
2007.04.25 15:33:59 LOG6[12:0]: file ulimit = 64 (can be changed with 'ulimit -n')
2007.04.25 15:33:59 LOG6[12:0]: poll() used - no FD_SETSIZE limit for file descriptors
2007.04.25 15:33:59 LOG5[12:0]: 29 clients allowed
2007.04.25 15:33:59 LOG7[12:0]: FD 3 in non-blocking mode
2007.04.25 15:33:59 LOG7[12:0]: FD 4 in non-blocking mode
2007.04.25 15:33:59 LOG7[12:0]: FD 5 in non-blocking mode
2007.04.25 15:33:59 LOG7[12:0]: SO_REUSEADDR option set on accept socket
2007.04.25 15:33:59 LOG7[12:0]: SSLTunnel bound to 0.0.0.0:4234
2007.04.25 15:33:59 LOG7[12:0]: No pid file being created
(end of init, waiting for connection)
2007.04.25 15:34:27 LOG7[12:0]: SSLTunnel accepted FD=6 from 152.14.101.54:64752
2007.04.25 15:34:27 LOG7[27:0]: SSLTunnel started
2007.04.25 15:34:27 LOG7[27:0]: FD 6 in non-blocking mode
2007.04.25 15:34:27 LOG5[27:0]: SSLTunnel accepted connection from 152.14.101.54:64752
2007.04.25 15:34:27 LOG7[27:0]: FD 5 in non-blocking mode
2007.04.25 15:34:27 LOG7[27:0]: SSLTunnel connecting 173.16.1.10:1235
2007.04.25 15:34:27 LOG7[27:0]: connect_wait: waiting 10 seconds
2007.04.25 15:34:27 LOG7[27:0]: connect_wait: connected
2007.04.25 15:34:27 LOG5[27:0]: SSLTunnel connected remote server from 173.16.1.7:1092
2007.04.25 15:34:27 LOG7[27:0]: Remote FD=5 initialized
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): before/connect initialization
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 write client hello A
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 read server hello A
2007.04.25 15:34:28 LOG7[12:0]: Cleaning up the signal pipe
2007.04.25 15:34:28 LOG7[12:0]: Process 27 terminated on signal 11 (0 left)
///// end client trace

Now the strange thing is that this very same setup works on Solaris, so
I have something wrong with the port of either OpenSSL or stunnel on
LynxOS.

If someone could give me a hint as to where to start poking, I'd greatly
appreciate it.

TIA,
Y.
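As an added diagnostic that is not part of the original post or of stunnel itself, the Python script below parses the two debug=7 traces quoted above, groups the log lines by forked child process, and reports the last SSL handshake state each side reached and how each child ended. The embedded trace excerpt is re-joined from the lines in the post; the regular expressions are an assumption about the stunnel 4.20 log layout inferred from those lines, not taken from the stunnel source.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the connection-related lines of the two stunnel 4.20
# debug=7 traces from the post, with the e-mail line wrapping undone so that
# each log entry sits on one line.
SERVER_TRACE = """\
2007.04.25 15:34:17 LOG7[58:0]: SSLTunnel accepted FD=6 from 173.16.1.7:1092
2007.04.25 15:34:17 LOG7[68:0]: SSLTunnel started
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): before/accept initialization
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 read client hello A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write server hello A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate request A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 flush data
2007.04.25 15:34:19 LOG3[68:0]: SSL_accept: Peer suddenly disconnected
2007.04.25 15:34:19 LOG5[68:0]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.04.25 15:34:19 LOG7[58:0]: Process 68 finished with code 0 (0 left)
"""

CLIENT_TRACE = """\
2007.04.25 15:34:27 LOG7[12:0]: SSLTunnel accepted FD=6 from 152.14.101.54:64752
2007.04.25 15:34:27 LOG7[27:0]: SSLTunnel started
2007.04.25 15:34:27 LOG7[27:0]: SSLTunnel connecting 173.16.1.10:1235
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): before/connect initialization
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 write client hello A
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 read server hello A
2007.04.25 15:34:28 LOG7[12:0]: Process 27 terminated on signal 11 (0 left)
"""

# Log line layout as seen in the traces (assumed from those lines, not from
# the stunnel source): "<date> <time> LOG<level>[<pid>:<thread>]: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):\d+\]: (?P<msg>.*)$"
)
STATE_RE = re.compile(r"^SSL state \((?P<role>accept|connect)\): (?P<state>.+)$")
SIGNAL_RE = re.compile(r"^Process (?P<pid>\d+) terminated on signal (?P<sig>\d+)")
EXIT_RE = re.compile(r"^Process (?P<pid>\d+) finished with code (?P<code>\d+)")


@dataclass
class Connection:
    pid: int
    role: Optional[str] = None                        # "accept" (server) or "connect" (client)
    states: List[str] = field(default_factory=list)   # SSL handshake states in order
    errors: List[str] = field(default_factory=list)   # LOG3 (error) messages
    termination: Optional[Tuple[str, int]] = None     # ("exit", code) or ("signal", signo)

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None


def parse_trace(text: str) -> Dict[int, Connection]:
    """Group a stunnel trace by forked child pid and record handshake progress."""
    conns: Dict[int, Connection] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, level, msg = int(m["pid"]), int(m["level"]), m["msg"]
        # Termination lines are logged by the parent; the child pid is in the message.
        sig = SIGNAL_RE.match(msg)
        if sig:
            child = int(sig["pid"])
            conns.setdefault(child, Connection(child)).termination = ("signal", int(sig["sig"]))
            continue
        ext = EXIT_RE.match(msg)
        if ext:
            child = int(ext["pid"])
            conns.setdefault(child, Connection(child)).termination = ("exit", int(ext["code"]))
            continue
        conn = conns.setdefault(pid, Connection(pid))
        st = STATE_RE.match(msg)
        if st:
            conn.role = st["role"]
            conn.states.append(st["state"])
        elif level <= 3:
            conn.errors.append(msg)
    # Keep only forked children that actually ran a handshake or were reaped.
    return {p: c for p, c in conns.items() if c.states or c.termination}


def classify(server: Connection, client: Connection) -> str:
    """Name the failure mode from the two sides' end states."""
    if client.termination and client.termination[0] == "signal":
        return "client-crash"
    if server.termination and server.termination[0] == "signal":
        return "server-crash"
    if client.errors or server.errors:
        return "handshake-error"
    return "completed"


def report(server: Connection, client: Connection) -> List[str]:
    """Human-readable summary of where each side got to."""
    return [
        f"server child {server.pid}: last state '{server.last_state}', "
        f"errors {server.errors}, ended {server.termination}",
        f"client child {client.pid}: last state '{client.last_state}', "
        f"errors {client.errors}, ended {client.termination}",
        f"verdict: {classify(server, client)}",
    ]


if __name__ == "__main__":
    srv = parse_trace(SERVER_TRACE)[68]
    cli = parse_trace(CLIENT_TRACE)[27]
    print("\n".join(report(srv, cli)))
```

Run against the traces above, the server child gets as far as writing its certificate and certificate request and flushing, then reports the peer disconnecting and exits cleanly, while the client child is killed by signal 11 right after reading the server hello, i.e. while it is processing the server's certificate messages and before it has presented its own. A failed certificate verification would surface as a logged SSL error on one side rather than a segmentation fault, which is why the script's verdict separates a crash from a handshake error.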
