[stunnel-users] Problems SSLifying an "exec" Service without KeepAlive

Jochen Bern Jochen.Bern at LINworks.de
Tue Feb 22 18:07:24 CET 2011

Hello everyone, today I tried to set up network access to a service
using stunnel 4.35. The underlying service, by default, exits after
every request+reply. When running stunnel in daemon mode, this seems to
upset things such that subsequent connections hang. I cannot quite
pinpoint whether it's a config problem, design (of my setup) problem, or
bug, so any help's welcome ...

More info:

The underlying service accesses a Nagios' livestatus interface
> http://mathias-kettner.de/checkmk_livestatus.html#H1:Remote%20access%20to%20Livestatus
using the "unixcat" tool provided. Unless you specifically request
connection keepalives, unixcat will close/exit after answering one
request, *or* timing out waiting for one. That "exit procedure", AFAICT,
isn't different from what the imapd or pppd in the stunnel(8) manpage's
EXAMPLES section do ...

I need to secure access to the service, so I'm throwing client cert
verification and libwrap at the connections. The current daemon mode
configuration (with several commented-out attempts) reads, slightly
   #socket = a:SO_REUSEADDR=0
   #foreground= yes


   accept       = [...PORT...]

   cert = [...SERVER...].pem
   key  = [...SERVER...].key
   CAfile       = [...CA...].pem
   CApath       = [...TempStagingDirectory...]

   exec = /usr/local/bin/unixcat
   execargs     = unixcat /var/lib/nagios3/rw/live
   pty  = yes

   retry        = no
   session      = 3

   #TIMEOUTclose        = 0
   #TIMEOUTbusy = 5
   #TIMEOUTidle = 5

After starting the stunnel daemon, I can perform *one* normal connection:
> # openssl s_client -CAfile [...CA...].pem -showcerts \
> > -connect [...SERVER...]:[...PORT...] -cert [...CLIENT...].cert \
> > -key [...CLIENT...].key -state                                                                                                                                                                             
> CONNECTED(00000003)                                                                                                                                                                 
> SSL_connect:before/connect initialization                                                                                                                                           
> SSL_connect:SSLv2/v3 write client hello A                                                                                                                                           
> SSL_connect:SSLv3 read server hello A
> SSL handshake has read 1743 bytes and written 1933 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 1B4221E2917E3BD49AA2102C2CCE60A624DB256D6B4D61F9D0D77EA843DC31BC
>     Session-ID-ctx:
>     Master-Key: 57E6DF8E7E0A741B718E356467450DD00969465295A9C6FE03416ED16E74AF93058EC168EF6DF1B9F3F637F505FF6EF4
>     Key-Arg   : None
>     Start Time: 1298390481
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---

At that point, I can type in one request, then unixcat terminates,
stunnel closes the connection and s_client (?) reports:
> read:errno=104

Typical log output on the server side:
> LOG5[30042:139819109037792]: Reading configuration from file /etc/stunnel/livestatus.conf
> LOG5[30042:139819109037792]: Peer certificate location [...TempStagingDirectory...]
> LOG5[30042:139819109037792]: Configuration successful
> LOG5[30042:139819109037792]: No limit detected for the number of clients
> LOG5[30043:139819109037792]: stunnel 4.35 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
> LOG5[30043:139819109037792]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
> LOG5[30043:1075198288]: Service livestatus accepted connection from [...CLIENT...]:39287
> LOG5[30043:1075198288]: Certificate accepted: depth=1, [...CA...]
> LOG5[30043:1075198288]: Certificate accepted: depth=0, [...CLIENT...]
> LOG3[30043:1075198288]: readsocket: Input/output error (5)
> LOG5[30043:1075198288]: Connection reset: 2293 bytes sent to SSL, 33 bytes sent to socket

Rerunning the exact same command stops dead after the
> CONNECTED(00000003)
and manually "telnet"ing to the port from a different host doesn't
behave in a normal way (closing the connection after I type the first
line of non-SSL stuff) anymore, either. Running the unixcat command from
a local command line, however, still works normally.

I tried running stunnel off inetd, which seems to work, so I'd guess
it's the server-side SSL session cacheing which interferes. However, I
don't see any related stunnel config keywords in the manpage, and
stunnel offering a cached session to a connection *from a different
client host* sound odd to me, too ... ?

Kind regards,
								J. Bern
Jochen Bern, Systemingenieur --- LINworks GmbH <http://www.LINworks.de/>
Postfach 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, Zentr. -0, Fax -299 - Amtsg. Darmstadt HRB 85202
Unternehmenssitz Weiterstadt, Geschäftsführer Metin Dogan, Oliver Michel

More information about the stunnel-users mailing list