[stunnel-users] Connection problems and TCP frame checksum errors

Peter pslists at warren-selbert.com
Tue Oct 10 20:27:07 CEST 2006


What does the tcpdump indicate?  Are the failed connections getting dropped or
reset on the computer that's forwarding, or are they actually arriving at the
stunnel server?  If they make it to the stunnel server, what does tcpdump
indicate at that connection point?
Pete
----- Original Message ----- 
From: "Tommi Nieminen" <ttn at mbnet.fi>
To: <stunnel-users at mirt.net>
Sent: Monday, October 09, 2006 9:40 AM
Subject: [stunnel-users] Connection problems and TCP frame checksum errors


>
> I have the following kind of test environment: SSL clients
> call a public ip address from which the calls are forwarded
> to a linux server with Stunnel. The linux server is in a
> private network. Stunnel decrypts the data and sends it
> forward.
>
> I have been testing this with a browser, monitoring the
> traffic on the server to see that Stunnel forwards the
> calls. Some strange things happen there that I can't
> explain. First of all: sometimes the calls go through
> the server as expected, sometimes the server doesn't
> respond in any way to the client. If I have two terminal
> windows open, one with tcpdump and another with
> tail -f stunnel.log - nothing comes into the log in spite
> of the incoming connections attempts.
>
> Then on other occasions when the calls come to the server,
> it forwards them beautifully to the address and port set in
> the configuration file.
>
> Does anyone have any clue, what this could be due to? I
> haven't been able to explain why it sometimes works and
> sometimes doesn't.
>
> Another thing that bothers me is, that sometimes there
> are TCP frames with incorrect checksum. I've monitored
> with Ethereal and tcpdump. Both show incorrect frames,
> and they are always from the stunnel-end of the connection.
> What could be the cause of those broken frames?
>
> Tommi Nieminen
>
> --------------------------------------------------------
> My stunnel.conf looks like this:
> (any constructive criticism would be welcome :-))
>
> CAfile = /home/tommi/cert/7/demoCA/cacert.pem
> cert = /home/tommi/cert/7/newcert.pem
> key = /home/tommi/cert/7/newkey.pem
>
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> output = /var/log/stunnel/stunnel.log
> pid = /var/run/stunnel/stunnel.pid
> debug = 7
> client = no
>
> [https]
> accept  = 443
> connect = 192.168.10.17:5010
> TIMEOUTclose = 0
>
> --------------------------------------------------------
> A successful connection from stunnel.log:
>
> 2006.10.09 18:01:43 LOG7[11889:3083744960]: https accepted FD=7 from 131.177.254.92:2689
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: https started
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: FD 7 in non-blocking mode
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: TCP_NODELAY option set on local socket
> 2006.10.09 18:01:43 LOG5[11889:3083742128]: https connected from 131.177.254.92:2689
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): before/accept initialization
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 read client hello A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 write server hello A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 write certificate A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 write server done A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 flush data
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 read client key exchange A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 read finished A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 write change cipher spec A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 write finished A
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: SSL state (accept): SSLv3 flush data
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    2 items in the session cache
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    0 client connects (SSL_connect())
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    0 client connects that finished
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    0 client renegotiations requested
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    8 server connects (SSL_accept())
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    7 server connects that finished
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    0 server renegotiations requested
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    4 session cache hits
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    1 session cache misses
> 2006.10.09 18:01:43 LOG7[11889:3083742128]:    1 session cache timeouts
> 2006.10.09 18:01:43 LOG6[11889:3083742128]: SSL accepted: new session negotiated
> 2006.10.09 18:01:43 LOG6[11889:3083742128]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: FD 8 in non-blocking mode
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: https connecting 192.168.10.17:5010
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: connect_wait: waiting 10 seconds
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: connect_wait: connected
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: Remote FD=8 initialized
> 2006.10.09 18:01:43 LOG7[11889:3083742128]: TCP_NODELAY option set on remote socket
> 2006.10.09 18:02:45 LOG7[11889:3083742128]: Socket closed on read
> 2006.10.09 18:02:45 LOG7[11889:3083742128]: SSL write shutdown
> 2006.10.09 18:02:45 LOG7[11889:3083742128]: SSL alert (write): warning: close notify
> 2006.10.09 18:02:45 LOG7[11889:3083742128]: SSL_shutdown retrying
> 2006.10.09 18:02:45 LOG7[11889:3083742128]: SSL doesn't need to read or write
> 2006.10.09 18:02:45 LOG6[11889:3083742128]: s_poll_wait timeout: connection close
> 2006.10.09 18:02:45 LOG5[11889:3083742128]: Connection closed: 0 bytes sent to SSL, 405 bytes sent to socket
> 2006.10.09 18:02:45 LOG7[11889:3083742128]: https finished (0 left)
>
>
> (and the failed connections leave also no mark in the log, but tcpdump
> sees the attempts on the server)
>
> --------------------------------------------------------
> A sample of tcpdump's output with incorrect checksum:
>
> 18:02:45.150656 IP (tos 0x0, ttl  64, id 11218, offset 0, flags [DF], proto: TCP (6), length: 77) 192.168.20.18.https > 131.177.254.92.2689: P, cksum 0x5708 (incorrect (-> 0xf1bf), 1035:1072(37) ack 756 win 7504
>
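Pete's question (do the SYNs that tcpdump sees ever show up as "accepted" in stunnel.log?) can be answered mechanically by correlating the two sources. The script below is an added example, not code from either poster or from the stunnel project; it assumes a `debug = 7` log in the format quoted above, the old-style tcpdump `-v` flag letters shown in the sample (`S`, `P`), and that the stunnel host is 192.168.20.18. It also tags frames flagged "incorrect" by whether they originate from the local host: tcpdump captures outbound frames before a NIC with transmit checksum offload fills in the checksum, so locally sourced "incorrect" checksums are normally a capture artifact rather than corruption on the wire.

```python
import re

# Constructed sample data in the formats quoted in the thread (not real captures).
LOCAL_IP = "192.168.20.18"   # stunnel host address seen in the tcpdump sample

STUNNEL_LOG = """\
2006.10.09 18:01:43 LOG7[11889:3083744960]: https accepted FD=7 from 131.177.254.92:2689
2006.10.09 18:01:43 LOG5[11889:3083742128]: https connected from 131.177.254.92:2689
2006.10.09 18:02:45 LOG5[11889:3083742128]: Connection closed: 0 bytes sent to SSL, 405 bytes sent to socket
"""

TCPDUMP = """\
18:01:43.100001 IP (tos 0x0, ttl 120, id 1, offset 0, flags [DF], proto: TCP (6), length: 48) 131.177.254.92.2689 > 192.168.20.18.https: S, cksum 0x1a2b (correct), 10:10(0) win 65535
18:02:45.150656 IP (tos 0x0, ttl  64, id 11218, offset 0, flags [DF], proto: TCP (6), length: 77) 192.168.20.18.https > 131.177.254.92.2689: P, cksum 0x5708 (incorrect (-> 0xf1bf), 1035:1072(37) ack 756 win 7504
18:05:12.000001 IP (tos 0x0, ttl 120, id 2, offset 0, flags [DF], proto: TCP (6), length: 48) 131.177.254.92.2701 > 192.168.20.18.https: S, cksum 0x3c4d (correct), 20:20(0) win 65535
"""

# "<date> <time> LOGn[pid:tid]: <service> accepted FD=n from ip:port"
ACCEPT_RE = re.compile(r"^\S+ \S+ LOG\d\[[^\]]+\]: \w+ accepted FD=\d+ from (\S+)$", re.M)
# "<time> IP (...) src.sport > dst.dport: FLAGS, ..."  (old-style flag letters)
PKT_RE = re.compile(
    r"^(\d\d:\d\d:\d\d)\.\d+ IP .*?(\d+\.\d+\.\d+\.\d+)\.(\w+) > (\d+\.\d+\.\d+\.\d+)\.(\w+): ([A-Z.]+),",
    re.M)

def accepted_peers(log_text):
    """Client ip:port pairs that stunnel logged as accepted."""
    return set(ACCEPT_RE.findall(log_text))

def syn_peers(dump_text):
    """Client ip:port pairs whose SYN reached the stunnel host according to tcpdump."""
    peers = set()
    for _ts, src, sport, dst, _dport, flags in PKT_RE.findall(dump_text):
        if "S" in flags and dst == LOCAL_IP:
            peers.add(f"{src}:{sport}")
    return peers

def unaccounted_syns(dump_text, log_text):
    """SYNs tcpdump saw that never produced an 'accepted' line: the failing attempts."""
    return sorted(syn_peers(dump_text) - accepted_peers(log_text))

def bad_checksum_sources(dump_text):
    """(source ip, local|remote) for every frame tcpdump marked as 'incorrect'."""
    out = []
    for line in dump_text.splitlines():
        m = PKT_RE.match(line)
        if m and "incorrect" in line:
            src = m.group(2)
            out.append((src, "local" if src == LOCAL_IP else "remote"))
    return out

if __name__ == "__main__":
    print("SYNs with no accept in stunnel.log:", unaccounted_syns(TCPDUMP, STUNNEL_LOG))
    print("incorrect checksums originate from:", bad_checksum_sources(TCPDUMP))
```

A SYN that appears in `unaccounted_syns` reached the stunnel host's interface but never reached the listening socket, which points at the host's own firewall or a service that is not listening rather than at stunnel's configuration.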