[stunnel-users] Stunnel waits for a long time if client does not negotiate SSL

Denis Solovyov elk at elk.ru
Tue Aug 7 22:23:16 CEST 2012


> stunnel thinks the pipe is still open until the peer closes it. 
> Have you tried using the TIMEOUTidle or TIMEOUTbusy option?
> http://www.stunnel.org/static/stunnel.html

Yes, I wrote in my message that they didn't have any effect, unfortunately
(although of course they were expected to). I set them to different values
(for example, 10 or 60 sec), and the connection just stayed established for
minutes. I can understand why it happens; I want to understand if there
is a way to avoid it, as this may bring down an entire service,
as far as I understand...

For example, proftpd has different timeouts for login and idle. I'd
appreciate an "SSL negotiation timeout", but maybe there is another
solution, or maybe this is even my local problem.

I forgot to write that the pop3 software was not started by stunnel at all
here, since SSL was not negotiated. There was just a waiting stunnel process.


> On Tue, Aug 7, 2012 at 3:47 PM, Denis Solovyov <elk at elk.ru> wrote:
> Hello,

> I use stunnel 4.53 to provide pop3s for existing pop3 service. I start
> stunnel from xinetd, and then exec pop3 utility from stunnel.

> If a legal pop3s client connects to a server, everything's fine. But if
> I try to do "telnet host 995" with a simple telnet client and then just
> do nothing (or even close the telnet client without quitting), the stunnel
> process keeps waiting for a very long time (actually maybe forever, I
> just kill it). The last line in the log in such a case is "Service [stunnel]
> accepted connection from xx.xx.xx.xx:xxxx". No stunnel TIMEOUT* options
> have any effect in this situation.

> What can I do to avoid such "waiting"?
> Maybe stunnel should have something like "SSL negotiation timeout"?  Or
> is there a way to emulate it? (Analyzing `ps` or `netstat` is a bad idea
> of course.)

With the best regards,
Denis Solovyov
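
An added example, not part of the original post and not stunnel code: a Python sketch of the "SSL negotiation timeout" asked for above, for a TLS-accepting front end you control. The name `handshake_with_deadline` and its parameters are hypothetical, and `ctx` is assumed to be a server-side `ssl.SSLContext` with a certificate already loaded.

```python
import select
import socket
import ssl
import time


def handshake_with_deadline(conn, ctx, deadline_s):
    """Return a TLS socket, or None if the handshake is not done in deadline_s.

    Hypothetical helper. The deadline covers the whole handshake, so a peer
    that stays silent, or that drips one byte at a time, is cut off at the
    same point. Call it before starting the backend service for the client.
    """
    end = time.monotonic() + deadline_s
    conn.setblocking(False)
    # Defer the handshake so that it can be driven step by step below.
    tls = ctx.wrap_socket(conn, server_side=True, do_handshake_on_connect=False)
    while True:
        remaining = end - time.monotonic()
        if remaining <= 0:
            tls.close()            # peer never finished negotiating
            return None
        try:
            tls.do_handshake()
        except ssl.SSLWantReadError:
            # Handshake needs more bytes from the peer: wait, but only
            # for what is left of the overall deadline.
            select.select([tls], [], [], remaining)
        except ssl.SSLWantWriteError:
            select.select([], [tls], [], remaining)
        except OSError:            # includes ssl.SSLError: plaintext, reset, EOF
            tls.close()
            return None
        else:
            tls.setblocking(True)  # negotiated: hand over a normal socket
            return tls
```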