[stunnel-users] Question: prevent close-notify alerts from stunnel server

bhakta79 bhakta79 at gmail.com
Thu Nov 29 05:03:23 CET 2012


I was trying MITM on a Windows application (which talks to a M$ server). 
stunnel was running on my Windows XP machine.

windows-client-app  -> stunnel server ---> stunnel client --> M$ Server

What I found is that the stunnel server sends a close_notify alert to the 
Windows client app, which causes the client to suspend all further 
communication (busted Windows client, of course!). I tried setting the 
TIMEOUTclose option to high values, but I always saw the server sending the 
close_notify alert (is TIMEOUTclose only a client-side parameter?).

Is there a way to configure the server not to send close_notify?

stunnel logs:

2012.11.28 18:32:12 LOG7[3908:5904]: SSL socket closed on SSL_read
2012.11.28 18:32:12 LOG7[3908:5904]: Sent socket write shutdown
2012.11.28 18:32:12 LOG7[3908:4232]: Socket closed on read
2012.11.28 18:32:12 LOG5[3908:5904]: Connection closed: 901 byte(s) sent 
to SSL, 38020 byte(s) sent to socket
2012.11.28 18:32:12 LOG7[3908:4232]: Sending close_notify alert
2012.11.28 18:32:12 LOG7[3908:4232]: SSL alert (write): warning: close 
2012.11.28 18:32:12 LOG6[3908:4232]: SSL_shutdown successfully sent 
close_notify alert
2012.11.28 18:32:12 LOG7[3908:5904]: Remote socket (FD=356) closed 

I finally ended up making this one-line code change to stop the server from 
sending the close alert, which helped my MITM progress.


         if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) && !sock_open_rd && !c->sock_ptr) {
             s_log(LOG_DEBUG, "BHAKTA - HACK -> Skip Sending close_notify alert");
             if(0 && SSL_version(c->ssl)!=SSL2_VERSION) { /* SSLv3, TLSv1 */
                 s_log(LOG_DEBUG, "Sending close_notify alert");
             } else { /* no alerts in SSLv2, including the close_notify alert */
                 s_log(LOG_DEBUG, "Closing SSLv2 socket");
                 shutdown(c->ssl_rfd->fd, SHUT_RD); /* notify the kernel */
                 shutdown(c->ssl_wfd->fd, SHUT_WR); /* send TCP FIN */
                 /* notify the OpenSSL library */

Is there a way to prevent the server from sending the close_notify alert by 
means of stunnel.conf parameters?


debug = 7
output = stunnel.log

cert = fakecert.pem
key = fakecert.key


socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

sslVersion = TLSv1
accept  =
connect =

client = yes
sslVersion = TLSv1
accept =
connect =

TIMEOUTclose = 300
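Added illustration (this is not stunnel's code and not part of the post above): the alert that stunnel logs as "Sending close_notify alert" is a two-byte TLS alert record (level warning, description close_notify). RFC 5246 section 7.2.1 requires the receiver to treat it as the end of the peer's data, which is exactly why a conforming client stops reading afterwards; the alert exists so that an endpoint can tell a clean close from a connection that was cut off (truncation). The constructed Python below builds that record, parses a record stream and classifies how the connection ended from the receiving endpoint's point of view. The sample streams are constructed, and the alert body is shown in the clear, as an endpoint sees it after decryption (on the wire in TLS 1.0 to 1.2 only the record type byte 21 is visible; the body is encrypted).

```python
"""Constructed example: what a TLS close_notify alert is, and how a receiver
distinguishes a clean close from truncation.  Not stunnel code."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# TLS record-layer content types (RFC 5246 section 6.2.1)
ALERT = 21
APPLICATION_DATA = 23
# Alert levels and the close_notify description (RFC 5246 section 7.2)
WARNING, FATAL = 1, 2
CLOSE_NOTIFY = 0

TLS1_0 = (3, 1)  # record version matching "sslVersion = TLSv1" in the config


@dataclass
class Record:
    content_type: int
    version: Tuple[int, int]
    body: bytes


def build_record(content_type: int, body: bytes, version=TLS1_0) -> bytes:
    """Serialise one TLS record: type (1), version (2), length (2), body."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def build_close_notify(version=TLS1_0) -> bytes:
    """close_notify alert record as the endpoint sees it after decryption:
    15 03 01 00 02 | 01 00  (type alert, TLS 1.0, length 2, warning, close_notify)."""
    return build_record(ALERT, bytes([WARNING, CLOSE_NOTIFY]), version)


def parse_records(stream: bytes) -> List[Record]:
    """Split a byte stream into TLS records; raise if a record is cut off."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("record header cut off at offset %d" % off)
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("record body cut off at offset %d" % off)
        records.append(Record(ctype, (vmaj, vmin), body))
        off += 5 + length
    return records


def classify_close(stream: bytes) -> str:
    """Classify how a (decrypted) record stream ended, from the receiver's view.

    'clean_close'      last record is close_notify: the peer is done and nothing
                       after it is legitimate, so a conforming client stops reading.
    'fatal_alert'      last record is a fatal alert.
    'truncation'       the stream ended (TCP FIN) without close_notify: the close
                       may not have come from the peer, and data may be missing.
    'data_after_close' application data follows close_notify, which a
                       conforming peer never sends.
    """
    records = parse_records(stream)
    for i, rec in enumerate(records):
        if rec.content_type == ALERT and rec.body == bytes([WARNING, CLOSE_NOTIFY]):
            return "clean_close" if i == len(records) - 1 else "data_after_close"
    if records and records[-1].content_type == ALERT and records[-1].body[:1] == bytes([FATAL]):
        return "fatal_alert"
    return "truncation"


# Constructed sample streams (plaintext bodies, as seen after decryption).
SAMPLE_CLEAN = build_record(APPLICATION_DATA, b"HTTP/1.0 200 OK\r\n\r\nhello") + build_close_notify()
SAMPLE_TRUNCATED = build_record(APPLICATION_DATA, b"HTTP/1.0 200 OK\r\n\r\nhel")
SAMPLE_AFTER_CLOSE = build_close_notify() + build_record(APPLICATION_DATA, b"late data")

if __name__ == "__main__":
    print("close_notify record:", build_close_notify().hex())
    for name, sample in (("clean", SAMPLE_CLEAN), ("truncated", SAMPLE_TRUNCATED),
                         ("after close", SAMPLE_AFTER_CLOSE)):
        print("%-12s -> %s" % (name, classify_close(sample)))
```

The 'truncation' outcome is the case close_notify was designed to make detectable: an endpoint that sees a TCP FIN with no preceding close_notify cannot know whether the peer finished sending or whether the connection was cut, so stunnel's "SSL_shutdown successfully sent close_notify alert" log line records the server doing the clean close that a client is entitled to rely on.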
