[stunnel-users] transfer() loop executes not transferring any data and truncated data when using unix sockets

Michal Trojnara Michal.Trojnara at mirt.net
Fri Feb 8 10:40:17 CET 2013


Dustin Lundquist wrote:
>> read(7, "HTTP/1.0 200 OKrnContent-Type: text/plainrnContent-Length:
>> 
>> 56391rnrnXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"...,
>> 18432) = 18432
>> poll([{fd=7, events=0}, {fd=3, events=POLLIN|POLLOUT}], 2, 43200000)
>> = 2 ([{fd=7, revents=POLLHUP}, {fd=3, revents=POLLOUT}])

poll() returned POLLHUP for socket 7, so the read side of this socket 
has been closed.

>> read(7, "", 0)                    = 0
>> sendto(6, "<31>Feb  5 15:08:44 stunnel: LOG7[20119:0]: Socket
>> closed on read", 65, MSG_NOSIGNAL, NULL, 0) = 65
>> write(2, "2013.02.05 15:08:44 LOG7[20119:0]: Socket closed on
>> readn", 57) = 57

Stunnel detects is properly.  Looks good.

> Here read() was being called with a size of zero, which according it
> the man page should return 0 and have no other results.

I guess the call to read() is indeed redundant here, as the condition 
could be detected by poll().  On the other hand it should be harmless.

>> > Web client  ---(SSL)--->  stunnel  ---(unix socket)--> haproxy
>> > ---(tcp/http)---> web server

It might be useful to see the configuration file, at lest whether 
"TIMEOUTclose" and "reset" options were specified.

>> > Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]:
>> > Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010

Interesting.  I don't think OpenSSL 1.0.0 is supported by FIPS (neither 
1.2 nor 2.0).

>> > Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]:
>> > sock_open_rd=n, sock_open_wr=Y

Read side of the socket was closed.

>> > Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]:
>> > SSL_RECEIVED_SHUTDOWN=n, SSL_SENT_SHUTDOWN=Y

close_notify was sent (this SSL functionality is broken in Microsoft 
software).

>> > Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]:
>> > sock_can_rd=Y, sock_can_wr=n

Looks like something I need to investigate.  sock_can_rd should=yes 
should not happen with sock_open_rd=no.
I definitely need to investigate how half-closed sockets are handled 
with Unix domain sockets.

>> > input buffer: 0 byte(s), ssl input buffer: 0 byte(s)
[cut]
>> > 2.  Add the "reset=no" parameter to our stunnel.conf (which
>> > seems to fix the problem, but makes me wonder if we're not
>> > opening ourselves up to other problems--  like really
>> > getting stuck in an infinite loop that that watchdog is
>> > intended to avoid.)

I this case (with empty buffers) "reset = no" should be safe.

>> > My best hypothesis at this point is that the transfer() code was
>> > written only with TCP sockets in mind, and that something about
>> > the unix socket in use here is triggering that loop too often.

Unix sockets indeed got much less testing than TCP sockets.

Mike



More information about the stunnel-users mailing list