[stunnel-users] Stunnel v4.54 SSL_connect: Peer suddenly disconnected

Brian Wilkins bwilkins at gmail.com
Wed Jan 2 14:59:07 CET 2013


It thinks your server is a client. Remove client = yes. You need to have a
client instance of stunnel and a server instance of stunnel. I am not too
keen on ldap, but I assume it is unencrypted, so use stunnel to tunnel the
traffic and then it gets down-selected to unencrypted on the receiving end.

Brian

On Wednesday, January 2, 2013, Arun Kumar wrote:

> Team,
>
> I am configuring stunnel for the first time.
> My requirement: "NetApp DataFabricManager" application on SLES10 SP4
> platform <------ (LDAP over Stunnel) -----> Windows 2003 Active
> Directory, for Active Directory user authentication.
>
>
> Stunnel.conf:
> -----------------------------------------------------------
> setuid = root
> setgid = root
>
> client = yes
>
> debug = 7
> output = /root/stunnel.log
>
> cert = /opt/crt_key.pem
> key = /opt/crt_key.pem
>
> pid = /var/run/stunnel.pid
>
> verify = 3
> CAfile = /opt/crt_key.pem
>
> options = NO_SSLv2
>
> [ldap]
> accept = 389
> connect = winad1-197-187:636
>
> [ldap-ha]
> accept = 8389
> connect = winad2-197-189:636
> -----------------------------------------------------------
>
> ocm5-197-196:~ # dfm ldap list
> Address          Port   Last Use                    Last Failure
> ---------------- ------ --------------------------- ---------------------------
> 127.0.0.1        389    2013-01-02 14:01:52.000000
> 127.0.0.1        8389   2013-01-02 13:49:35.000000
> ocm5-197-196:~ #
>
>
> ocm5-197-196:~ # dfm ldap find user1
> Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=<zz>,DC=<xx>,DC=<yy>,DC=com': Can't contact LDAP server
> Error: Failed to search for user1.
> ocm5-197-196:~ #
>
> NOTE: If I add the Active Directory server IP in the above list, instead of
> 127.0.0.1, LDAP authentication works fine.
>
> ocm5-197-196:~ # cat /etc/services
> ...
> .....
> ........
> #### This is a Manual Entry made by root user for AD authentication services & Stunnel Integration ########
> ldap-ha         8389/tcp    # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
> ldap-ha         8389/udp    # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
>
>
> ocm5-197-196:~ # stunnel /root/stunnel-4.54/tools/stunnel.conf
>
>
> stunnel.log:
>
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Clients allowed=500
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: stunnel 4.54 on x86_64-unknown-linux-gnu platform
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Compression not enabled
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Snagged 64 random bytes from /root/.rnd
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Wrote 1024 new random bytes to /root/.rnd
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: PRNG seeded successfully
> 2013.01.02 14:00:42 LOG6[7102:47010476379680]: Initializing service [ldap]
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate: /opt/crt_key.pem
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate loaded
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Key file: /opt/crt_key.pem
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Private key loaded
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded verify certificates from /opt/crt_key.pem
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded /opt/crt_key.pem revocation lookup file
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: SSL options set: 0x01000004
> 2013.01.02 14:00:42 LOG6[7102:47010476379680]: Initializing service [ldap-ha]
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate: /opt/crt_key.pem
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate loaded
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Key file: /opt/crt_key.pem
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Private key loaded
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded verify certificates from /opt/crt_key.pem
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded /opt/crt_key.pem revocation lookup file
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: SSL options set: 0x01000004
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Configuration successful
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Service [ldap] (FD=7) bound to 0.0.0.0:389
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Service [ldap-ha] (FD=8) bound to 0.0.0.0:8389
> 2013.01.02 14:00:42 LOG7[7103:47010476379680]: Created pid file /var/run/stunnel.pid
> 2013.01.02 14:01:52 LOG7[7103:47010476379680]: Service [ldap] accepted (FD=3) from 127.0.0.1:60332
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] started
> 2013.01.02 14:01:52 LOG5[7103:1073809728]: Service [ldap] accepted connection from 127.0.0.1:60332
> 2013.01.02 14:01:52 LOG6[7103:1073809728]: connect_blocking: connecting 192.168.10.7:636
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: connect_blocking: s_poll_wait 192.168.10.7:636: waiting 10 seconds
> 2013.01.02 14:01:52 LOG5[7103:1073809728]: connect_blocking: connected 192.168.10.7:636
> 2013.01.02 14:01:52 LOG5[7103:1073809728]: Service [ldap] connected remote server from 192.168.10.1:40664
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Remote socket (FD=10) initialized
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): before/connect initialization
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): SSLv3 write client hello A
> 2013.01.02 14:01:52 LOG3[7103:1073809728]: SSL_connect: Peer suddenly disconnected   <------------------
> 2013.01.02 14:01:52 LOG5[7103:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Remote socket (FD=10) closed
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Local socket (FD=3) closed
> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] finished (0 left)
>
>
> I initially started with stunnel-4.14, available on the SLES10 GA OS media,
> and noticed the peer disconnected issue.
> I went through the stunnel mailing list archive for related issues, but
> didn't get much help.
> Finally I upgraded stunnel to v4.54, with no progress.
>
> Google hits mentioned that it's a configuration issue / the client is not
> accepting sockets, but in the end no clue how to proceed.
>
> Kindly assist with "SSL_connect: Peer suddenly disconnected" and getting
> the SSL handshake to work.
>
> Warm Regards,
> Arun
> UNIX admin
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130102/b6bde07c/attachment.html>
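Added example, not part of this thread and not stunnel's own code: a small Python triage script for the failure quoted above. The first part reads stunnel debug output (debug = 7) and reports the last "SSL state" line reached before the SSL_connect error; in the log quoted above that is "SSLv3 write client hello A", i.e. the DC accepted the TCP connection on 636 and closed it before sending a ServerHello, which is before any certificate or `verify` setting can matter. The second part opens a TLS session directly to the directory server with Python's ssl module, bypassing stunnel, so a broken stunnel.conf can be told apart from a DC that does not complete a TLS handshake on that port. The sample log lines are constructed from the thread's log; the host name on the command line and the optional CA file are the caller's, and the script assumes nothing about the DC beyond what the log shows.

```python
"""Triage 'SSL_connect: Peer suddenly disconnected' from an stunnel client.

Part 1 parses stunnel debug output and reports the last SSL state reached
before the error, with a hint for that stage.
Part 2 opens a TLS session straight to the directory server, bypassing
stunnel, so stunnel.conf can be ruled in or out.
"""
import re
import socket
import ssl
import sys

# Constructed sample, trimmed from the log quoted in the thread.
SAMPLE_LOG = """\
2013.01.02 14:01:52 LOG5[7103:1073809728]: connect_blocking: connected 192.168.10.7:636
2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): before/connect initialization
2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): SSLv3 write client hello A
2013.01.02 14:01:52 LOG3[7103:1073809728]: SSL_connect: Peer suddenly disconnected
2013.01.02 14:01:52 LOG5[7103:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
"""

STATE_RE = re.compile(r"SSL state \((?:connect|accept)\): (.+)$")
ERROR_RE = re.compile(r"SSL_(?:connect|accept): (.+)$")


def hint_for(state):
    """Map the last logged SSL state to what to check next."""
    if state is None:
        return "no SSL state logged: the failure is before the TLS handshake (TCP/DNS)"
    s = state.lower()
    if "client hello" in s:
        return ("peer closed after the ClientHello and before any ServerHello: "
                "the TCP port is open but the service did not complete a TLS "
                "handshake; confirm the DC really serves TLS on this port and "
                "accepts the protocol versions/ciphers the client offers")
    if "server hello" in s or "certificate" in s or "key exchange" in s:
        return "ServerHello received: certificate and verify settings are now in play"
    return "failure late in the handshake: compare cipher/protocol settings on both sides"


def classify_handshake_failure(log_text):
    """Return (last_state, error_message, hint) for the first SSL_* error,
    or (last_state, None, None) if the log contains no such error."""
    last_state = None
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state = m.group(1)
            continue
        m = ERROR_RE.search(line)
        if m:
            return last_state, m.group(1), hint_for(last_state)
    return last_state, None, None


def probe_ldaps(host, port=636, cafile=None, timeout=10):
    """Connect to host:port with TLS, independent of stunnel.

    With cafile=None the server certificate is NOT verified; that mode only
    answers "does this port speak TLS at all?". Pass the DC's issuing CA
    certificate as cafile to also verify the chain, as stunnel's verify does.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if hasattr(ssl, "TLSVersion"):
        # Old DCs (the thread's is Windows 2003) may not speak TLS 1.2; lower
        # the floor so the probe can still talk to them where the local
        # OpenSSL build allows it.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # diagnostic only, never for production
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return {"ok": False, "stage": "tcp connect", "error": str(e)}
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"ok": True, "stage": "tls handshake",
                    "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as e:  # SSLEOFError / ECONNRESET land here
        return {"ok": False, "stage": "tls handshake", "error": str(e)}
    finally:
        raw.close()


def main(argv):
    state, err, hint = classify_handshake_failure(SAMPLE_LOG)
    print(f"sample log: last state={state!r} error={err!r}\n  hint: {hint}")
    if len(argv) > 1:
        host = argv[1]                              # e.g. winad1-197-187
        cafile = argv[2] if len(argv) > 2 else None  # optional CA bundle for the DC
        print("direct probe:", probe_ldaps(host, cafile=cafile))


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python3 ldaps_triage.py winad1-197-187` (add the DC's issuing CA file as a second argument to verify the chain as well). If the direct probe also fails at the "tls handshake" stage with an EOF or connection reset, the drop is on the DC side and no stunnel.conf change will fix it; if the probe succeeds, compare the negotiated version and cipher with what stunnel 4.54 built against OpenSSL 0.9.8a can offer. One separate observation on the quoted config: `CAfile = /opt/crt_key.pem` is stunnel's own certificate and key, so `verify = 3` can only validate a peer whose certificate chains to that file; verifying the DC requires the DC's issuing CA certificate there. That setting is not what is failing here, because the connection dies before the DC sends a certificate, but it is the next thing that will fail once the handshake gets further.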