[stunnel-users] Stunnel4 not working?

David H. Durgee dhdurgee at verizon.net
Sat May 9 13:54:56 CEST 2015


> Please see highlighted below:
>
> On Fri, May 8, 2015 at 5:27 PM, David H. Durgee <dhdurgee at verizon.net  <https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users>>
> wrote:
>
> >/  At some point in the near past stunnel stopped working on my laptop.  The
> />/  laptop is running Linux Mint 17.1 Rebecca x64 and stunnel from the
> />/  repositories.  I enabled debug=7, but I am not getting much from the log:
> />/
> />/
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Clients allowed=500
> />/
> />/
> />/
> />/  *2015.05.08 17 <2015.05.08%2017>:12:06 LOG5[10804:140318864611136]:
> />/  stunnel 4.53 on x86_64-pc-linux-gnu platform 2015.05.08 17
> />/  <2015.05.08%2017>:12:06 LOG5[10804:140318864611136]: Compiled with OpenSSL
> />/  1.0.1e 11 Feb 2013 2015.05.08 17 <2015.05.08%2017>:12:06
> />/  LOG5[10804:140318864611136]: Running  with OpenSSL 1.0.1f 6 Jan 2014
> />/  2015.05.08 17 <2015.05.08%2017>:12:06 LOG5[10804:140318864611136]: Update
> />/  OpenSSL shared libraries or rebuild stunnel*
> /
>
> Is there a reason that you're using libraries from a different compiled
> Stunnel? In fact, isn't there another Stunnel package you can use that is
> more up-to-date? If not, perhaps compile your own using the OpenSSL
> libraries that comes with Mint.

I am using the package from the Mint repository, which in this case is 
the Ubuntu Trusty repository.  If you know of a repository I can add 
with a more current package I will do so.  If necessary I guess I could 
build from source, but I don't do that often and would prefer to locate 
a binary.

> >/
> />/  2015.05.08 17:12:06 LOG5[10804:140318864611136]: Threading:PTHREAD
> />/  SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
> />/  2015.05.08 17:12:06 LOG5[10804:140318864611136]: Reading configuration
> />/  from file /etc/stunnel/stunnel.conf
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Compression not enabled
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: PRNG seeded successfully
> />/  2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service
> />/  section [telnets]
> />/  *2015.05.08 17 <2015.05.08%2017>:12:06 LOG4[10804:140318864611136]:
> />/  Insecure file permissions on /etc/ssl/certs/stunnel.pem*
> /
>
> Warning: the permissions may be too wide-open (should be 700 I assume)
>
>
> >/
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate:
> />/  /etc/ssl/certs/stunnel.pem
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file:
> />/  /etc/ssl/certs/stunnel.pem
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set:
> />/  0x00000004
> />/  2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service
> />/  section [dsp3270s]
> />/  *2015.05.08 17 <2015.05.08%2017>:12:06 LOG4[10804:140318864611136]:
> />/  Insecure file permissions on /etc/ssl/certs/stunnel.pem*
> /
>
> Same as above, perhaps too wide open, permissions should be 700 I assume.
>
>
> >/
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate:
> />/  /etc/ssl/certs/stunnel.pem
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file:
> />/  /etc/ssl/certs/stunnel.pem
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set:
> />/  0x00000004
> />/  2015.05.08 17:12:06 LOG5[10804:140318864611136]: Configuration successful
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [telnets]
> />/  (FD=12) bound to 0.0.0.0:3141
> />/  2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [dsp3270s]
> />/  (FD=13) bound to 0.0.0.0:7490
> />/  2015.05.08 17:12:06 LOG7[10810:140318864611136]: Created pid file
> />/  /stunnel4.pid
> />/  2015.05.08 17:12:31 LOG7[10810:140318864611136]: Service [telnets]
> />/  accepted (FD=3) from 127.0.0.1:40090
> />/  2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] started
> />/  2015.05.08 17:12:31 LOG7[10810:140318864770816]: Waiting for a libwrap
> />/  process
> />/  2015.05.08 17:12:31 LOG7[10810:140318864770816]: Acquired libwrap process
> />/  #0
> />/
> />/
> />/  *2015.05.08 17 <2015.05.08%2017>:12:31 LOG3[10810:140318864770816]:
> />/  Unexpected socket close (read_blocking) 2015.05.08 17
> />/  <2015.05.08%2017>:12:31 LOG5[10810:140318864770816]: Connection reset: 0
> />/  byte(s) sent to SSL, 0 byte(s) sent to socket 2015.05.08 17
> />/  <2015.05.08%2017>:12:31 LOG7[10810:140318864770816]: Local socket (FD=3)
> />/  closed*
> /
>
> that sounds like SELinux permissions perhaps? Have you tried temporarily
> disabling SELinux, or perhaps you have a firewall (iptables) set up? You'll
> have to allow the incoming port and possibly an entry in /etc/services
> IIRC. I don't know if this helps but this is what I found:
> https://sites.google.com/site/easylinuxtipsproject/security
> A link to "ufw" may prove useful, if your system has that installed. Most
> systems have locked-down privileged ports (any port less than 1024, like in
> your example).

I  do have ufw here, but I have the same problem with it enabled or 
disabled.  The telnets service is listening on port 3141 and the 
dsp3270s on port 7490, so neither of them are privileged ports.

> >/
> />/  2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets]
> />/  finished (0 left)
> />/  2015.05.08 17:12:31 LOG7[10810:140318864770816]: str_stats: 1 block(s),
> />/  32 data byte(s), 58 control byte(s)
> />/  2015.05.08 17:13:32 LOG7[10810:140318864611136]: Service [dsp3270s]
> />/  accepted (FD=3) from 127.0.0.1:48534
> />/  2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s]
> />/  started
> />/  2015.05.08 17:13:32 LOG7[10810:140318864770816]: Waiting for a libwrap
> />/  process
> />/  2015.05.08 17:13:32 LOG7[10810:140318864770816]: Acquired libwrap process
> />/  #1
> />/  *2015.05.08 17 <2015.05.08%2017>:13:32 LOG3[10810:140318864770816]:
> />/  Unexpected socket close (read_blocking)*
> />/
> /
> That sounds like some kind of firewall issue (like above).

As noted above, same behavior with ufw enabled or disabled.

> >/  2015.05.08 17:13:32 LOG5[10810:140318864770816]: Connection reset: 0
> />/  byte(s) sent to SSL, 0 byte(s) sent to socket
> />/  2015.05.08 17:13:32 LOG7[10810:140318864770816]: Local socket (FD=3)
> />/  closed
> />/  2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s]
> />/  finished (0 left)
> />/  2015.05.08 17:13:32 LOG7[10810:140318864770816]: str_stats: 1 block(s),
> />/  32 data byte(s), 58 control byte(s)
> />/
> />/
> /  When in a situation like this, I would first try unprivileged ports with
> localhost using iperf, just to generate some dummy traffic. A good
> technique I use when debugging stunnel versus debugging networking or other
> security issues is to do local traffic only like this:
>
>     1. iperf client connect to localhost port 5000
>     2. Stunnel client listen on port 5000, connect to localhost port 6000
>     3. Stunnel server listen on port 6000, connect to localhost port 7000
>     4. iperf server listening on localhost port 7000
>
> As you can see from that, running iperf client for a few seconds, it should
> be able to connect to the iperf server. If not, stunnel is not working.
> Debug this FIRST before proceeding to working with non-localhost IP
> addresses. The actual procedure would be as follows:
>
>     1. Download/install iperf
>     2. Verify iperf works by having one shell run as server, listening on
>     localhost port 7000, and another shell setup iperf client sending on port
>     7000. If that works, then proceed. Don't use iperf to connect to port 7000
>     again.
>     3. Set up two config files, one for stunnel client and one for stunnel
>     server, with different ports and the "client=yes" in the client config
>     file. For easier detection with "ps" or "top", you can copy the executable
>     file to another name (i.e., "s4client" for the stunnel 4 client, and
>     "s4server" for the stunnel 4 server). Similarly for iperf, you can copy the
>     exe to "iperfc" and "iperfs" for iperf server, for easier process detection.
>     4. Start up the stunnel server first, then stunnel client, with the
>     appropriate config files per the port enumeration mentioned above.
>     5. Start iperf server listening on port 7000.
>     6. Start iperf client sending on port 5000. If you get some really large
>     value or nothing, then your stunnel config (client/server) needs to be
>     debugged first before proceeding to non-localhost IPs. I usually get
>     something like 3GB/sec when using a Windows 7 VM inside Windows 7 doing
>     this from DOS prompts with appropriate server/client configs set up. I
>     usually use four windows: two for iperf (c/s), two for stunnel (c/s).
>
> Hope that helps...
>    -Rob
I have an stunnel server on another system on the LAN and that is the 
one I am having the client with the problem connect to while trying to 
find the problem.  I know that server is working, as I have seen other 
incoming traffic handled by it.

I suspect the problem is related to the message you pointed out that I 
missed about SSL libraries.  I would very much appreciate a pointer to a 
more current package in a repository.

Thanks for your response, Rob.

Dave


More information about the stunnel-users mailing list