[stunnel-users] stunnel 5.x no answer in server mode?

Ulli Horlacher framstag at rus.uni-stuttgart.de
Wed Aug 31 09:40:57 CEST 2016


I use stunnel as a https proxy for my own http server (*).

The server mode of stunnel 5.x does not work any more.
It accepts the connection and then immediately closes it without sending
back any data.
stunnel 4.x is working fine (for many years!), with the same configuration.

Here is my (test) config which shows the problem (host is Ubuntu 16.04):

root at xerus:/tmp# cat stunnel.conf 
pid = /tmp/stunnel.pid
output = /home/fex/spool/stunneld.log
debug = debug
fips = no
foreground = yes

[https]
accept = 443
cert = /home/fex/etc/stunnel.pem
sslVersion = all
TIMEOUTclose = 1
exec = perl
execargs = perl -T /home/fex/bin/fexsrv stunnel


root at xerus:/tmp# /opt/stunnel-5.35/bin/stunnel stunnel.conf
2016.08.30 18:58:55 LOG7[ui]: Clients allowed=500
2016.08.30 18:58:55 LOG5[ui]: stunnel 5.35 on x86_64-unknown-linux-gnu platform
2016.08.30 18:58:55 LOG5[ui]: Compiled/running with OpenSSL 1.0.2g-fips  1 Mar 2016
2016.08.30 18:58:55 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.08.30 18:58:55 LOG7[ui]: errno: (*__errno_location ())
2016.08.30 18:58:55 LOG5[ui]: Reading configuration from file /tmp/stunnel.conf
2016.08.30 18:58:55 LOG5[ui]: UTF-8 byte order mark not detected
2016.08.30 18:58:55 LOG5[ui]: FIPS mode disabled
2016.08.30 18:58:55 LOG7[ui]: Compression disabled
2016.08.30 18:58:55 LOG7[ui]: Snagged 64 random bytes from /root/.rnd
2016.08.30 18:58:55 LOG7[ui]: Wrote 1024 new random bytes to /root/.rnd
2016.08.30 18:58:55 LOG7[ui]: PRNG seeded successfully
2016.08.30 18:58:55 LOG6[ui]: Initializing service [https]
2016.08.30 18:58:55 LOG6[ui]: Loading certificate from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: Certificate loaded from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: Loading private key from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: Private key loaded from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG7[ui]: Private key check succeeded
2016.08.30 18:58:55 LOG7[ui]: DH initialization
2016.08.30 18:58:55 LOG7[ui]: Using DH parameters from /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: 1024-bit DH parameters loaded
2016.08.30 18:58:55 LOG7[ui]: ECDH initialization
2016.08.30 18:58:55 LOG7[ui]: ECDH initialized with curve prime256v1
2016.08.30 18:58:55 LOG7[ui]: SSL options: 0x03004004 (+0x03004000, -0x00000000)
2016.08.30 18:58:55 LOG5[ui]: Configuration successful
2016.08.30 18:58:55 LOG7[ui]: Listening file descriptor created (FD=7)
2016.08.30 18:58:55 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2016.08.30 18:58:55 LOG7[ui]: Service [https] (FD=7) bound to 0.0.0.0:443
2016.08.30 18:58:55 LOG7[ui]: Created pid file /tmp/stunnel.pid

(here comes the https client connect)

2016.08.30 18:59:20 LOG7[ui]: Found 1 ready file descriptor(s)
2016.08.30 18:59:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2016.08.30 18:59:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2016.08.30 18:59:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:44166
2016.08.30 18:59:20 LOG7[0]: Service [https] started
2016.08.30 18:59:20 LOG7[0]: Option TCP_NODELAY set on local socket
2016.08.30 18:59:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:44166
2016.08.30 18:59:20 LOG6[0]: Peer certificate not required
2016.08.30 18:59:20 LOG7[0]: SSL state (accept): before/accept initialization
2016.08.30 18:59:20 LOG7[0]: SNI: no virtual services defined
2016.08.30 18:59:20 LOG7[0]: New session callback
2016.08.30 18:59:20 LOG7[0]:      1 server accept(s) requested
2016.08.30 18:59:20 LOG7[0]:      1 server accept(s) succeeded
2016.08.30 18:59:20 LOG7[0]:      0 server renegotiation(s) requested
2016.08.30 18:59:20 LOG7[0]:      0 session reuse(s)
2016.08.30 18:59:20 LOG7[0]:      0 internal session cache item(s)
2016.08.30 18:59:20 LOG7[0]:      0 internal session cache fill-up(s)
2016.08.30 18:59:20 LOG7[0]:      0 internal session cache miss(es)
2016.08.30 18:59:20 LOG7[0]:      0 external session cache hit(s)
2016.08.30 18:59:20 LOG7[0]:      0 expired session(s) retrieved
2016.08.30 18:59:20 LOG6[0]: SSL accepted: new session negotiated
2016.08.30 18:59:20 LOG6[0]: No peer certificate received
2016.08.30 18:59:20 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-SHA256 (128-bit encryption)
2016.08.30 18:59:20 LOG7[0]: Compression: null, expansion: null
2016.08.30 18:59:20 LOG6[0]: Local mode child started (PID=30833)
2016.08.30 18:59:20 LOG7[0]: Option TCP_NODELAY set on remote socket
2016.08.30 18:59:20 LOG7[0]: Remote descriptor (FD=11) initialized
2016.08.30 18:59:20 LOG6[0]: Read socket closed (readsocket)
2016.08.30 18:59:20 LOG7[0]: Sending close_notify alert
2016.08.30 18:59:20 LOG7[0]: SSL alert (write): warning: close notify
2016.08.30 18:59:20 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2016.08.30 18:59:20 LOG7[ui]: Found 1 ready file descriptor(s)
2016.08.30 18:59:20 LOG7[ui]: FD=4 events=0x2001 revents=0x1
2016.08.30 18:59:20 LOG7[ui]: FD=7 events=0x2001 revents=0x0
2016.08.30 18:59:20 LOG7[ui]: Dispatching signals from the signal pipe
2016.08.30 18:59:20 LOG7[ui]: Processing SIGCHLD
2016.08.30 18:59:20 LOG6[ui]: Child process 30833 finished with code 1
2016.08.30 18:59:20 LOG7[ui]: Signal pipe is empty
2016.08.30 18:59:20 LOG3[0]: socket fd: Broken pipe (32)
2016.08.30 18:59:20 LOG6[0]: writesocket: Socket is closed
2016.08.30 18:59:20 LOG5[0]: Connection closed: 0 byte(s) sent to SSL, 23 byte(s) sent to socket
2016.08.30 18:59:20 LOG7[0]: Remote descriptor (FD=11) closed
2016.08.30 18:59:20 LOG7[0]: Local descriptor (FD=3) closed
2016.08.30 18:59:20 LOG7[0]: Service [https] finished (0 left)

The client receives no data at all, the connection is closed by the server
(stunnel).

As I wrote: with stunnel 4.27 everything works as expected. Does stunnel
5.x need another configuration?


(*) http://fex.rus.uni-stuttgart.de/

-- 
Ullrich Horlacher              Server und Virtualisierung
Rechenzentrum TIK         
Universitaet Stuttgart         E-Mail: horlacher at tik.uni-stuttgart.de
Allmandring 30a                Tel:    ++49-711-68565868
70569 Stuttgart (Germany)      WWW:    http://www.tik.uni-stuttgart.de/
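As an added example (not part of the post above or of the stunnel project), the following Python script parses stunnel 5 debug logs of the kind quoted in the post and flags connections whose `exec` child exited non-zero while zero bytes went back to the TLS client, which is exactly the symptom shown: child 30833 exits with code 1 right after the 23-byte request was written to it, and the client gets nothing. The sample lines are a subset of the log in the post plus one constructed healthy connection. The regexes assume stunnel 5's line format (`LOGn[id]: message`, where `[ui]` is the main thread and the bracketed number is a per-connection id unique within a log file); the child-exit message is logged under `[ui]`, so it is correlated back to its connection by PID.

```python
"""Scan stunnel debug logs for exec children that died without answering the client."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One stunnel 5 log line: "<date> <time> LOG<level>[<conn id>]: <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<cid>[^\]]+)\]: (?P<msg>.*)$')
ACCEPT_RE = re.compile(r'Service \[(?P<svc>[^\]]+)\] accepted connection from (?P<peer>\S+)')
CHILD_START_RE = re.compile(r'Local mode child started \(PID=(?P<pid>\d+)\)')
CHILD_EXIT_RE = re.compile(r'Child process (?P<pid>\d+) finished with code (?P<code>\d+)')
CLOSED_RE = re.compile(
    r'Connection closed: (?P<to_ssl>\d+) byte\(s\) sent to SSL, (?P<to_sock>\d+) byte\(s\) sent to socket')

# Sample input: lines quoted from the post (connection 0) plus a constructed
# healthy connection (connection 1, PID 30900) to show the filter discriminates.
SAMPLE_LOG = """\
2016.08.30 18:59:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:44166
2016.08.30 18:59:20 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-SHA256 (128-bit encryption)
2016.08.30 18:59:20 LOG6[0]: Local mode child started (PID=30833)
2016.08.30 18:59:20 LOG6[0]: Read socket closed (readsocket)
2016.08.30 18:59:20 LOG6[ui]: Child process 30833 finished with code 1
2016.08.30 18:59:20 LOG3[0]: socket fd: Broken pipe (32)
2016.08.30 18:59:20 LOG5[0]: Connection closed: 0 byte(s) sent to SSL, 23 byte(s) sent to socket
2016.08.30 19:01:02 LOG5[1]: Service [https] accepted connection from 127.0.0.1:44200
2016.08.30 19:01:02 LOG6[1]: Local mode child started (PID=30900)
2016.08.30 19:01:03 LOG6[ui]: Child process 30900 finished with code 0
2016.08.30 19:01:03 LOG5[1]: Connection closed: 512 byte(s) sent to SSL, 23 byte(s) sent to socket
"""


@dataclass
class Conn:
    """Per-connection facts collected from the log."""
    cid: str
    service: str = ''
    peer: str = ''
    pid: Optional[int] = None          # exec child PID, if one was started
    exit_code: Optional[int] = None    # child's exit status, if seen
    bytes_to_ssl: Optional[int] = None     # bytes sent back to the TLS client
    bytes_to_socket: Optional[int] = None  # bytes forwarded to the child


def parse_stunnel_log(text: str) -> List[Conn]:
    """Correlate accept / child start / child exit / close lines into Conn records."""
    conns: Dict[str, Conn] = {}
    by_pid: Dict[int, Conn] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a stunnel log line
        cid, msg = m['cid'], m['msg']
        if (a := ACCEPT_RE.search(msg)):
            conns[cid] = Conn(cid=cid, service=a['svc'], peer=a['peer'])
        elif (s := CHILD_START_RE.search(msg)) and cid in conns:
            pid = int(s['pid'])
            conns[cid].pid = pid
            by_pid[pid] = conns[cid]
        elif (e := CHILD_EXIT_RE.search(msg)):
            # Logged by the [ui] thread, not the connection thread: match via PID.
            conn = by_pid.get(int(e['pid']))
            if conn is not None:
                conn.exit_code = int(e['code'])
        elif (x := CLOSED_RE.search(msg)) and cid in conns:
            conns[cid].bytes_to_ssl = int(x['to_ssl'])
            conns[cid].bytes_to_socket = int(x['to_sock'])
    return list(conns.values())


def silent_exec_failures(conns: List[Conn]) -> List[Conn]:
    """Connections whose exec child exited non-zero and that sent nothing to the client."""
    return [c for c in conns
            if c.pid is not None and c.exit_code not in (None, 0) and c.bytes_to_ssl == 0]


if __name__ == '__main__':
    for c in silent_exec_failures(parse_stunnel_log(SAMPLE_LOG)):
        print(f"conn {c.cid} from {c.peer}: child {c.pid} exit={c.exit_code}, "
              f"{c.bytes_to_socket} B in, {c.bytes_to_ssl} B out")
```

Run it against a real `output =` log file by replacing `SAMPLE_LOG` with the file contents; a non-empty result from `silent_exec_failures` means the `exec`/`execargs` target is dying before it writes a response, so the next place to look is the child's own stderr and exit status rather than the TLS layer, which the log shows completing the handshake normally.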