[stunnel-users] stunnel 5.x no answer in server mode?

Małgorzata Olszówka gosia at olszowka.net
Tue Sep 13 12:10:19 CEST 2016


On 31.08.2016 at 09:40, Ulli Horlacher wrote:
>
> I use stunnel as a https proxy for my own http server (*).
>
> The server mode of stunnel 5.x does not work any more.
> It accepts the connection and then immediately closes it without sending
> back any data.
> stunnel 4.x is working fine (for many years!), with the same configuration.
>
> Here is my (test) config which shows the problem (host is Ubuntu 16.04):
>
> root at xerus:/tmp# cat stunnel.conf
> pid = /tmp/stunnel.pid
> output = /home/fex/spool/stunneld.log
> debug = debug
> fips = no
> foreground = yes
>
> [https]
> accept = 443
> cert = /home/fex/etc/stunnel.pem
> sslVersion = all
> TIMEOUTclose = 1
> exec = perl
> execargs = perl -T /home/fex/bin/fexsrv stunnel
>
>
> root at xerus:/tmp# /opt/stunnel-5.35/bin/stunnel stunnel.conf
> 2016.08.30 18:58:55 LOG7[ui]: Clients allowed=500
> 2016.08.30 18:58:55 LOG5[ui]: stunnel 5.35 on x86_64-unknown-linux-gnu platform
> 2016.08.30 18:58:55 LOG5[ui]: Compiled/running with OpenSSL 1.0.2g-fips  1 Mar 2016
> 2016.08.30 18:58:55 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
> 2016.08.30 18:58:55 LOG7[ui]: errno: (*__errno_location ())
> 2016.08.30 18:58:55 LOG5[ui]: Reading configuration from file /tmp/stunnel.conf
> 2016.08.30 18:58:55 LOG5[ui]: UTF-8 byte order mark not detected
> 2016.08.30 18:58:55 LOG5[ui]: FIPS mode disabled
> 2016.08.30 18:58:55 LOG7[ui]: Compression disabled
> 2016.08.30 18:58:55 LOG7[ui]: Snagged 64 random bytes from /root/.rnd
> 2016.08.30 18:58:55 LOG7[ui]: Wrote 1024 new random bytes to /root/.rnd
> 2016.08.30 18:58:55 LOG7[ui]: PRNG seeded successfully
> 2016.08.30 18:58:55 LOG6[ui]: Initializing service [https]
> 2016.08.30 18:58:55 LOG6[ui]: Loading certificate from file: /home/fex/etc/stunnel.pem
> 2016.08.30 18:58:55 LOG6[ui]: Certificate loaded from file: /home/fex/etc/stunnel.pem
> 2016.08.30 18:58:55 LOG6[ui]: Loading private key from file: /home/fex/etc/stunnel.pem
> 2016.08.30 18:58:55 LOG6[ui]: Private key loaded from file: /home/fex/etc/stunnel.pem
> 2016.08.30 18:58:55 LOG7[ui]: Private key check succeeded
> 2016.08.30 18:58:55 LOG7[ui]: DH initialization
> 2016.08.30 18:58:55 LOG7[ui]: Using DH parameters from /home/fex/etc/stunnel.pem
> 2016.08.30 18:58:55 LOG6[ui]: 1024-bit DH parameters loaded
> 2016.08.30 18:58:55 LOG7[ui]: ECDH initialization
> 2016.08.30 18:58:55 LOG7[ui]: ECDH initialized with curve prime256v1
> 2016.08.30 18:58:55 LOG7[ui]: SSL options: 0x03004004 (+0x03004000, -0x00000000)
> 2016.08.30 18:58:55 LOG5[ui]: Configuration successful
> 2016.08.30 18:58:55 LOG7[ui]: Listening file descriptor created (FD=7)
> 2016.08.30 18:58:55 LOG7[ui]: Option SO_REUSEADDR set on accept socket
> 2016.08.30 18:58:55 LOG7[ui]: Service [https] (FD=7) bound to 0.0.0.0:443
> 2016.08.30 18:58:55 LOG7[ui]: Created pid file /tmp/stunnel.pid
>
> (here comes the https client connect)
>
> 2016.08.30 18:59:20 LOG7[ui]: Found 1 ready file descriptor(s)
> 2016.08.30 18:59:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
> 2016.08.30 18:59:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
> 2016.08.30 18:59:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:44166
> 2016.08.30 18:59:20 LOG7[0]: Service [https] started
> 2016.08.30 18:59:20 LOG7[0]: Option TCP_NODELAY set on local socket
> 2016.08.30 18:59:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:44166
> 2016.08.30 18:59:20 LOG6[0]: Peer certificate not required
> 2016.08.30 18:59:20 LOG7[0]: SSL state (accept): before/accept initialization
> 2016.08.30 18:59:20 LOG7[0]: SNI: no virtual services defined
> 2016.08.30 18:59:20 LOG7[0]: New session callback
> 2016.08.30 18:59:20 LOG7[0]:      1 server accept(s) requested
> 2016.08.30 18:59:20 LOG7[0]:      1 server accept(s) succeeded
> 2016.08.30 18:59:20 LOG7[0]:      0 server renegotiation(s) requested
> 2016.08.30 18:59:20 LOG7[0]:      0 session reuse(s)
> 2016.08.30 18:59:20 LOG7[0]:      0 internal session cache item(s)
> 2016.08.30 18:59:20 LOG7[0]:      0 internal session cache fill-up(s)
> 2016.08.30 18:59:20 LOG7[0]:      0 internal session cache miss(es)
> 2016.08.30 18:59:20 LOG7[0]:      0 external session cache hit(s)
> 2016.08.30 18:59:20 LOG7[0]:      0 expired session(s) retrieved
> 2016.08.30 18:59:20 LOG6[0]: SSL accepted: new session negotiated
> 2016.08.30 18:59:20 LOG6[0]: No peer certificate received
> 2016.08.30 18:59:20 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-SHA256 (128-bit encryption)
> 2016.08.30 18:59:20 LOG7[0]: Compression: null, expansion: null
> 2016.08.30 18:59:20 LOG6[0]: Local mode child started (PID=30833)
> 2016.08.30 18:59:20 LOG7[0]: Option TCP_NODELAY set on remote socket
> 2016.08.30 18:59:20 LOG7[0]: Remote descriptor (FD=11) initialized
> 2016.08.30 18:59:20 LOG6[0]: Read socket closed (readsocket)
> 2016.08.30 18:59:20 LOG7[0]: Sending close_notify alert
> 2016.08.30 18:59:20 LOG7[0]: SSL alert (write): warning: close notify
> 2016.08.30 18:59:20 LOG6[0]: SSL_shutdown successfully sent close_notify alert
> 2016.08.30 18:59:20 LOG7[ui]: Found 1 ready file descriptor(s)
> 2016.08.30 18:59:20 LOG7[ui]: FD=4 events=0x2001 revents=0x1
> 2016.08.30 18:59:20 LOG7[ui]: FD=7 events=0x2001 revents=0x0
> 2016.08.30 18:59:20 LOG7[ui]: Dispatching signals from the signal pipe
> 2016.08.30 18:59:20 LOG7[ui]: Processing SIGCHLD
> 2016.08.30 18:59:20 LOG6[ui]: Child process 30833 finished with code 1
> 2016.08.30 18:59:20 LOG7[ui]: Signal pipe is empty
> 2016.08.30 18:59:20 LOG3[0]: socket fd: Broken pipe (32)
> 2016.08.30 18:59:20 LOG6[0]: writesocket: Socket is closed
> 2016.08.30 18:59:20 LOG5[0]: Connection closed: 0 byte(s) sent to SSL, 23 byte(s) sent to socket
> 2016.08.30 18:59:20 LOG7[0]: Remote descriptor (FD=11) closed
> 2016.08.30 18:59:20 LOG7[0]: Local descriptor (FD=3) closed
> 2016.08.30 18:59:20 LOG7[0]: Service [https] finished (0 left)
>
> The client receives no data at all, the connection is closed by the server
> (stunnel).
>
> As I wrote: with stunnel 4.27 everything works as expected. Does stunnel
> 5.x need another configuration?
>
>
> (*) http://fex.rus.uni-stuttgart.de/
>
Hi,
The log messages show that the child process terminated with code 1.
This is the point where you should start looking for the cause.
It is impossible to say anything without analysis of the executed fexsrv
program. Changes in stunnel could cause it, but other reasons are
possible.

Regards.
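Added example, not part of the original thread and not stunnel's own code: a small Python parser for the debug log quoted above. It correlates, per connection number, the accepted peer, the negotiated TLS parameters, the exec'd child (its PID from the connection thread, its exit status from the `[ui]` thread, so the two must be matched by PID) and the byte counters from the "Connection closed" line, and then states the diagnosis the reply points at: the handshake succeeded, the client's request reached the child, the child exited non-zero before writing anything back. The sample log is a constructed excerpt of the posted output; the 2048-bit DH threshold is an assumed general recommendation, not something the thread states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an excerpt of the stunnel 5.35 debug log posted above
# (mail quote markers removed). Any stunnel log in this format will do.
SAMPLE_LOG = """\
2016.08.30 18:58:55 LOG6[ui]: 1024-bit DH parameters loaded
2016.08.30 18:58:55 LOG7[ui]: Service [https] (FD=7) bound to 0.0.0.0:443
2016.08.30 18:59:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:44166
2016.08.30 18:59:20 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-SHA256 (128-bit encryption)
2016.08.30 18:59:20 LOG6[0]: Local mode child started (PID=30833)
2016.08.30 18:59:20 LOG6[0]: Read socket closed (readsocket)
2016.08.30 18:59:20 LOG6[ui]: Child process 30833 finished with code 1
2016.08.30 18:59:20 LOG3[0]: socket fd: Broken pipe (32)
2016.08.30 18:59:20 LOG5[0]: Connection closed: 0 byte(s) sent to SSL, 23 byte(s) sent to socket
"""

# One stunnel log line: "<date> <time> LOG<level>[<context>]: <message>".
# The context is "ui" for the main thread or a connection number. An optional
# leading "> " lets the parser accept lines pasted from a quoted mail.
LINE_RE = re.compile(r"^(?:>\s*)?\S+ \S+ LOG(?P<level>\d)\[(?P<ctx>\w+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"Service \[(?P<svc>[^\]]+)\] accepted connection from (?P<peer>\S+)")
TLS_RE = re.compile(r"Negotiated (?P<ver>\S+) ciphersuite (?P<suite>\S+)")
CHILD_START_RE = re.compile(r"Local mode child started \(PID=(?P<pid>\d+)\)")
CHILD_EXIT_RE = re.compile(r"Child process (?P<pid>\d+) finished with code (?P<code>\d+)")
CLOSED_RE = re.compile(
    r"Connection closed: (?P<to_ssl>\d+) byte\(s\) sent to SSL, (?P<to_sock>\d+) byte\(s\) sent to socket"
)
DH_RE = re.compile(r"(?P<bits>\d+)-bit DH parameters loaded")

# Assumed threshold: general current practice, not a value from the thread.
MIN_DH_BITS = 2048


@dataclass
class Connection:
    conn_id: str
    service: Optional[str] = None
    peer: Optional[str] = None
    tls_version: Optional[str] = None
    ciphersuite: Optional[str] = None
    pid: Optional[int] = None
    exit_code: Optional[int] = None
    bytes_to_ssl: Optional[int] = None      # bytes stunnel wrote to the TLS client
    bytes_to_socket: Optional[int] = None   # bytes stunnel wrote to the exec'd child


@dataclass
class Report:
    dh_bits: Optional[int] = None
    connections: Dict[str, Connection] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def analyze(log_text: str) -> Report:
    """Parse stunnel debug output and explain connections that returned no data."""
    report = Report()
    pid_to_conn: Dict[int, str] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ctx, msg = m.group("ctx"), m.group("msg")
        if (d := DH_RE.search(msg)):
            report.dh_bits = int(d.group("bits"))
            continue
        # The exit status is logged by the [ui] thread (SIGCHLD handling), so it
        # carries no connection number; map it back through the child's PID.
        if (e := CHILD_EXIT_RE.search(msg)):
            pid = int(e.group("pid"))
            if pid in pid_to_conn:
                report.connections[pid_to_conn[pid]].exit_code = int(e.group("code"))
            continue
        if ctx == "ui":
            continue
        conn = report.connections.setdefault(ctx, Connection(conn_id=ctx))
        if (a := ACCEPTED_RE.search(msg)):
            conn.service, conn.peer = a.group("svc"), a.group("peer")
        elif (t := TLS_RE.search(msg)):
            conn.tls_version, conn.ciphersuite = t.group("ver"), t.group("suite")
        elif (s := CHILD_START_RE.search(msg)):
            conn.pid = int(s.group("pid"))
            pid_to_conn[conn.pid] = ctx
        elif (c := CLOSED_RE.search(msg)):
            conn.bytes_to_ssl = int(c.group("to_ssl"))
            conn.bytes_to_socket = int(c.group("to_sock"))

    if report.dh_bits is not None and report.dh_bits < MIN_DH_BITS:
        report.findings.append(
            f"{report.dh_bits}-bit DH parameters loaded; regenerate with at least {MIN_DH_BITS} bits"
        )
    for conn in report.connections.values():
        if conn.exit_code not in (None, 0) and (conn.bytes_to_ssl or 0) == 0:
            report.findings.append(
                f"connection {conn.conn_id} from {conn.peer}: {conn.tls_version} handshake succeeded and "
                f"{conn.bytes_to_socket} byte(s) were handed to exec child PID {conn.pid}, which "
                f"exited with code {conn.exit_code} before writing anything back; debug the exec'd "
                "program (exit status, stderr, environment) rather than the TLS side"
            )
    return report


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG).findings:
        print(finding)
```

Run it against a real log by piping the file into `analyze(sys.stdin.read())`; with `debug = debug` set, as in the posted config, every line the parser needs is present. The diagnosis deliberately relies only on stunnel's own counters and the child's exit status, so it applies to any `exec`/`execargs` service, not just fexsrv.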
