[stunnel-users] Hangs when connecting -- advice pls

Dave Gradwell davegradwell at yahoo.co.uk
Wed Sep 14 16:45:35 CEST 2016


My Stunnel client gets to this point, then hangs indefinitely:
SSL state (connect): SSLv2/v3 write client hello A
Is this a fault with Stunnel or is it something I’m doing wrong?



Full client-side output:
"""""""""""""""""""
Last login: Wed Sep 14 06:50:40 on ttys004
Daves-MBP-2016:~ dave$ /Users/dave/Desktop/stunnel-test/stunnel /Users/dave/Desktop/stunnel-test/stunnel-sender.conf
2016.09.14 06:54:35 LOG7[ui]: Clients allowed=125
2016.09.14 06:54:35 LOG7[cron]: Cron thread initialized
2016.09.14 06:54:35 LOG5[ui]: stunnel 5.35 on x86_64-apple-darwin15.4.0 platform
2016.09.14 06:54:35 LOG5[ui]: Compiled with OpenSSL 0.9.8zd 8 Jan 2015
2016.09.14 06:54:35 LOG5[ui]: Running  with OpenSSL 0.9.8zh 14 Jan 2016
2016.09.14 06:54:35 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2016.09.14 06:54:35 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,SNI
2016.09.14 06:54:35 LOG7[ui]: errno: (*__error())
2016.09.14 06:54:35 LOG5[ui]: Reading configuration from file /Users/dave/Desktop/stunnel-test/stunnel-sender.conf
2016.09.14 06:54:35 LOG5[ui]: UTF-8 byte order mark not detected
2016.09.14 06:54:35 LOG7[ui]: Compression disabled
2016.09.14 06:54:35 LOG7[ui]: Snagged 64 random bytes from /Users/dave/.rnd
2016.09.14 06:54:35 LOG7[ui]: Wrote 1024 new random bytes to /Users/dave/.rnd
2016.09.14 06:54:35 LOG7[ui]: PRNG seeded successfully
2016.09.14 06:54:35 LOG6[ui]: Initializing inetd mode configuration
2016.09.14 06:54:35 LOG6[ui]: Loading certificate from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG6[ui]: Certificate loaded from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG6[ui]: Loading private key from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG4[ui]: Insecure file permissions on /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG6[ui]: Private key loaded from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG7[ui]: Private key check succeeded
2016.09.14 06:54:35 LOG4[ui]: Service [stunnel] needs authentication to prevent MITM attacks
2016.09.14 06:54:35 LOG7[ui]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2016.09.14 06:54:35 LOG5[ui]: Configuration successful
2016.09.14 06:54:35 LOG7[ui]: Service [stunnel] started
2016.09.14 06:54:35 LOG5[ui]: Service [stunnel] accepted connection
2016.09.14 06:54:35 LOG6[ui]: failover: round-robin, starting at entry #0
2016.09.14 06:54:35 LOG6[ui]: s_connect: connecting ::1:874
2016.09.14 06:54:35 LOG7[ui]: s_connect: s_poll_wait ::1:874: waiting 10 seconds
2016.09.14 06:54:35 LOG5[ui]: s_connect: connected ::1:874
2016.09.14 06:54:35 LOG5[ui]: Service [stunnel] connected remote server from ::1:51362
2016.09.14 06:54:35 LOG7[ui]: Option TCP_NODELAY set on remote socket
2016.09.14 06:54:35 LOG7[ui]: Remote descriptor (FD=3) initialized
2016.09.14 06:54:35 LOG6[ui]: SNI: sending servername: localhost
2016.09.14 06:54:35 LOG6[ui]: Peer certificate not required
2016.09.14 06:54:35 LOG7[ui]: SSL state (connect): before/connect initialization
2016.09.14 06:54:35 LOG7[ui]: SSL state (connect): SSLv2/v3 write client hello A
^C
Daves-MBP-2016:~ dave$ 
"""""""""""""""""""


My stunnel-sender.conf:
"""""""""""""""""""
debug = 7
output = /Users/dave/Desktop/stunnel-test/sender-stunnel-output.log
foreground = yes
client = yes
connect = localhost:874
cert = /Users/dave/Desktop/stunnel-test/cert.pem
verify = 0
"""""""""""""""""""


My stunnel-receiver.conf:
"""""""""""""""""""
debug = 7
output = /Users/dave/Desktop/stunnel-test/receiver-stunnels-output.log
pid = /Users/dave/Desktop/stunnel-test/stunnel-rsyncd-stunnels.pid
cert = /Users/dave/Desktop/stunnel-test/cert.pem
verify = 0
delay = yes
exec = /Users/dave/Desktop/stunnel-test/rsync
execArgs = -vvvv --daemon --server --config=/Users/dave/Desktop/stunnel-test/stunnel-rsyncd.conf .
foreground = yes
client = no
"""""""""""""""""""


My receiver-error.log:
"""""""""""""""""""
2016.09.14 06:54:35 LOG7[ui]: Clients allowed=125
2016.09.14 06:54:35 LOG7[cron]: Cron thread initialized
2016.09.14 06:54:35 LOG5[ui]: stunnel 5.35 on x86_64-apple-darwin15.4.0 platform
2016.09.14 06:54:35 LOG5[ui]: Compiled with OpenSSL 0.9.8zd 8 Jan 2015
2016.09.14 06:54:35 LOG5[ui]: Running  with OpenSSL 0.9.8zh 14 Jan 2016
2016.09.14 06:54:35 LOG5[ui]: Update OpenSSL shared libraries or rebuild stunnel
2016.09.14 06:54:35 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,SNI
2016.09.14 06:54:35 LOG7[ui]: errno: (*__error())
2016.09.14 06:54:35 LOG5[ui]: Reading configuration from file /Users/dave/Desktop/stunnel-test/stunnel-receiver.conf
2016.09.14 06:54:35 LOG5[ui]: UTF-8 byte order mark not detected
2016.09.14 06:54:35 LOG7[ui]: Compression disabled
2016.09.14 06:54:35 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
2016.09.14 06:54:35 LOG7[ui]: PRNG seeded successfully
2016.09.14 06:54:35 LOG6[ui]: Initializing inetd mode configuration
2016.09.14 06:54:35 LOG6[ui]: Loading certificate from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG6[ui]: Certificate loaded from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG6[ui]: Loading private key from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG4[ui]: Insecure file permissions on /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG6[ui]: Private key loaded from file: /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG7[ui]: Private key check succeeded
2016.09.14 06:54:35 LOG7[ui]: DH initialization
2016.09.14 06:54:35 LOG7[ui]: Using DH parameters from /Users/dave/Desktop/stunnel-test/cert.pem
2016.09.14 06:54:35 LOG6[ui]: 2048-bit DH parameters loaded
2016.09.14 06:54:35 LOG7[ui]: ECDH initialization
2016.09.14 06:54:35 LOG7[ui]: ECDH initialized with curve prime256v1
2016.09.14 06:54:35 LOG7[ui]: SSL options: 0x03004004 (+0x03004000, -0x00000000)
2016.09.14 06:54:35 LOG5[ui]: Configuration successful
2016.09.14 06:54:35 LOG7[ui]: Service [stunnel] started
2016.09.14 06:54:35 LOG7[ui]: Option TCP_NODELAY set on local socket
2016.09.14 06:54:35 LOG5[ui]: Service [stunnel] accepted connection from ::1:51362
2016.09.14 06:54:35 LOG6[ui]: Peer certificate not required
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): before/accept initialization
2016.09.14 06:54:35 LOG7[ui]: SNI: no virtual services defined
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 read client hello A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 write server hello A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 write certificate A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 write certificate request A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 flush data
2016.09.14 06:54:40 LOG3[ui]: SSL_accept: Peer suddenly disconnected
2016.09.14 06:54:40 LOG5[ui]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.09.14 06:54:40 LOG7[ui]: Deallocating application specific data for addr index
2016.09.14 06:54:40 LOG7[ui]: Service [stunnel] finished (0 left)
"""""""""""""""""""



The server-side-Stunnel is invoked via launchd using this LaunchDaemon (but this seems to be working okay — I think):
"""""""""""""""""""
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<false/>
	<key>StandardErrorPath</key>
	<string>/Users/dave/Desktop/stunnel-test/receiver-error.log</string>
	<key>StandardOutPath</key>
	<string>/Users/dave/Desktop/stunnel-test/receiver-out.log</string>
	<key>Label</key>
	<string>com.stunnel.test</string>
	<key>ProgramArguments</key>
	<array>
		<string>/Users/dave/Desktop/stunnel-test/stunnel</string>
		<string>/Users/dave/Desktop/stunnel-test/stunnel-receiver.conf</string>
	</array>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<false/>
	</dict>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SockServiceName</key>
			<string>874</string>
			<key>SockType</key>
			<string>stream</string>
		</dict>
	</dict>
</dict>
</plist>
"""""""""""""""""""



I’ve looked at the output of 
bash-3.2# tcpdump -i all -XX -xx -vv port 874
but this didn’t give me any obvious clues.  
I can send it if it’s useful but I’ve omitted it for now as it’s long.

I’ve reproduced the same hang on Mac OS X 10.11 and 10.6.
I’ve recompiled Stunnel in 10.11 and 10.9 environments but still get this same hang.

Any advice appreciated.
— Dave.
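The post pairs a client configuration with `verify = 0` (which stunnel itself flags with "needs authentication to prevent MITM attacks") and two `debug = 7` logs whose `SSL state` lines show how far each side of the handshake got. The script below is an added example, not code from the original post and not part of stunnel: it parses stunnel's `key = value` configuration syntax, reports the findings a reviewer would raise against a service block, and correlates the last handshake state seen in a client log with the last state seen in a server log. The sample configuration and log lines are constructed from the excerpts above and trimmed; the option semantics it checks (`verify` below 2 does not authenticate the peer, `verify = 2` needs a `CAfile` or `CApath` trust anchor, and `checkHost` is what pins the expected name in client mode) are taken from the stunnel manual. It does not diagnose the hang; it only lines up the evidence.

```python
import re
from collections import OrderedDict

# Constructed sample inputs, trimmed from the client conf and the two logs quoted in the post.
CLIENT_CONF = """\
debug = 7
foreground = yes
client = yes
connect = localhost:874
cert = /Users/dave/Desktop/stunnel-test/cert.pem
verify = 0
"""

CLIENT_LOG = """\
2016.09.14 06:54:35 LOG4[ui]: Service [stunnel] needs authentication to prevent MITM attacks
2016.09.14 06:54:35 LOG5[ui]: s_connect: connected ::1:874
2016.09.14 06:54:35 LOG6[ui]: SNI: sending servername: localhost
2016.09.14 06:54:35 LOG7[ui]: SSL state (connect): before/connect initialization
2016.09.14 06:54:35 LOG7[ui]: SSL state (connect): SSLv2/v3 write client hello A
"""

SERVER_LOG = """\
2016.09.14 06:54:35 LOG5[ui]: Service [stunnel] accepted connection from ::1:51362
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): before/accept initialization
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 read client hello A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 write server hello A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 write certificate A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 write certificate request A
2016.09.14 06:54:35 LOG7[ui]: SSL state (accept): SSLv3 flush data
2016.09.14 06:54:40 LOG3[ui]: SSL_accept: Peer suddenly disconnected
"""

# "YYYY.MM.DD HH:MM:SS LOG<level>[<thread>]: <message>" as written by stunnel 5.x
LOG_LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\w+)\]: (.*)$")
SSL_STATE = re.compile(r"^SSL state \((connect|accept)\): (.*)$")


def parse_stunnel_conf(text):
    """Parse stunnel's 'key = value' syntax into {section: {key: value}}.
    Options before the first [service] header land in the global section "";
    a file with no [service] header at all is what stunnel runs in inetd mode."""
    conf = OrderedDict({"": OrderedDict()})
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # ';' starts a comment line in stunnel.conf
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, OrderedDict())
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[section][key] = value
    return conf


def audit_service(opts):
    """Return the findings a reviewer would raise for one stunnel service block."""
    findings = []
    verify = int(opts.get("verify", "0"))  # stunnel's default is no verification
    if verify < 2:
        findings.append("verify < 2: peer certificate is not authenticated "
                        "(stunnel logs 'needs authentication to prevent MITM attacks')")
    elif not (opts.get("CAfile") or opts.get("CApath")):
        findings.append("verify >= 2 but no CAfile/CApath: chain verification has no trust anchor")
    if opts.get("client", "no") == "yes" and "checkHost" not in opts:
        findings.append("client mode without checkHost: any cert chaining to the CA is accepted, "
                        "whatever name it carries")
    return findings


def handshake_timeline(log_text):
    """Extract TLS state transitions and the first LOG3 error from a debug=7 stunnel log.
    Returns (states, error): states is a list of (timestamp, side, state)."""
    states, error = [], None
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, level, _thread, msg = m.groups()
        s = SSL_STATE.match(msg)
        if s:
            states.append((ts, s.group(1), s.group(2)))
        elif level == "3" and error is None:
            error = (ts, msg)
    return states, error


def correlate(client_log, server_log):
    """Put both sides' last recorded handshake state next to each other: the first
    thing to compare when one side appears to hang."""
    c_states, c_err = handshake_timeline(client_log)
    s_states, s_err = handshake_timeline(server_log)
    return {
        "client_last": c_states[-1][2] if c_states else None,
        "server_last": s_states[-1][2] if s_states else None,
        "client_error": c_err[1] if c_err else None,
        "server_error": s_err[1] if s_err else None,
    }


if __name__ == "__main__":
    for section, opts in parse_stunnel_conf(CLIENT_CONF).items():
        for finding in audit_service(opts):
            print("[%s] %s" % (section or "global", finding))
    for key, value in correlate(CLIENT_LOG, SERVER_LOG).items():
        print("%-13s %s" % (key + ":", value))
```

Run against the post's own material the audit produces two findings for the client side (`verify = 0`, and client mode with no `checkHost`), and the correlation shows the client's last state as `SSLv2/v3 write client hello A` against the server's `SSLv3 flush data` followed by `SSL_accept: Peer suddenly disconnected`, i.e. the server saw and answered the ClientHello while the client never logged reading the reply. Point `handshake_timeline` at the full `output =` files from both sides to get the complete sequence rather than the trimmed one embedded here.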