[stunnel-users] SSL errors do not trigger failover?

Richard Monk rmonk at redhat.com
Fri Jan 27 15:05:58 CET 2017


We are using stunnel to work around an SSL issue in another service, and set
stunnel.conf up to do prio failover.  We noticed something unusual.  If the TCP
session connects, but the SSL negotiation fails, it doesn't fail over to the
next server on the list.  I looked at the code for the latest version and this
doesn't seem to be caught anywhere.

What I saw in client.c shows that it only checks failover after trying to
establish the TCP session, but then the SSL session happens later and doesn't
give any info back to the failover code should something go wrong.

Is this expected behavior, or should I look into a bug report / patch?  I was
thinking maybe a configurable option to allow SSL errors to trigger failover
just like TCP errors.

Richard Monk (rmonk at redhat.com) - Senior Principal Security Analyst
Red Hat Inc. - Raleigh NC
GPG Key ID: 0x942CDB25
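An added illustration (not stunnel's own code) of the behaviour the question asks for: probe each `connect` target in priority order, first the TCP connect and then the TLS handshake, and treat a handshake failure as a failover trigger just like a refused connection. The `pick_target` function mirrors both variants, the TCP-only check the post describes and the TCP+TLS check it proposes. The local listener and the closed port are constructed stand-ins so the example runs offline.

```python
import socket
import ssl
import threading

def probe(host, port, timeout=3.0):
    """Return "tcp-fail", "tls-fail" or "ok" for one connect target."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp-fail"      # refused/unreachable: failover already covers this
    ctx = ssl.create_default_context()
    try:
        # wrap_socket performs the handshake; it closes the socket on failure
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except (ssl.SSLError, OSError):
        return "tls-fail"      # TCP is up but negotiation broke: the gap in the post

def pick_target(targets, tls_triggers_failover):
    """Walk targets in priority order (failover = prio) and return the chosen
    (host, port, probe_result), or None if every target is unusable.
    With tls_triggers_failover=False the first target that accepts TCP wins
    even if its TLS handshake fails, as the post describes."""
    for host, port in targets:
        result = probe(host, port)
        if result == "ok" or (result == "tls-fail" and not tls_triggers_failover):
            return (host, port, result)
    return None

# --- constructed stand-ins so the example runs without real servers ---
def start_plain_tcp_listener():
    """Accept TCP connections and drop them: TCP succeeds, TLS cannot."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():
    """Reserve and release a port so that connecting to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```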
