[stunnel-users] [EXTERNAL] Re: Stunnel connection issue?

Flo Rance trourance at gmail.com
Thu Jul 5 15:32:51 CEST 2018


Hi,

Did you try with another type of client to see if the issue is the same ?

Flo

On Thu, Jul 5, 2018 at 1:41 PM, Spies, Will <Will_Spies at comcast.com> wrote:

> Thanks for the quick response. The client is an Echo Show device and there
> is no log. It is an RTSP connection and my backend (behind Stunnel) is
> Live555ProxyServer.  I read somewhere there is some bug related to MSIE
> that closed the connection like this and the fix is to use TIMEOUTclose=0
> which I did but this did not help. This is the earlier (startup) portion of
> my log:
>
> 2018.07.05 05:30:45 LOG7[ui]: Clients allowed=500
> 2018.07.05 05:30:45 LOG5[ui]: stunnel 5.48 on x86_64-pc-linux-gnu platform
> 2018.07.05 05:30:45 LOG5[ui]: Compiled/running with OpenSSL 1.1.0g  2 Nov 2017
> 2018.07.05 05:30:45 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
> 2018.07.05 05:30:45 LOG7[ui]: errno: (*__errno_location ())
> 2018.07.05 05:30:45 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
> 2018.07.05 05:30:45 LOG5[ui]: UTF-8 byte order mark not detected
> 2018.07.05 05:30:45 LOG5[ui]: FIPS mode disabled
> 2018.07.05 05:30:45 LOG7[ui]: Compression disabled
> 2018.07.05 05:30:45 LOG7[ui]: No PRNG seeding was required
> 2018.07.05 05:30:45 LOG6[ui]: Initializing service [rtsp]
> 2018.07.05 05:30:45 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
> 2018.07.05 05:30:45 LOG7[ui]: TLS options: 0x02004004 (+0x00004000, -0x00000000)
> 2018.07.05 05:30:45 LOG6[ui]: Loading certificate from file: /etc/stunnel/stunnel.pem
> 2018.07.05 05:30:45 LOG6[ui]: Certificate loaded from file: /etc/stunnel/stunnel.pem
> 2018.07.05 05:30:45 LOG6[ui]: Loading private key from file: /etc/stunnel/stunnel.pem
> 2018.07.05 05:30:45 LOG4[ui]: Insecure file permissions on /etc/stunnel/stunnel.pem
> 2018.07.05 05:30:45 LOG6[ui]: Private key loaded from file: /etc/stunnel/stunnel.pem
> 2018.07.05 05:30:45 LOG7[ui]: Private key check succeeded
> 2018.07.05 05:30:45 LOG7[ui]: ECDH initialization
> 2018.07.05 05:30:45 LOG7[ui]: ECDH initialized with curve prime256v1
> 2018.07.05 05:30:45 LOG5[ui]: Configuration successful
> 2018.07.05 05:30:45 LOG7[ui]: Binding service [rtsp]
> 2018.07.05 05:30:45 LOG7[ui]: Listening file descriptor created (FD=7)
> 2018.07.05 05:30:45 LOG7[ui]: Setting accept socket options (FD=7)
> 2018.07.05 05:30:45 LOG7[ui]: Option SO_REUSEADDR set on accept socket
> 2018.07.05 05:30:45 LOG6[ui]: Service [rtsp] (FD=7) bound to 192.168.112.16:443
> 2018.07.05 05:30:45 LOG7[main]: No pid file being created
> 2018.07.05 05:30:45 LOG7[cron]: Cron thread initialized
> 2018.07.05 05:31:00 LOG7[main]: Found 1 ready file descriptor(s)
> 2018.07.05 05:31:00 LOG7[main]: FD=4 events=0x2001 revents=0x0
> 2018.07.05 05:31:00 LOG7[main]: FD=7 events=0x2001 revents=0x1
> 2018.07.05 05:31:00 LOG7[main]: Service [rtsp] accepted (FD=3) from 192.168.112.194:51692
> 2018.07.05 05:31:00 LOG7[0]: Service [rtsp] started
> 2018.07.05 05:31:00 LOG7[0]: Setting local socket options (FD=3)
> 2018.07.05 05:31:00 LOG7[0]: Option TCP_NODELAY set on local socket
> 2018.07.05 05:31:00 LOG5[0]: Service [rtsp] accepted connection from 192.168.112.194:51692
> 2018.07.05 05:31:00 LOG6[0]: Peer certificate not required
> 2018.07.05 05:31:00 LOG7[0]: TLS state (accept): before SSL initialization
> 2018.07.05 05:31:00 LOG7[0]: TLS state (accept): before SSL initialization
> 2018.07.05 05:31:00 LOG7[0]: SNI: no virtual services defined
> 2018.07.05 05:31:00 LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
> 2018.07.05 05:31:00 LOG7[0]: TLS state (accept): SSLv3/TLS write server hello
> 2018.07.05 05:31:00 LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
> 2018.07.05 05:31:00 LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange
> 2018.07.05 05:31:00 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
> 2018.07.05 05:31:00 LOG7[main]: Found 1 ready file descriptor(s)
> 2018.07.05 05:31:00 LOG7[main]: FD=4 events=0x2001 revents=0x0
> 2018.07.05 05:31:00 LOG7[main]: FD=7 events=0x2001 revents=0x1
> 2018.07.05 05:31:00 LOG7[main]: Service [rtsp] accepted (FD=9) from 192.168.112.197:43868
> (bottom part in my original email)
>
>
>
> -----Original Message-----
> From: Peter Pentchev [mailto:roam at ringlet.net]
> Sent: Thursday, July 05, 2018 7:18 AM
> To: Spies, Will <Will_Spies at cable.comcast.com>
> Cc: stunnel-users at stunnel.org
> Subject: [EXTERNAL] Re: [stunnel-users] Stunnel connection issue?
>
> On Thu, Jul 05, 2018 at 09:58:33AM +0000, Spies, Will wrote:
> > I've been trying to get Stunnel to work for some time now.  I have
> > avoided using the mail list - but I see no recourse now.  I think I've
> > tried just about every setting I could find.  I appear to be getting a
> > connection issue - but as you will see the log just doesn't indicate
> > clearly what is going on.  The behavior is my client is failing to get
> > a connection through Stunnel to my backend.  The log appears to be
> > closing a socket (but can't tell which one frontend or backend).
>
> Actually the log says "TLS socket closed (SSL_read)", which means that the
> "read some bytes from the secure socket" operation said "there are no bytes
> to read, the other side closed the connection", meaning your client, the
> one that negotiates the TLS connection with stunnel, has closed the
> connection immediately after stunnel considered it negotiated.
> The next line in the log, "0 byte(s) sent to TLS, 0 byte(s) sent to
> socket", says that the client did indeed not even try to send any data over
> the established secure connection or receive any data from it, it just
> closed the connection immediately after stunnel thought they had formed a
> chummy relationship.
>
> Is there any way you could get your client program to log verbosely what
> it is trying to do over the secure connection?  Are there any messages on
> that side?
>
> G'luck,
> Peter
>
> --
> Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
> PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
> Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
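Peter's reading of the two closing log lines can be turned into a check that runs over a whole stunnel log: pair up each numbered connection's accept, handshake, close-reason and byte-count lines, flag the sessions the TLS peer dropped with nothing sent in either direction, and surface LOG4 warnings such as the insecure permissions on stunnel.pem that appear in Will's start-up log. This is an added example, not code from the thread or from the stunnel project; the sample log below is constructed in the format of the quoted one, and the wording of lines the page does not show ("TLS accepted: new session negotiated", "Read socket closed (readsocket)", the "s_connect" line) is assumed to match stunnel 5.x.

```python
import re
from collections import OrderedDict

# Constructed sample log in the format of the stunnel 5.48 output quoted in
# the thread. Session 0 behaves like the Echo Show case (handshake completes,
# TLS peer closes, nothing transferred); session 1 is a healthy session that
# the backend closed after data flowed. Wording of lines not shown on the
# page is assumed to match stunnel 5.x.
SAMPLE_LOG = """\
2018.07.05 05:30:45 LOG4[ui]: Insecure file permissions on /etc/stunnel/stunnel.pem
2018.07.05 05:30:45 LOG6[ui]: Service [rtsp] (FD=7) bound to 192.168.112.16:443
2018.07.05 05:31:00 LOG5[0]: Service [rtsp] accepted connection from 192.168.112.194:51692
2018.07.05 05:31:00 LOG6[0]: Peer certificate not required
2018.07.05 05:31:00 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
2018.07.05 05:31:00 LOG6[0]: TLS accepted: new session negotiated
2018.07.05 05:31:00 LOG6[0]: TLS socket closed (SSL_read)
2018.07.05 05:31:00 LOG5[0]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.07.05 05:31:02 LOG5[1]: Service [rtsp] accepted connection from 192.168.112.197:43868
2018.07.05 05:31:02 LOG6[1]: TLS accepted: new session negotiated
2018.07.05 05:31:02 LOG6[1]: s_connect: connected 127.0.0.1:8554
2018.07.05 05:31:09 LOG6[1]: Read socket closed (readsocket)
2018.07.05 05:31:09 LOG5[1]: Connection closed: 1534 byte(s) sent to TLS, 212 byte(s) sent to socket
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<conn>[^\]]+)\]: (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"accepted connection from (?P<peer>\S+)")
BYTES_RE = re.compile(
    r"Connection closed: (?P<to_tls>\d+) byte\(s\) sent to TLS, "
    r"(?P<to_sock>\d+) byte\(s\) sent to socket"
)


def parse_sessions(log_text):
    """Group per-connection lines by the numeric id in LOGn[id] and record the
    peer, handshake completion, which side closed, and the final byte counts.
    Also collect every line at LOG4 (warning) or more severe, whatever its id.
    Returns (sessions, warnings)."""
    sessions = OrderedDict()
    warnings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        level, conn, msg = int(m["level"]), m["conn"], m["msg"]
        if level <= 4:
            warnings.append((m["ts"], conn, msg))
        if not conn.isdigit():
            continue  # [ui], [main], [cron] threads are not client sessions
        s = sessions.setdefault(conn, {
            "peer": None, "negotiated": False, "closed_by": None,
            "to_tls": None, "to_socket": None,
        })
        a = ACCEPT_RE.search(msg)
        if a:
            s["peer"] = a["peer"]
        if msg.startswith("TLS accepted"):
            s["negotiated"] = True
        # EOF on SSL_read means the TLS peer (the client) hung up; EOF on
        # readsocket means the plaintext backend side hung up.
        if msg.startswith("TLS socket closed"):
            s["closed_by"] = "tls_peer"
        elif msg.startswith("Read socket closed"):
            s["closed_by"] = "backend"
        b = BYTES_RE.search(msg)
        if b:
            s["to_tls"] = int(b["to_tls"])
            s["to_socket"] = int(b["to_sock"])
    return sessions, warnings


def empty_tls_sessions(sessions):
    """Ids of sessions that negotiated TLS and were then closed by the TLS peer
    with zero bytes in either direction: the handshake worked at the stunnel
    end, and the client walked away before sending any application data."""
    return [cid for cid, s in sessions.items()
            if s["negotiated"] and s["closed_by"] == "tls_peer"
            and s["to_tls"] == 0 and s["to_socket"] == 0]


if __name__ == "__main__":
    sessions, warnings = parse_sessions(SAMPLE_LOG)
    for ts, conn, msg in warnings:
        print(f"warning [{conn}] {ts}: {msg}")
    for cid in empty_tls_sessions(sessions):
        print(f"session {cid} from {sessions[cid]['peer']}: "
              "client closed right after the handshake, no data exchanged")
```

A flagged session says nothing about the backend, because stunnel never got far enough to touch it; the next piece of evidence has to come from the client side, which is what both replies ask for. The LOG4 line about stunnel.pem is worth acting on regardless of the connection problem, since the same file holds the private key.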