[stunnel-users] Intermittent error in 042_inetd

Eric S Eberhard flash at vicsmba.com
Mon Jul 9 23:19:46 CEST 2018


The 50% could be because the server side is not fully updated - we have this
problem a lot with very large companies that should know better (and in
reality should overlap instead of changing over - meaning allow SSLv3 for 3
months or something while also accepting TLSv2.

 

A very good way to test is to get a telnet program.  Then "telnent localhost
port#" - the port # being the port number stunnel is running on.  This will
remove all variables except stunnel and allow you to see the output.  It
could be you are connecting fine and failing some other authentication like
a login - which you can see often with telnet.  And set your firewall to not
allow telnet on port 23.  Also, we have found stunnel MUCH more reliable
under inetd (if you are on Unix of course) than as a stand-alone server.  A
little performance loss that is unnoticeable to us - big customers exchange
2-4 million XML documents a day (using stunnel) so inetd is definitely not
the most efficient way, but the machines are so darn fast it seems not to
matter.

 

The certificates have become more painful but I have never had to use an
official signed one.  I make my own with openssl.  However, there are
intermediate ones that are needed from whomever you connect to if they have
a signed certificate - say from Verisign - you may need your certificate and
Verisigns, etc - in a chain.  

 

I use "cacert" to set to a large file of .pem certificates - which I simply
download from the Web (available all over, some work, some don't.  When you
get one that works . then use it.  You can modify them by adding anything
not found in the file.  Supposedly the cacert file I have now is good till
2020 for the big names.

 

You can also use openssl to get the certificate from the server - just ask
and you shall receive.   It should have the entire chain.

 

I used to have on massive cacert for everyone and it was getting out of
hand.  As tacky as it is, I just make a cacert.pem file for every connection
(e.g. Walmart, Fedex, Target, whatever).  This allows working connections to
keep working while you fiddle with a tricky one.

 

Eric

 

 

Eric S Eberhard

VICS (Vertical Integrated Computer Systems)

Voice: 928 567 3529

Cell    : 928 301 7537  (not reliable except for text or if not home)

2933 W Middle Verde Rd

Camp Verde, AZ  86322

 

From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of
Ian Bamforth
Sent: Wednesday, July 04, 2018 9:00 AM
To: stunnel-users at stunnel.org
Subject: [stunnel-users] Intermittent error in 042_inetd

 

Afternoon,

 

Until recently we'd disabled `make test` because of certificate problems -
we've re-enabled it (using `make check`) but are getting intermittent
failures (around 50% of CI runs). Below is the output from the logs - I
can't see what's gone wrong, can anyone shed any light?

 

2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648

2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())

2018.07.04 09:59:36 LOG7[ui]: Compression disabled

2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required

2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK

2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02004004 (+0x00004000,
-0x00000000)

2018.07.04 09:59:36 LOG7[ui]: Private key check succeeded

2018.07.04 09:59:36 LOG7[ui]: ECDH initialization

2018.07.04 09:59:36 LOG7[ui]: ECDH initialized with curve prime256v1

2018.07.04 09:59:36 LOG7[ui]: Binding service [server]

2018.07.04 09:59:36 LOG7[ui]: Listening file descriptor created (FD=6)

2018.07.04 09:59:36 LOG7[ui]: Setting accept socket options (FD=6)

2018.07.04 09:59:36 LOG7[ui]: Option SO_REUSEADDR set on accept socket

2018.07.04 09:59:36 LOG7[main]: Created pid file
/opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid

2018.07.04 09:59:36 LOG7[cron]: Cron thread initialized

2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)

2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x0

2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x1

2018.07.04 09:59:36 LOG7[main]: Service [server] accepted (FD=3) from
127.0.0.1:58890

2018.07.04 09:59:36 LOG7[0]: Service [server] started

2018.07.04 09:59:36 LOG7[0]: Setting local socket options (FD=3)

2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on local socket

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization

2018.07.04 09:59:36 LOG7[0]: SNI: no virtual services defined

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client hello

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server
hello

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write certificate

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write key
exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client key
exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read change
cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read finished

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write change
cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write finished

2018.07.04 09:59:36 LOG7[0]: New session callback

2018.07.04 09:59:36 LOG7[0]:      1 server accept(s) requested

2018.07.04 09:59:36 LOG7[0]:      1 server accept(s) succeeded

2018.07.04 09:59:36 LOG7[0]:      0 server renegotiation(s) requested

2018.07.04 09:59:36 LOG7[0]:      0 session reuse(s)

2018.07.04 09:59:36 LOG7[0]:      1 internal session cache item(s)

2018.07.04 09:59:36 LOG7[0]:      0 internal session cache fill-up(s)

2018.07.04 09:59:36 LOG7[0]:      0 internal session cache miss(es)

2018.07.04 09:59:36 LOG7[0]:      0 external session cache hit(s)

2018.07.04 09:59:36 LOG7[0]:      0 expired session(s) retrieved

2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null

2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=10)

2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) initialized

2018.07.04 09:59:36 LOG7[0]: TLS alert (read): warning: close notify

2018.07.04 09:59:36 LOG7[0]: Sent socket write shutdown

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) closed

2018.07.04 09:59:36 LOG7[0]: Local descriptor (FD=3) closed

2018.07.04 09:59:36 LOG7[0]: Service [server] finished (0 left)

2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)

2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1

2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0

2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe

2018.07.04 09:59:36 LOG7[main]: Processing SIGCHLD

2018.07.04 09:59:36 LOG7[main]: Retrieving pid statuses with waitpid()

2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648

2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())

2018.07.04 09:59:36 LOG7[ui]: Compression disabled

2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required

2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK

2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02000004 (+0x00000000,
-0x00000000)

2018.07.04 09:59:36 LOG7[ui]: No certificate or private key specified

2018.07.04 09:59:36 LOG7[0]: Service [inetd client] started

2018.07.04 09:59:36 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:4433: waiting
10 seconds

2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=3)

2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) initialized

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): before SSL initialization

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server
hello

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server
certificate

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server key
exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server done

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client key
exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write change
cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read change
cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read finished

2018.07.04 09:59:36 LOG7[0]: New session callback

2018.07.04 09:59:36 LOG7[0]: Peer certificate was cached (1241 bytes)

2018.07.04 09:59:36 LOG7[0]:      1 client connect(s) requested

2018.07.04 09:59:36 LOG7[0]:      1 client connect(s) succeeded

2018.07.04 09:59:36 LOG7[0]:      0 client renegotiation(s) requested

2018.07.04 09:59:36 LOG7[0]:      0 session reuse(s)

2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null

2018.07.04 09:59:36 LOG7[0]: Sending close_notify alert

2018.07.04 09:59:36 LOG7[0]: TLS alert (write): warning: close notify

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) closed

2018.07.04 09:59:36 LOG7[0]: Service [inetd client] finished (0 left)

2018.07.04 09:59:36 LOG7[0]: Deallocating section defaults

2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)

2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1

2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0

2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe

2018.07.04 09:59:36 LOG7[main]: Processing SIGNAL_TERMINATE

2018.07.04 09:59:36 LOG7[main]: Leak detection table utilization: 86/997,
8.63%

2018.07.04 09:59:36 LOG7[main]: Removed pid file
/opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid

2018.07.04 09:59:36 LOG7[main]: Deallocating section defaults

 


Regards,



Ian Bamforth 
Senior Software Engineer 
Operations & Planning Systems Division

T:   <tel:00441133443970> +44 (0)113 344 3970 
M:  <tel:00447852404240> +44 (0)7852 404240 
E:   <mailto:Ian.Bamforth at tracsis.com> Ian.Bamforth at tracsis.com 
W:  <https://www.tracsis.com> www.tracsis.com 
 <http://www.tracsisops.com> www.tracsisops.com 

Follow Us
 
<https://www.linkedin.com/company/972873?trk=tyah&trkInfo=idx:1-1-1,tarId:14
20795682492,tas:tracsis>    <https://www.twitter.com/tracsis> 

Tracsis plc 
Leeds Innovation Centre 
103 Clarendon Road 
Leeds 
LS2 9DF 


  <https://static.tracsis.com/email/award4.png> 
Tracsis Operations and Planning Systems Division is a Division of Tracsis
plc and comprises Tracsis plc (05019106), Tracsis Rail Consultancy Limited
(05047148), Safety Information Systems Limited trading as COMPASS (02588404)
and Tracsis Retail and Operations Limited (04225250), all subsidiaries of
Tracsis plc with a registered office at Leeds Innovation Centre,103
Clarendon Road, Leeds, LS2 9DF. VAT Registration No: 945 7876 61. This email
and its attachments may be confidential and are intended solely for the use
of the individual(s) to whom it is addressed. If you are not the intended
recipient of this email and its attachments, you must take no action based
upon them, nor must you copy or show them to anyone. Please contact the
sender if you believe you have received this email in error.

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180709/4f04ee5e/attachment-0001.html>


More information about the stunnel-users mailing list