[stunnel-users] Intermittent error in 042_inetd

Ian Bamforth Ian.Bamforth at tracsis.com
Tue Jul 10 10:04:40 CEST 2018


Hi Eric,

Thanks for the very detailed reply!  I had a conversation direct with one of the stunnel devs, she confirmed that there's a bug in the tests and supplied a patch.  I guess this will be released in the next version.  It only affects the tests, so the current version is fine, as long as you don't try to run the tests during installation.

Regards,

Ian Bamforth
Senior Software Engineer
Operations & Planning Systems Division

T:  +44 (0)113 344 3970<tel:00441133443970>
M: +44 (0)7852 404240<tel:00447852404240>
E:  Ian.Bamforth at tracsis.com<mailto:Ian.Bamforth at tracsis.com>
W: www.tracsis.com<https://www.tracsis.com>
www.tracsisops.com<http://www.tracsisops.com>

Follow Us
[https://static.tracsis.com/email/lin2.png]<https://www.linkedin.com/company/972873?trk=tyah&trkInfo=idx:1-1-1,tarId:1420795682492,tas:tracsis>  [https://static.tracsis.com/email/twi2.png] <https://www.twitter.com/tracsis>

Tracsis plc
Leeds Innovation Centre
103 Clarendon Road
Leeds
LS2 9DF

[https://static.tracsis.com/email/award4.png]
Tracsis Operations and Planning Systems Division is a Division of Tracsis plc and comprises Tracsis plc (05019106), Tracsis Rail Consultancy Limited (05047148), Safety Information Systems Limited trading as COMPASS (02588404) and Tracsis Retail and Operations Limited (04225250), all subsidiaries of Tracsis plc with a registered office at Leeds Innovation Centre,103 Clarendon Road, Leeds, LS2 9DF. VAT Registration No: 945 7876 61. This email and its attachments may be confidential and are intended solely for the use of the individual(s) to whom it is addressed. If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone. Please contact the sender if you believe you have received this email in error.



From: Eric S Eberhard <flash at vicsmba.com>
Sent: 09 July 2018 22:20
To: Ian Bamforth <Ian.Bamforth at tracsis.com>; stunnel-users at stunnel.org
Subject: RE: [stunnel-users] Intermittent error in 042_inetd

The 50% could be because the server side is not fully updated - we have this problem a lot with very large companies that should know better (and in reality should overlap instead of changing over - meaning allow SSLv3 for 3 months or something while also accepting TLSv2.

A very good way to test is to get a telnet program.  Then "telnent localhost port#" - the port # being the port number stunnel is running on.  This will remove all variables except stunnel and allow you to see the output.  It could be you are connecting fine and failing some other authentication like a login - which you can see often with telnet.  And set your firewall to not allow telnet on port 23.  Also, we have found stunnel MUCH more reliable under inetd (if you are on Unix of course) than as a stand-alone server.  A little performance loss that is unnoticeable to us - big customers exchange 2-4 million XML documents a day (using stunnel) so inetd is definitely not the most efficient way, but the machines are so darn fast it seems not to matter.

The certificates have become more painful but I have never had to use an official signed one.  I make my own with openssl.  However, there are intermediate ones that are needed from whomever you connect to if they have a signed certificate - say from Verisign - you may need your certificate and Verisigns, etc - in a chain.

I use "cacert" to set to a large file of .pem certificates - which I simply download from the Web (available all over, some work, some don't.  When you get one that works ... then use it.  You can modify them by adding anything not found in the file.  Supposedly the cacert file I have now is good till 2020 for the big names.

You can also use openssl to get the certificate from the server - just ask and you shall receive.   It should have the entire chain.

I used to have on massive cacert for everyone and it was getting out of hand.  As tacky as it is, I just make a cacert.pem file for every connection (e.g. Walmart, Fedex, Target, whatever).  This allows working connections to keep working while you fiddle with a tricky one.

Eric


Eric S Eberhard
VICS (Vertical Integrated Computer Systems)
Voice: 928 567 3529
Cell    : 928 301 7537  (not reliable except for text or if not home)
2933 W Middle Verde Rd
Camp Verde, AZ  86322

From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Ian Bamforth
Sent: Wednesday, July 04, 2018 9:00 AM
To: stunnel-users at stunnel.org<mailto:stunnel-users at stunnel.org>
Subject: [stunnel-users] Intermittent error in 042_inetd

Afternoon,

Until recently we'd disabled `make test` because of certificate problems - we've re-enabled it (using `make check`) but are getting intermittent failures (around 50% of CI runs). Below is the output from the logs - I can't see what's gone wrong, can anyone shed any light?

2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648
2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())
2018.07.04 09:59:36 LOG7[ui]: Compression disabled
2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required
2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02004004 (+0x00004000, -0x00000000)
2018.07.04 09:59:36 LOG7[ui]: Private key check succeeded
2018.07.04 09:59:36 LOG7[ui]: ECDH initialization
2018.07.04 09:59:36 LOG7[ui]: ECDH initialized with curve prime256v1
2018.07.04 09:59:36 LOG7[ui]: Binding service [server]
2018.07.04 09:59:36 LOG7[ui]: Listening file descriptor created (FD=6)
2018.07.04 09:59:36 LOG7[ui]: Setting accept socket options (FD=6)
2018.07.04 09:59:36 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.07.04 09:59:36 LOG7[main]: Created pid file /opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid
2018.07.04 09:59:36 LOG7[cron]: Cron thread initialized
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: Service [server] accepted (FD=3) from 127.0.0.1:58890
2018.07.04 09:59:36 LOG7[0]: Service [server] started
2018.07.04 09:59:36 LOG7[0]: Setting local socket options (FD=3)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on local socket
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: SNI: no virtual services defined
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server hello
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read finished
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: New session callback
2018.07.04 09:59:36 LOG7[0]:      1 server accept(s) requested
2018.07.04 09:59:36 LOG7[0]:      1 server accept(s) succeeded
2018.07.04 09:59:36 LOG7[0]:      0 server renegotiation(s) requested
2018.07.04 09:59:36 LOG7[0]:      0 session reuse(s)
2018.07.04 09:59:36 LOG7[0]:      1 internal session cache item(s)
2018.07.04 09:59:36 LOG7[0]:      0 internal session cache fill-up(s)
2018.07.04 09:59:36 LOG7[0]:      0 internal session cache miss(es)
2018.07.04 09:59:36 LOG7[0]:      0 external session cache hit(s)
2018.07.04 09:59:36 LOG7[0]:      0 expired session(s) retrieved
2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null
2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=10)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) initialized
2018.07.04 09:59:36 LOG7[0]: TLS alert (read): warning: close notify
2018.07.04 09:59:36 LOG7[0]: Sent socket write shutdown
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) closed
2018.07.04 09:59:36 LOG7[0]: Local descriptor (FD=3) closed
2018.07.04 09:59:36 LOG7[0]: Service [server] finished (0 left)
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe
2018.07.04 09:59:36 LOG7[main]: Processing SIGCHLD
2018.07.04 09:59:36 LOG7[main]: Retrieving pid statuses with waitpid()
2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648
2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())
2018.07.04 09:59:36 LOG7[ui]: Compression disabled
2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required
2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02000004 (+0x00000000, -0x00000000)
2018.07.04 09:59:36 LOG7[ui]: No certificate or private key specified
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] started
2018.07.04 09:59:36 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:4433: waiting 10 seconds
2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=3)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) initialized
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2018.07.04 09:59:36 LOG7[0]: New session callback
2018.07.04 09:59:36 LOG7[0]: Peer certificate was cached (1241 bytes)
2018.07.04 09:59:36 LOG7[0]:      1 client connect(s) requested
2018.07.04 09:59:36 LOG7[0]:      1 client connect(s) succeeded
2018.07.04 09:59:36 LOG7[0]:      0 client renegotiation(s) requested
2018.07.04 09:59:36 LOG7[0]:      0 session reuse(s)
2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null
2018.07.04 09:59:36 LOG7[0]: Sending close_notify alert
2018.07.04 09:59:36 LOG7[0]: TLS alert (write): warning: close notify
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) closed
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] finished (0 left)
2018.07.04 09:59:36 LOG7[0]: Deallocating section defaults
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe
2018.07.04 09:59:36 LOG7[main]: Processing SIGNAL_TERMINATE
2018.07.04 09:59:36 LOG7[main]: Leak detection table utilization: 86/997, 8.63%
2018.07.04 09:59:36 LOG7[main]: Removed pid file /opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid
2018.07.04 09:59:36 LOG7[main]: Deallocating section defaults

Regards,

Ian Bamforth
Senior Software Engineer
Operations & Planning Systems Division

T:  +44 (0)113 344 3970<tel:00441133443970>
M: +44 (0)7852 404240<tel:00447852404240>
E:  Ian.Bamforth at tracsis.com<mailto:Ian.Bamforth at tracsis.com>
W: www.tracsis.com<https://www.tracsis.com>
www.tracsisops.com<http://www.tracsisops.com>

Follow Us
[https://static.tracsis.com/email/lin2.png]<https://www.linkedin.com/company/972873?trk=tyah&trkInfo=idx:1-1-1,tarId:1420795682492,tas:tracsis>  [https://static.tracsis.com/email/twi2.png] <https://www.twitter.com/tracsis>

Tracsis plc
Leeds Innovation Centre
103 Clarendon Road
Leeds
LS2 9DF

[https://static.tracsis.com/email/award4.png]
Tracsis Operations and Planning Systems Division is a Division of Tracsis plc and comprises Tracsis plc (05019106), Tracsis Rail Consultancy Limited (05047148), Safety Information Systems Limited trading as COMPASS (02588404) and Tracsis Retail and Operations Limited (04225250), all subsidiaries of Tracsis plc with a registered office at Leeds Innovation Centre,103 Clarendon Road, Leeds, LS2 9DF. VAT Registration No: 945 7876 61. This email and its attachments may be confidential and are intended solely for the use of the individual(s) to whom it is addressed. If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone. Please contact the sender if you believe you have received this email in error.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180710/f7d775ad/attachment.html>


More information about the stunnel-users mailing list