[stunnel-users] Strange connection failure in one environment

Christopher Schultz chris at christopherschultz.net
Fri Oct 25 16:09:00 CEST 2019


All,

I've been using stunnel in two environments (dev, prod) for a long time
without any problems. Recently, my dev environment started acting funny
and I can't connect to it from outside the box.

Can someone take a look and let me know if you have any suggestions for
where to look for a problem?

Both environments have the following things in common:

1. Hosted in Amazon EC2, no load-balancer in the way
2. Configuration requires client-certificate to connect
3. All certificates are valid, self-signed, and properly-trusted by both
sides
4. TLS configuration has been locked-down to TLSv1.2, selected cipher
suites, FIPS mode=off
5. All versions are the same: stunnel 4.56 w/OpenSSL 1.0.2k-fips

The production (working) environment happens to be i686 and the
development environment happens to be x86-64, but I don't believe that
is relevant.

When I use e.g. "openssl s_client" to connect to the production
environment and I *do not* provide a client certificate, I am able to
perform the initial TLS handshake, get a cipher suite negotiated, etc.
and then the connection fails because I didn't provide the client
certificate, of course. I *can* see in the handshake the list of allowed
client certificates.

When I do the same in development, I get a handshake failure. No allowed
client certificates are shown. No nothing.

If I connect on localhost to the dev server, I get what I'm expecting:
allowed client certificates are listed, connection is closed because I'm
not using the client certificate. Connecting from another host gets me a
handshake failure.

Again, there are no load-balancers or anything between the outside and
the EC2 instance. I'm connecting as directly as it's possible to
connect. The box definitely allows incoming connections on the port I'm
trying to use; the AWS security group is configured correctly.

I have tried dropping ALL security configuration on the dev server's
stunnel.conf such as client-cert requirements, TLS protocols, cipher
suites, etc. and I get the same behavior every time. I'm starting to
think that it has nothing to do with my stunnel.conf configuration at
all, but I'm at a loss as to where to look, next.

Any ideas?

-chris
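The localhost-versus-remote comparison described in the message can be made mechanical: the discriminating signal is whether "openssl s_client" ever receives the server's list of acceptable client-certificate CAs before the alert arrives. The helper below is an added example, not part of the original post or of stunnel; the hostnames, ports and sample s_client excerpts in it are constructed.

```shell
# Added diagnostic helper (not from the original post): runs the same
# "openssl s_client" probe the message describes and classifies the result,
# so a localhost run and a remote run can be compared side by side.
# Sample outputs below are constructed excerpts, not captured from the author's hosts.

# Classify captured s_client output by how far the handshake got:
#   CERT_REQUESTED     CA list present; the later alert is only the missing
#                      client certificate (the "working" production behaviour)
#   HANDSHAKE_FAILURE  alert with no CA list: handshake died before CertificateRequest
#   CONNECT_FAILED     TCP never connected (port, firewall or security group)
classify_s_client_output() {
    case "$1" in
        *"connect:errno"*|*"Connection refused"*|*"timed out"*)
            echo CONNECT_FAILED ;;
        *"Acceptable client certificate CA names"*)
            echo CERT_REQUESTED ;;
        *"handshake failure"*)
            echo HANDSHAKE_FAILURE ;;
        *)
            echo UNKNOWN ;;
    esac
}

# Probe host:port with the same TLS 1.2 constraint the author uses, print the
# classification and any CA list the server sent, so two environments can be diffed.
probe_tls_endpoint() {
    out=$(openssl s_client -connect "$1:$2" -tls1_2 -showcerts </dev/null 2>&1)
    echo "$1:$2 -> $(classify_s_client_output "$out")"
    printf '%s\n' "$out" | sed -n '/Acceptable client certificate CA names/,/^---$/p'
}

# Constructed s_client excerpts mirroring the two behaviours in the post.
SAMPLE_PROD='CONNECTED(00000003)
---
Acceptable client certificate CA names
/C=US/O=Example/CN=Example Client CA
---
139:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40'
SAMPLE_DEV='CONNECTED(00000003)
139:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
No client certificate CA names sent
SSL handshake has read 7 bytes and written 289 bytes'

# With host and port arguments probe live; otherwise classify the samples.
if [ "$#" -eq 2 ]; then
    probe_tls_endpoint "$1" "$2"
else
    echo "prod sample: $(classify_s_client_output "$SAMPLE_PROD")"
    echo "dev sample:  $(classify_s_client_output "$SAMPLE_DEV")"
fi
```

Running it once against the dev box from localhost and once from another host should yield CERT_REQUESTED versus HANDSHAKE_FAILURE if the symptom is as described; a CONNECT_FAILED result instead would point below TLS entirely.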
