[stunnel-users] stunnel with OpenSSL engine: reload leaks HSM connections?

Eric Eberhard flash at vicsmba.com
Thu Sep 26 19:20:24 CEST 2019

Try running in inetd mode -- even if you don't like this you will learn
something.  Inetd will close connections as needed.  E

-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of
Lynch, Andrew
Sent: Thursday, September 26, 2019 5:56 AM
To: stunnel-users at stunnel.org
Subject: [stunnel-users] stunnel with OpenSSL engine: reload leaks HSM


We are using stunnel as a server to terminate incoming TLS connections.  The
config has around 70 services with certificates whose EC private keys are
stored in an HSM and accessed using an OpenSSL engine.

Over time, after numerous reloads of stunnel (kill -HUP) the HSM reports
that its connection table is full.  Logging from the engine shows that
stunnel is never freeing the keys and therefore the engine is not closing
the associated sessions with the HSM.  Each stunnel reload opens 70 new
sessions until eventually the HSM's configured limit is exceeded.

This behaviour has been observed on Suse Enterprise Linux 12.3 with the
system-provided stunnel-5.00-4.3.4, but I can reproduce it with my own build
of the current version 5.55.

Is this a known issue?  It appears that other (ephemeral) keys are being
freed, just not those associated with the service certificates.

Currently our workaround is to perform a full restart instead of a reload.
This closes all HSM sessions when the process terminates, but of course it
also kills any open client connections so it can only be done during the
scheduled maintenance windows.


stunnel-users mailing list
stunnel-users at stunnel.org

More information about the stunnel-users mailing list