[stunnel-users] S-tunnel will not send TLS

Peter Pentchev roam at ringlet.net
Fri Mar 13 12:53:07 CET 2020


On Fri, Mar 13, 2020 at 11:19:16AM +0000, Jan Falk wrote:
> Peter Pentchev wrote:
> > On Fri, Mar 13, 2020 at 09:42:27AM +0000, Jan Falk wrote:
> > > Hi.
> > > Can someone tell me why Stunnel stops at waiting 10s? Log:
> > > 
> > > 2020.03.12 09:43:36 LOG6[main]: Initializing service 
> > > [x3_x4_DICOM_BFT_client]
> > [snip]
> > > 2020.03.12 09:44:37 LOG7[0]: Service [x3_x4_HL7_BFT_client] started
> > > 2020.03.12 09:44:37 LOG7[0]: Setting local socket options (FD=508)
> > > 2020.03.12 09:44:37 LOG7[0]: Option TCP_NODELAY set on local socket
> > > 2020.03.12 09:44:37 LOG5[0]: Service [x3_x4_HL7_BFT_client] accepted 
> > > connection from 127.0.0.1:50299
> > > 2020.03.12 09:44:37 LOG6[0]: s_connect: connecting 10.67.6.106:6161
> > > 2020.03.12 09:44:37 LOG7[0]: s_connect: s_poll_wait 10.67.6.106:6161: 
> > > waiting 10 seconds
> > 
> > Have you made sure that there is something listening on port 6161 of the
> > 10.67.6.106 host and that the host that stunnel is running on can
> > establish a connection to it? No firewalls, no routing problems or
> > anything like that?
> > 
> > What happens if you run - on the host that stunnel runs on - this:
> > 
> >   nc -v -z 10.67.6.106 6161
> > 
> > ...and also, if stunnel is supposed to establish a secure connection to
> > that host (that is, if stunnel is working in client mode):
> > 
> >   openssl s_client -connect 10.67.6.106:6161
> > 
> > The first command should exit immediately and tell you that a TCP
> > connection was established successfully; the second one should also try
> > to negotiate a TLS connection and show you what the server on the other
> > side tells you after the connection has been established.
> 
> Thanks Peter for a quick reply.
> 
> Yes, we have a connection with the receiving server; in Wireshark I can see
> that we get three ACKs on establishment. As I understand it, on the third
> ACK the TLS is supposed to be sent, but instead my Stunnel halts at the 10
> sec. And there I stand.....
> 
> The receiving server does not reply to non-encrypted communication.

OK, so at least the network troubles may be ruled out... to some extent.

Can you show us your stunnel configuration file? Is stunnel supposed to
connect to this service in its client mode (stunnel accepts a plaintext
connection and connects to a TLS service), or in server mode (stunnel
accepts a TLS connection, connects to a plaintext service)?

If stunnel is supposed to run in client mode, that means that whatever
is listening for incoming TCP connections on 10.67.6.106:6161 should not
only accept the connection, but also start a TLS negotiation, and
the "openssl s_client" command I posted above should show you this TLS
negotiation. If this does not happen - if s_client does not show you
a TLS negotiation, server names, certificates, etc - then something is
wrong with the service running at 10.67.6.106:6161; you should make sure
that this is fixed before attempting to get stunnel to talk to it.

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
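A small probe, added here as an example (it is not part of the thread and not stunnel's own code), that automates the two checks Peter describes in order: a plain TCP connect, then a TLS handshake on the same connection, and reports which of the two fails. The stub listener is a constructed test double for a peer that accepts TCP but only ever talks cleartext, which is the situation stunnel's client mode would stall against.

```python
import socket
import ssl
import threading
from dataclasses import dataclass

@dataclass
class ProbeResult:
    tcp_ok: bool   # TCP handshake completed (what `nc -v -z` checks)
    tls_ok: bool   # peer completed a TLS handshake (what `openssl s_client` checks)
    detail: str

def probe_tls_endpoint(host: str, port: int, timeout: float = 10.0) -> ProbeResult:
    """Run the two checks from the thread in order: plain TCP connect, then TLS."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ProbeResult(False, False, f"TCP connect failed: {exc}")
    # Diagnosis only: verification is disabled so we learn whether the peer speaks
    # TLS at all; a real stunnel client config keeps certificate verification on.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ProbeResult(True, True, f"{tls.version()} with {tls.cipher()[0]}")
    except socket.timeout:
        return ProbeResult(True, False, f"TCP accepted but no TLS ServerHello within {timeout}s")
    except ssl.SSLError as exc:
        return ProbeResult(True, False, f"peer answered in cleartext, not TLS: {exc.reason}")
    except OSError as exc:
        return ProbeResult(True, False, f"connection dropped during TLS handshake: {exc}")

def start_plaintext_stub(banner: bytes) -> int:
    """Constructed test double: a listener that accepts TCP but talks cleartext only,
    i.e. the kind of peer stunnel's client mode would stall against. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)        # cleartext greeting instead of a ServerHello
            conn.recv(4096)             # swallow the probe's ClientHello, then hang up
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against the stub the probe reports tcp_ok but not tls_ok, which is the same split as "nc succeeds, s_client shows no negotiation" in the thread; pointed at the real 10.67.6.106:6161 it tells you which side of that split the peer is on.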