Hello,<br><br>We recently implemented Stunnel on CentOS 5.6 for SSL offloading for our Java application. The application has applets that communicate Java objects over HTTPS to a Tomcat server on the server side. We have it set up in front of our Alteon/Radware load balancer. This hardware load balancer is capable of SSL load balancing, but has produced a very specific packet reset that only presents itself in SSL processing. We decided to implement Stunnel in front of this load balancer to fix this problem. SSL offloading was working great with Stunnel until we ran into Java 7. If I run any version of our applets on Java 6 they work. If I run Java 7 they do not work. <br>
<br>I have tried Googling and looking for this error, but I have only found some references to SNI... is this correct? Is there anything I can do? <br>
<br>Please forgive me if I have omitted any details; I will be more than happy to include a packet capture or other details if needed.<br><br>I compiled stunnel with the following options:<br>./configure --disable-libwrap --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc --with-ssl=/usr/local/ssl<br>
<br>I also compiled OpenSSL 1.0.0d with the following:<br>./Configure threads shared linux-generic64<br><br>stunnel -version<br>No limit detected for the number of clients<br>signal_pipe: FD=3 allocated (non-blocking mode)<br>
signal_pipe: FD=4 allocated (non-blocking mode)<br>stunnel 4.42 on x86_64-unknown-linux-gnu platform<br>Compiled/running with OpenSSL 1.0.0d 8 Feb 2011<br>Threading:PTHREAD SSL:ENGINE Auth:none Sockets:POLL,IPv6<br>stunnel 4.42 on x86_64-unknown-linux-gnu platform<br>
Compiled/running with OpenSSL 1.0.0d 8 Feb 2011<br>Threading:PTHREAD SSL:ENGINE Auth:none Sockets:POLL,IPv6<br><br>Global option defaults<br>debug = daemon.notice<br>pid = /usr/local/var/run/stunnel/stunnel.pid<br>
RNDbytes = 64<br>RNDfile = /dev/urandom<br>RNDoverwrite = yes<br><br>Service-level option defaults<br>ciphers = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH<br>curve = prime256v1<br>session = 300 seconds<br>
sslVersion = TLSv1 for client, all for server<br>stack = 65536 bytes<br>TIMEOUTbusy = 300 seconds<br>TIMEOUTclose = 60 seconds<br>TIMEOUTconnect = 10 seconds<br>TIMEOUTidle = 43200 seconds<br>verify = none<br>
str_stats: 112 block(s), 4046 byte(s)<br><br><br>stunnel.conf<br>cert=/etc/stunnel/stunnel.pem<br>debug=7<br>output=/var/log/stunnel.log<br>socket=l:TCP_NODELAY=1<br>socket=r:TCP_NODELAY=1<br>[https]<br>accept=0.0.0.0:443<br>
connect=172.16.18.100:80<br>
session = 300<br>TIMEOUTbusy = 300<br>TIMEOUTconnect = 10<br>TIMEOUTidle = 43200<br>client = no<br><br><br>stunnel.log<br>2011.08.22 16:58:49 LOG7[438154:47689394220768]: Service https accepted FD=2 from 10.0.11.27:46830<br>
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https started<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: Option TCP_NODELAY set on local socket<br>2011.08.22 16:58:49 LOG5[438154:1104877888]: Service https accepted connection from 10.0.11.27:46830<br>
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): before/accept initialization<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 read client hello A<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write server hello A<br>
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate A<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write key exchange A<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate request A<br>
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 flush data<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL alert (read): fatal: internal error<br><span style="background-color: rgb(255, 255, 102);">2011.08.22 16:58:49 LOG3[438154:1104877888]: SSL_accept: 14094438: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error</span><br>2011.08.22 16:58:49 LOG5[438154:1104877888]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https finished (1 left)<br>2011.08.22 16:58:49 LOG7[438154:1104877888]: str_stats: 0 block(s), 0 byte(s)<br>
2011.08.22 16:59:01 LOG7[438154:1104947520]: Socket closed on read<br>2011.08.22 16:59:01 LOG7[438154:1104947520]: Sending SSL write shutdown<br>2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (write): warning: close notify<br>
2011.08.22 16:59:01 LOG6[438154:1104947520]: SSL_shutdown successfully sent close_notify<br>2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (read): warning: close notify<br>2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL closed on SSL_read<br>
2011.08.22 16:59:01 LOG7[438154:1104947520]: Sending socket write shutdown<br>2011.08.22 16:59:01 LOG5[438154:1104947520]: Connection closed: 49445 bytes sent to SSL, 8175 bytes sent to socket<br><br>-- <br>
<p>Thank You,<br><span style="color:rgb(31, 73, 125)">Andrew Heuneman<br></span><span style="color:rgb(31, 73, 125)">Senior Systems Administrator<br></span><span style="color: rgb(31, 73, 125);">Reading Plus®/Taylor Associates</span></p>
<p><span style="color:rgb(31, 73, 125)"></span><span style="color:rgb(31, 73, 125)">Helping students become
proficient silent readers.<br></span><span style="color:rgb(31, 73, 125)"><<a href="http://twitter.com/readingplus" target="_blank">http://twitter.com/readingplus</a>><br></span><span style="color:rgb(31, 73, 125)"><<a href="http://www.facebook.com/pages/Reading-Plus/165970877038" target="_blank">http://www.facebook.com/pages/Reading-Plus/165970877038</a>></span></p>
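The stunnel log quoted above is a debug=7 trace, so the "SSL state" lines record exactly which handshake messages stunnel had written when the client answered. The script below is an added example, not code from the post or from the stunnel project: it groups such lines by stunnel thread id (stunnel runs one thread per connection), and for every connection that ended before carrying application data it reports the last handshake state reached, the fatal alert, and whether that alert was received from the peer ("read") or sent by stunnel ("write"). SAMPLE_LOG is constructed in the same format, with one thread modelled on the failing Java 7 connection in the post and a second connection that completes normally.

```python
import re
from collections import OrderedDict

# One stunnel 4.x log line: "YYYY.MM.DD HH:MM:SS LOG<level>[<pid>:<thread>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
STATE_RE = re.compile(r"^SSL state \((?:accept|connect)\): (?P<state>.+)$")
ALERT_RE = re.compile(
    r"^SSL alert \((?P<direction>read|write)\): (?P<severity>fatal|warning): (?P<desc>.+)$"
)
PEER_RE = re.compile(r"^Service \S+ accepted connection from (?P<peer>\S+)$")
END_RE = re.compile(
    r"^Connection (?P<how>reset|closed): (?P<to_ssl>\d+) bytes sent to SSL, "
    r"(?P<to_socket>\d+) bytes sent to socket$"
)

# Constructed sample in the format of the log quoted in the post: thread
# 1104877888 fails like the Java 7 client there, thread 1104947520 succeeds.
SAMPLE_LOG = """\
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https started
2011.08.22 16:58:49 LOG5[438154:1104877888]: Service https accepted connection from 10.0.11.27:46830
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): before/accept initialization
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 read client hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write server hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write key exchange A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate request A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 flush data
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL alert (read): fatal: internal error
2011.08.22 16:58:49 LOG3[438154:1104877888]: SSL_accept: 14094438: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
2011.08.22 16:58:49 LOG5[438154:1104877888]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.08.22 16:59:01 LOG5[438154:1104947520]: Service https accepted connection from 10.0.11.28:51000
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL state (accept): SSLv3 read client hello A
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL state (accept): SSLv3 flush data
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (write): warning: close notify
2011.08.22 16:59:01 LOG5[438154:1104947520]: Connection closed: 49445 bytes sent to SSL, 8175 bytes sent to socket
"""


def parse_stunnel_log(text):
    """Group log lines by stunnel thread id; stunnel uses one thread per connection."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, version banner, etc.
        c = conns.setdefault(m.group("tid"), {
            "peer": None, "states": [], "alerts": [], "errors": [],
            "end": None, "to_ssl": 0, "to_socket": 0,
        })
        msg = m.group("msg")
        if s := STATE_RE.match(msg):
            c["states"].append(s.group("state"))
        elif a := ALERT_RE.match(msg):
            c["alerts"].append((a.group("direction"), a.group("severity"), a.group("desc")))
        elif p := PEER_RE.match(msg):
            c["peer"] = p.group("peer")
        elif e := END_RE.match(msg):
            c["end"] = e.group("how")
            c["to_ssl"], c["to_socket"] = int(e.group("to_ssl")), int(e.group("to_socket"))
        elif int(m.group("level")) <= 3:  # LOG3 (err) and below: OpenSSL/stunnel errors
            c["errors"].append(msg)
    return conns


def failed_handshakes(text):
    """Connections that hit a fatal alert or an error before any data crossed the tunnel.

    'last_state' is the last handshake step stunnel logged, i.e. which flight the
    peer was reacting to; alert direction 'read' means the peer sent it."""
    failures = []
    for tid, c in parse_stunnel_log(text).items():
        fatal = [a for a in c["alerts"] if a[1] == "fatal"]
        if not fatal and not c["errors"]:
            continue
        if c["to_ssl"] or c["to_socket"]:
            continue  # data flowed, so the handshake itself completed
        failures.append({
            "tid": tid,
            "peer": c["peer"],
            "last_state": c["states"][-1] if c["states"] else None,
            "alert": fatal[0] if fatal else None,
            "errors": c["errors"],
        })
    return failures


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in failed_handshakes(text):
        sent_by = "client sent" if f["alert"] and f["alert"][0] == "read" else "stunnel sent"
        desc = f["alert"][2] if f["alert"] else "no alert, see errors"
        print(f"{f['peer']}: stopped after '{f['last_state']}', {sent_by} {desc}")
```

Run it with the path to the real stunnel.log as its only argument, or with no argument to process the constructed sample. Applied to the trace in the post, the failing connection stops after "SSLv3 flush data" with an alert in the "read" direction: stunnel had written its ServerHello, Certificate, ServerKeyExchange and CertificateRequest messages and flushed them, and the alert is the client's response to that server flight, so the client had already accepted the ClientHello/ServerHello exchange and objected to something in what followed. Collecting the last state and alert direction across many connections, separated by client, is a quick way to confirm that only one client population (here, Java 7) fails and always at the same point.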