<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">Please see highlighted below:</div><div class="gmail_quote"><br></div><div class="gmail_quote">On Fri, May 8, 2015 at 5:27 PM, David H. Durgee <span dir="ltr"><<a href="mailto:dhdurgee@verizon.net" target="_blank">dhdurgee@verizon.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">At some point in the near past stunnel stopped working on my laptop. The laptop is running Linux Mint 17.1 Rebecca x64 and stunnel from the repositories. I enabled debug=7, but I am not getting much from the log:<br>
<br>
<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Clients allowed=500<br>
<b style="background-color:rgb(255,255,0)">2015.05.08 17:12:06 LOG5[10804:140318864611136]: stunnel 4.53 on x86_64-pc-linux-gnu platform<br>
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Compiled with OpenSSL 1.0.1e 11 Feb 2013<br>
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Running with OpenSSL 1.0.1f 6 Jan 2014<br>
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Update OpenSSL shared libraries or rebuild stunnel</b></blockquote><div><br></div><div>Is there a reason that you're using libraries from a different compiled Stunnel? In fact, isn't there another Stunnel package you can use that is more up-to-date? If not, perhaps compile your own using the OpenSSL libraries that come with Mint.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6<br>
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Reading configuration from file /etc/stunnel/stunnel.conf<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Compression not enabled<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: PRNG seeded successfully<br>
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [telnets]<br>
<b style="background-color:rgb(255,255,0)">2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem</b></blockquote><div><br></div><div>Warning: the permissions may be too wide-open (should be 700 I assume)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004<br>
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [dsp3270s]<br>
<b style="background-color:rgb(255,255,0)">2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem</b></blockquote><div><br></div><div>Same as above, perhaps too wide open; permissions should be 700 I assume.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004<br>
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Configuration successful<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [telnets] (FD=12) bound to 0.0.0.0:3141<br>
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [dsp3270s] (FD=13) bound to 0.0.0.0:7490<br>
2015.05.08 17:12:06 LOG7[10810:140318864611136]: Created pid file /stunnel4.pid<br>
2015.05.08 17:12:31 LOG7[10810:140318864611136]: Service [telnets] accepted (FD=3) from 127.0.0.1:40090<br>
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] started<br>
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Waiting for a libwrap process<br>
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Acquired libwrap process #0<br>
<b style="background-color:rgb(255,255,0)">2015.05.08 17:12:31 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)<br>
2015.05.08 17:12:31 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket<br>
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Local socket (FD=3) closed</b></blockquote><div><br></div><div>That sounds like SELinux permissions perhaps? Have you tried temporarily disabling SELinux, or perhaps you have a firewall (iptables) set up? You'll have to allow the incoming port and possibly an entry in /etc/services IIRC. I don't know if this helps, but this is what I found:</div><div><a href="https://sites.google.com/site/easylinuxtipsproject/security">https://sites.google.com/site/easylinuxtipsproject/security</a><br></div><div>A link to "ufw" may prove useful, if your system has that installed. Most systems have locked-down privileged ports (any port less than 1024, like in your example).</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br>
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] finished (0 left)<br>
2015.05.08 17:12:31 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)<br>
2015.05.08 17:13:32 LOG7[10810:140318864611136]: Service [dsp3270s] accepted (FD=3) from 127.0.0.1:48534<br>
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] started<br>
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Waiting for a libwrap process<br>
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Acquired libwrap process #1<br>
<b style="background-color:rgb(255,255,0)">2015.05.08 17:13:32 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)</b><br></blockquote><div><br></div><div>That sounds like some kind of firewall issue (like above).</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
2015.05.08 17:13:32 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket<br>
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Local socket (FD=3) closed<br>
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] finished (0 left)<br>
2015.05.08 17:13:32 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)<br>
<br></blockquote><div><br></div><div> When in a situation like this, I would first try unprivileged ports on localhost using iperf, just to generate some dummy traffic. A good technique I use when debugging stunnel, as opposed to debugging networking or other security issues, is to do local traffic only, like this:</div><div><div><ol><li>iperf client connects to localhost port 5000</li><li>Stunnel client listens on port 5000, connects to localhost port 6000</li><li>Stunnel server listens on port 6000, connects to localhost port 7000</li><li>iperf server listens on localhost port 7000</li></ol><div>As you can see from that, running the iperf client for a few seconds should get it through to the iperf server. If not, stunnel is not working. Debug this FIRST before proceeding to work with non-localhost IP addresses. The actual procedure would be as follows:</div></div><ol><li>Download/install iperf</li><li>Verify iperf works by having one shell run it as a server, listening on localhost port 7000, and another shell run the iperf client sending to port 7000. If that works, then proceed. Don't use iperf to connect to port 7000 again.</li><li>Set up two config files, one for the stunnel client and one for the stunnel server, with different ports and "client=yes" in the client config file. For easier detection with "ps" or "top", you can copy the executable file to another name (e.g., "s4client" for the stunnel 4 client and "s4server" for the stunnel 4 server). Similarly for iperf, you can copy the exe to "iperfc" for the iperf client and "iperfs" for the iperf server, for easier process detection.</li><li>Start up the stunnel server first, then the stunnel client, with the appropriate config files per the port enumeration mentioned above.</li><li>Start the iperf server listening on port 7000.</li><li>Start the iperf client sending to port 5000. If you get some really large value or nothing, then your stunnel config (client/server) needs to be debugged first before proceeding to non-localhost IPs. I usually get something like 3GB/sec when using a Windows 7 VM inside Windows 7 doing this from DOS prompts with appropriate server/client configs set up. I usually use four windows: two for iperf (c/s), two for stunnel (c/s).</li></ol><div>Hope that helps...</div></div><div> -Rob</div></div></div></div>
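<div>The loopback chain Rob lays out above (iperf client → stunnel client on 5000 → stunnel server on 6000 → iperf server on 7000), written down as a script. This is an added example, not code from the thread or from the stunnel project: the scratch directory, the <code>stunnel4</code> binary name (the Debian/Mint package), iperf 2 command-line syntax, the throwaway self-signed certificate and the section names are all assumptions. The <code>key_perms_ok</code> check reproduces the condition behind the "Insecure file permissions" warning in David's log, so the generated key file is created in a way stunnel will not complain about.</div>

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed tools: stunnel 4.x
# installed as "stunnel4", iperf with version-2 syntax, and openssl.
# Ports follow the post: iperf client -> 5000 (stunnel client, TLS out)
#                        -> 6000 (stunnel server, TLS in) -> 7000 (iperf server).
WORK="${WORK:-/tmp/stunnel-loopback}"   # hypothetical scratch directory
STUNNEL_BIN="${STUNNEL_BIN:-stunnel4}"  # Debian/Mint binary name for stunnel 4

# stunnel server side: terminate TLS on 127.0.0.1:6000, hand plaintext to iperf on 7000.
server_conf() {
    cat <<EOF
foreground = yes
debug = 7
pid = $WORK/s4server.pid
cert = $WORK/loopback.pem
key = $WORK/loopback.pem

[iperf-server]
accept = 127.0.0.1:6000
connect = 127.0.0.1:7000
EOF
}

# stunnel client side: take plaintext from iperf on 5000, wrap it in TLS towards 6000.
# No cert/key needed here, since the server does not ask for a client certificate.
client_conf() {
    cat <<EOF
foreground = yes
debug = 7
pid = $WORK/s4client.pid
client = yes

[iperf-client]
accept = 127.0.0.1:5000
connect = 127.0.0.1:6000
EOF
}

# The "Insecure file permissions" warning from the log: the file holding the
# private key must not be readable or writable by group or others. Returns 0
# only when all six group/other permission bits are clear (e.g. mode 600).
key_perms_ok() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Write both configs plus a throwaway self-signed cert and key into $WORK.
setup() {
    mkdir -p "$WORK"
    server_conf > "$WORK/s4server.conf"
    client_conf > "$WORK/s4client.conf"
    # Key and certificate in one PEM, as stunnel's own stunnel.pem is laid out.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=loopback-test \
        -keyout "$WORK/loopback.pem" -out "$WORK/loopback.crt" >/dev/null 2>&1
    cat "$WORK/loopback.crt" >> "$WORK/loopback.pem"
    chmod 600 "$WORK/loopback.pem"
    key_perms_ok "$WORK/loopback.pem"
}

# Start order from the post: stunnel server, stunnel client, iperf server,
# then the iperf client for three seconds. Everything stays on 127.0.0.1, so a
# failure here is the stunnel pair itself, not a firewall or a remote host.
run_loopback_test() {
    setup
    "$STUNNEL_BIN" "$WORK/s4server.conf" > "$WORK/s4server.log" 2>&1 &
    "$STUNNEL_BIN" "$WORK/s4client.conf" > "$WORK/s4client.log" 2>&1 &
    iperf -s -p 7000 > "$WORK/iperfs.log" 2>&1 &
    sleep 1
    iperf -c 127.0.0.1 -p 5000 -t 3
    # Look for "Unexpected socket close" in s4server.log / s4client.log afterwards.
    kill $(cat "$WORK/s4server.pid" "$WORK/s4client.pid" 2>/dev/null) 2>/dev/null
    pkill -f 'iperf -s -p 7000' 2>/dev/null
}

# Sourcing the file only defines the helpers; set RUN_LOOPBACK_TEST=1 to run it.
if [ "${RUN_LOOPBACK_TEST:-0}" = 1 ]; then
    run_loopback_test
fi
```

<div>Run it with <code>RUN_LOOPBACK_TEST=1 sh loopback.sh</code> and read the two stunnel logs next to the iperf result: with <code>debug = 7</code> the server log should show the TLS handshake completing before any bytes are counted, which is the point at which David's log instead shows the socket closing with 0 bytes sent.</div>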