<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi,</div><div class=""><br class=""></div><div class="">I am experiencing an issue with version 4.29, which is the version available on yum for CentOS 6. </div><div class="">I am getting the following error: "Unexpected socket close (read_blocking)".</div><div class="">This error only occurs once per stunnel instance upon the first connection only.</div><div class="">More recent versions of stunnel do not have this problem, but I am hoping to work around this issue on the default version for this OS.</div><div class="">My hosts.allow and hosts.deny files are both empty. I have tried adding my services to hosts.allow, but it did not have any noticeable effect.</div><div class=""><br class=""></div><div class="">This is the version that I am using (installed with "yum install stunnel"):</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">$ stunnel -version</div><div class="">stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.1e-fips 11 Feb 2013</div><div class="">Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP</div><div class=""> </div><div class="">Global options</div><div class="">debug = 5</div><div class="">pid = /var/run/stunnel.pid</div><div class="">RNDbytes = 64</div><div class="">RNDfile = /dev/urandom</div><div class="">RNDoverwrite = yes</div><div class=""> </div><div class="">Service-level options</div><div class="">cert = /etc/stunnel/stunnel.pem</div><div class="">ciphers = FIPS</div><div class="">key = /etc/stunnel/stunnel.pem</div><div class="">session = 300 seconds</div><div class="">stack = 65536 bytes</div><div class="">sslVersion = TLSv1</div><div class="">TIMEOUTbusy = 300 seconds</div><div class="">TIMEOUTclose = 60 seconds</div><div class="">TIMEOUTconnect = 10 
seconds</div><div class="">TIMEOUTidle = 43200 seconds</div><div class="">verify = none</div></blockquote><div class=""><br class=""></div><div class="">This is what my demonstration setup looks like:</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">nc_client --TCP--> stunnel_client (2000) --SSL--> stunnel_server (2100) --TCP--> nc_server (2200)</div></blockquote><div class=""><br class=""></div><div class="">Steps to reproduce:</div><div class=""><br class=""></div><div class="">(1) Start the netcat TCP server.</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">$ nc -l 2200</div></blockquote><div class=""><br class=""></div><div class="">(2) Leave the server open and open a new terminal for the rest of the commands.</div><div class=""><br class=""></div><div class="">(3) Create “client_config.txt” with the following contents:</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">pid = /tmp/client_stunnel.pid</div><div class="">debug = 7</div><div class="">output = /tmp/client_stunnel.log</div><div class="">client = yes</div><div class="">ciphers = ALL</div><div class="">fips = no</div><div class="">foreground = no</div><div class=""><br class=""></div><div class="">[CLIENT_PROXY_0]</div><div class="">accept = 0.0.0.0:2000</div><div class="">connect = 127.0.0.1:2100</div></blockquote><div class=""><br class=""></div><div class="">(4) Create “server_config.txt” with the following contents:</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">pid = /tmp/server_stunnel.pid</div><div class="">debug = 7</div><div class="">output = /tmp/server_stunnel.log</div><div class="">client = no</div><div class="">ciphers = ALL</div><div class="">fips = no</div><div class="">cert = /tmp/server_stunnel.pem</div><div class="">foreground = no</div></blockquote><div class=""><br 
class=""></div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">[SVR_PROXY_0]</div><div class="">accept = 0.0.0.0:2100</div><div class="">connect = 127.0.0.1:2200</div></blockquote><div class=""><br class=""></div><div class="">(5) Start the stunnel client:</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">$ cat client_config.txt | stunnel -fd 0</div></blockquote><div class=""><br class=""></div><div class="">(6) Start the stunnel server:</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">$ cat server_config.txt | stunnel -fd 0</div></blockquote><div class=""><br class=""></div><div class="">(7) Send three sequential messages through stunnel to the netcat server:</div><blockquote class="" style="margin: 0px 0px 0px 40px; border: none; padding: 0px;"><div class="">$ echo "Test 1" | nc 127.0.0.1 2000 </div><div class="">$ echo "Test 2" | nc 127.0.0.1 2000 </div><div class="">$ echo "Test 3" | nc 127.0.0.1 2000 </div></blockquote><div class=""><br class=""></div><div class="">(8) You should see only “Test 3” appear at the netcat server.</div><div class=""><br class=""></div><div class="">“Test 1” will have failed to pass from the stunnel client to the stunnel server and the log will report an “Unexpected socket close (read_blocking)” error.</div><div class="">“Test 2” is not the first connection for the stunnel client, so it will pass through to the stunnel server successfully. But because it is the first connection for the stunnel server, it will fail there with the same error.</div><div class="">“Test 3” is not the first connection for either the stunnel client or stunnel server, so it will make it through successfully to the netcat server. 
All subsequent connections will work.</div><div class=""><br class=""></div><div class="">Basically my question is: Is there any way to make this setup work on the first connection with version 4.29, or is a new version necessary?</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Matthew</div></body></html>
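An added example, not from the original post: a Python probe that automates the reproduction's listener step and the three `echo ... | nc` sends, then reports which messages never reached the listener, so the first-connection drop can be checked mechanically on a given stunnel build. The ports 2000 and 2200 are the report's; `probe()` with no arguments is an assumed baseline that sends straight to the listener with no stunnel in between, which must deliver every message.

```python
import socket
import threading

def start_sink(port=0):
    """Stand-in for `nc -l`: records each payload received on 127.0.0.1:port (0 = any free port)."""
    received, stop = [], threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    srv.settimeout(0.2)  # short accept timeout so the loop can notice the stop event
    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:  # the one-shot "Test N" messages fit in a single read
                conn.settimeout(2.0)
                try:
                    data = conn.recv(4096)
                except (socket.timeout, ConnectionError):
                    data = b""
            received.append(data.decode(errors="replace").strip())
        srv.close()
    t = threading.Thread(target=loop, daemon=True)
    t.start()
    return received, stop, t, srv.getsockname()[1]

def send_one_shot(port, message, timeout=2.0):
    """Equivalent of `echo message | nc 127.0.0.1 port`; returns an error string or None."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(message.encode() + b"\n")
            s.shutdown(socket.SHUT_WR)
            s.recv(4096)  # returns b"" once the far end closes, like nc waiting for EOF
    except OSError as exc:  # refused, timed out, or reset by a tunnel that dropped us
        return str(exc)
    return None

def probe(proxy_port=None, sink_port=0, count=3):
    """Send `count` sequential messages via proxy_port (None = straight to the sink, the baseline)."""
    received, stop, t, bound = start_sink(sink_port)
    sent = [f"Test {i}" for i in range(1, count + 1)]
    errors = {m: err for m in sent if (err := send_one_shot(proxy_port or bound, m))}
    stop.set()
    t.join(timeout=5)
    return {"sent": sent, "received": list(received),
            "lost": [m for m in sent if m not in received], "errors": errors}
```

With the report's stunnel client and server running, `probe(proxy_port=2000, sink_port=2200)` replaces the manual steps; the behaviour the report describes would appear as `"lost": ["Test 1", "Test 2"]`, while a fixed build should return an empty `lost` list.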