<html><head></head><body><div class="ydpdad6c613yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div dir="ltr" data-setdir="false">>> <span><span style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">Over time, after numerous reloads of stunnel (kill -HUP) the HSM reports that its connection table is full. </span></span></div><div dir="ltr" data-setdir="false"><span><div><div dir="ltr" style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;">>> Logging from the engine shows that stunnel is never freeing the keys and therefore the engine is not closing the associated sessions with the HSM. Each stunnel reload opens 70 new sessions until eventually the HSM's configured limit is exceeded.<br></div><div dir="ltr" style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;"><br></div></div><div dir="ltr" style="color: rgb(38, 40, 42); font-family: Helvetica Neue, Helvetica, Arial, sans-serif;" data-setdir="false">Where does the signal dispatcher free keys on SIG_HUP?</div></span></div><div dir="ltr" data-setdir="false"><a href="https://github.com/mtrojnar/stunnel/blob/master/src/stunnel.c" rel="nofollow" target="_blank">https://github.com/mtrojnar/stunnel/blob/master/src/stunnel.c</a></div><div dir="ltr" data-setdir="false"><div><br></div><div><br></div></div></div><div id="ydpaf216824yahoo_quoted_0356605184" class="ydpaf216824yahoo_quoted"><div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;"><div><div dir="ltr">Date: Fri, 27 Sep 2019 07:23:29 +0000<br></div><div dir="ltr">From: "Lynch, Andrew" <<a href="mailto:andrew.lynch@atos.net" rel="nofollow" target="_blank">andrew.lynch@atos.net</a>><br></div><div dir="ltr">To: Eric Eberhard <<a href="mailto:flash@vicsmba.com" rel="nofollow" target="_blank">flash@vicsmba.com</a>><br></div><div dir="ltr">Cc: "<a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a>" <<a href="mailto:stunnel-users@stunnel.org" rel="nofollow" 
target="_blank">stunnel-users@stunnel.org</a>><br></div><div dir="ltr">Subject: Re: [stunnel-users] stunnel with OpenSSL engine: reload leaks HSM connections</div><div dir="ltr"><br></div><div dir="ltr">Hi Eric,<br></div><div dir="ltr"><br></div><div dir="ltr">Thank you for your suggestion. It is certainly worth looking into, although I suspect it may be impractical in our environment.<br></div><div dir="ltr"><br></div><div dir="ltr">Now we have a single stunnel.conf with 70 services which would translate into 70 additional entries in inetd.conf. Each of those entries then needs to have its own reduced stunnel.conf so that it will only load the cert and key for its endpoint.<br></div><div dir="ltr"><br></div><div dir="ltr">The stunnel HOWTO recommends daemon mode over inetd mode due to the overhead for forking and SSL initialization. We would have additional overhead for engine init and HSM connection.<br></div><div dir="ltr"><br></div><div dir="ltr">Regards,<br></div><div dir="ltr">Andrew.<br></div><div dir="ltr"><br></div><div dir="ltr">-----Original Message-----<br></div><div dir="ltr">From: Eric Eberhard [mailto:<a href="mailto:flash@vicsmba.com" rel="nofollow" target="_blank">flash@vicsmba.com</a>] <br></div><div dir="ltr">Sent: Thursday, September 26, 2019 7:20 PM<br></div><div dir="ltr">To: Lynch, Andrew; <a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br></div><div dir="ltr">Subject: RE: [stunnel-users] stunnel with OpenSSL engine: reload leaks HSM connections?<br></div><div dir="ltr"><br></div><div dir="ltr">Try running in inetd mode -- even if you don't like this you will learn something. Inetd will close connections as needed. 
E<br></div><div dir="ltr"><br></div><div dir="ltr">-----Original Message-----<br></div><div dir="ltr">From: stunnel-users [mailto:<a href="mailto:stunnel-users-bounces@stunnel.org" rel="nofollow" target="_blank">stunnel-users-bounces@stunnel.org</a>] On Behalf Of Lynch, Andrew<br></div><div dir="ltr">Sent: Thursday, September 26, 2019 5:56 AM<br></div><div dir="ltr">To: <a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br></div><div dir="ltr">Subject: [stunnel-users] stunnel with OpenSSL engine: reload leaks HSM connections?<br></div><div dir="ltr"><br></div><div dir="ltr">Hi,<br></div><div dir="ltr"><br></div><div dir="ltr">We are using stunnel as a server to terminate incoming TLS connections. The config has around 70 services with certificates whose EC private keys are stored in an HSM and accessed using an OpenSSL engine.<br></div><div dir="ltr"><br></div><div dir="ltr">Over time, after numerous reloads of stunnel (kill -HUP) the HSM reports that its connection table is full. Logging from the engine shows that stunnel is never freeing the keys and therefore the engine is not closing the associated sessions with the HSM. Each stunnel reload opens 70 new sessions until eventually the HSM's configured limit is exceeded.<br></div><div dir="ltr"><br></div><div dir="ltr">This behaviour has been observed on Suse Enterprise Linux 12.3 with the system-provided stunnel-5.00-4.3.4, but I can reproduce it with my own build of the current version 5.55.<br></div><div dir="ltr"><br></div><div dir="ltr">Is this a known issue? 
It appears that other (ephemeral) keys are being freed, just not those associated with the service certificates.<br></div><div dir="ltr"><br></div><div dir="ltr">Currently our workaround is to perform a full restart instead of a reload.<br></div><div dir="ltr">This closes all HSM sessions when the process terminates, but of course it also kills any open client connections so it can only be done during the scheduled maintenance windows.<br></div><div dir="ltr"><br></div><div dir="ltr">Regards,<br></div><div dir="ltr">Andrew.<br></div><div dir="ltr"><br></div><div dir="ltr">_______________________________________________<br></div><div dir="ltr">stunnel-users mailing list<br></div><div dir="ltr"><a href="mailto:stunnel-users@stunnel.org" rel="nofollow" target="_blank">stunnel-users@stunnel.org</a><br></div><div dir="ltr"><a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" rel="nofollow" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br></div><div dir="ltr"><br></div><div dir="ltr">End of stunnel-users Digest, Vol 182, Issue 14<br></div></div>
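<div dir="ltr">An added example, not from the thread, stunnel or any engine: it scans engine log lines for session open/close events around each reload, counts the sessions an old configuration left open, and estimates which reload will exhaust the HSM's connection table. The log format, the svc01/svc02 key names and the session-limit figure in the usage note are assumptions constructed for the example.</div>

```python
import re
from dataclasses import dataclass, field
# Constructed sample in a hypothetical engine log format (not stunnel's or any real engine's):
#   <time> stunnel[<pid>] engine: session opened id=<n> key=<name> | ... session closed id=<n> | ... reload
SAMPLE_LOG = """\
05:50:00 stunnel[4120] engine: session opened id=1 key=svc01
05:50:00 stunnel[4120] engine: session opened id=2 key=svc02
05:50:00 stunnel[4120] engine: session opened id=3 key=ephemeral
05:50:01 stunnel[4120] engine: session closed id=3
05:56:00 stunnel[4120] reload
05:56:00 stunnel[4120] engine: session opened id=4 key=svc01
05:56:00 stunnel[4120] engine: session opened id=5 key=svc02
06:02:00 stunnel[4120] reload
06:02:00 stunnel[4120] engine: session opened id=6 key=svc01
06:02:00 stunnel[4120] engine: session opened id=7 key=svc02
"""
OPENED = re.compile(r"session opened id=(\d+) key=(\S+)$")
CLOSED = re.compile(r"session closed id=(\d+)$")
RELOAD = re.compile(r"\] reload$")

@dataclass
class Report:
    reloads: int = 0
    live: dict = field(default_factory=dict)  # session id -> key name, still open
    stale: set = field(default_factory=set)   # ids opened under a config that was later reloaded away

    @property
    def leaked(self) -> int:  # still-open sessions of an earlier config: the symptom in the thread
        return len(self.stale & set(self.live))

    @property
    def per_config(self) -> int:  # sessions the current config legitimately holds
        return len(set(self.live) - self.stale)

def analyse(log: str) -> Report:
    rep = Report()
    for line in log.splitlines():
        if m := OPENED.search(line):
            rep.live[int(m.group(1))] = m.group(2)
        elif m := CLOSED.search(line):
            rep.live.pop(int(m.group(1)), None)  # properly released, e.g. an ephemeral key
        elif RELOAD.search(line):
            rep.reloads += 1
            rep.stale.update(rep.live)  # everything open at reload time belongs to the old config
    return rep

def reloads_until_full(limit: int, per_config: int, leaked_per_reload: int) -> "int | None":
    # Number of the first reload whose new sessions no longer fit in the HSM table (None: never fills).
    if leaked_per_reload <= 0:
        return None
    return (limit - per_config) // leaked_per_reload + 1
```

With the thread's 70 services and an assumed 1000-session table, reloads_until_full(1000, 70, 70) returns 14, the reload at which the table overflows if nothing is freed.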
</div>
</div></body></html>