April 2011 - stunnel-users

Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/accept initialization
by Jack Liu 28 Apr '11

28 Apr '11

Thx for continuing reply my msg, Yes, there is var/log/messages Inside there only has some iptables log, FTP, SMTP application log and nothing else. I am positive that this problem is not cause by iptables, becuase I tried with iptables off. Nothing else related to stunnel is found in that folder. Any other suggestions? Mr. Jack > From: sunyucong(a)gmail.com > Date: Mon, 25 Apr 2011 20:00:30 -0700 > Subject: Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/accept initialization > To: jackliu92(a)hotmail.com > CC: stunnel-users(a)stunnel.org > > I guess in centos that's /var/log/messages > but in general, you should probably check everything in /var/log to make sure. > > On Mon, Apr 25, 2011 at 5:38 PM, Jack Liu <jackliu92(a)hotmail.com> wrote: > > Thank you for helping, but both logs r not presented in my var/log/ dir. Any > > other suggestions? > > > > > > Mr. Jack > > > > > > > > > > > >> From: sunyucong(a)gmail.com > >> Date: Mon, 25 Apr 2011 16:25:20 -0700 > >> Subject: Re: [stunnel-users] Stunnel stuck at SSL state (accept): > >> before/accept initialization > >> To: jackliu92(a)hotmail.com > >> CC: stunnel-users(a)stunnel.org > >> > >> Are you sure that's entire log? check /var/log/daemons.log and > >> syslog.log as well. > >> > >> On Sun, Apr 24, 2011 at 1:30 AM, Jack Liu <jackliu92(a)hotmail.com> wrote: > >> > It anyone knows how to fix Stunnel stuck at SSL state (accept): > >> > before/accept initialization??? > >> > > >> > Here is the log: > >> > > >> > ----------------------------------------------------------------------------------------------------------- > >> > [root@vps1 ~]#stunnel /etc/stunnel/stunnel.conf > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Snagged 64 random bytes from > >> > /root/.rnd > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Wrote 1024 new random bytes > >> > to > >> > /root/.rnd > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: RAND_status claims > >> > sufficient > >> > entropy for the PRNG > >> > 2011.04.24 02:25:13 LOG6[32174:3085993680]: PRNG seeded successfully > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Certificate: > >> > /etc/stunnel/stunnel.pem > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Key file: > >> > /etc/stunnel/stunnel.pem > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Verify directory set to > >> > /etc/stunnel/CA > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: CRL directory set to > >> > /etc/stunnel/CRL > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: SSL context initialized for > >> > service 3proxy > >> > 2011.04.24 02:25:13 LOG5[32174:3085993680]: stunnel 4.15 on > >> > i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 > >> > 2011.04.24 02:25:13 LOG5[32174:3085993680]: Threading:PTHREAD SSL:ENGINE > >> > Sockets:POLL,IPv6 Auth:LIBWRAP > >> > 2011.04.24 02:25:13 LOG6[32174:3085993680]: file ulimit = 1024 (can be > >> > changed with 'ulimit -n') > >> > 2011.04.24 02:25:13 LOG6[32174:3085993680]: poll() used - no FD_SETSIZE > >> > limit for file descriptors > >> > 2011.04.24 02:25:13 LOG5[32174:3085993680]: 500 clients allowed > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 3 in non-blocking mode > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 4 in non-blocking mode > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 5 in non-blocking mode > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: SO_REUSEADDR option set on > >> > accept socket > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: 3proxy bound to > >> > 0.0.0.0:30001 > >> > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Created pid file > >> > /var/run/stunnel.pid > >> > 2011.04.24 02:25:20 LOG7[32174:3085993680]: 3proxy accepted FD=6 from > >> > xx.xxx.xxx.xx:41165 > >> > 2011.04.24 02:25:20 LOG7[32174:3085990800]: 3proxy started > >> > 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 6 in non-blocking mode > >> > 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 7 in non-blocking mode > >> > 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 8 in non-blocking mode > >> > 2011.04.24 02:25:20 LOG7[32174:3085993680]: Cleaning up the signal pipe > >> > 2011.04.24 02:25:20 LOG6[32174:3085993680]: Child process 32176 finished > >> > with code 0 > >> > 2011.04.24 02:25:20 LOG7[32174:3085990800]: Connection from > >> > xx.xxx.xxx.xx:41165 permitted by libwrap > >> > 2011.04.24 02:25:20 LOG5[32174:3085990800]: 3proxy connected from > >> > xx.xxx.xxx.xx:41165 > >> > 2011.04.24 02:25:20 LOG7[32174:3085990800]: SSL state (accept): > >> > before/accept initialization <-----------------------Stuck here > >> > forever!!! > >> > 2011.04.24 02:25:22 LOG3[32174:3085990800]: SSL_accept: Peer suddenly > >> > disconnected > >> > 2011.04.24 02:25:22 LOG5[32174:3085990800]: Connection reset: 0 bytes > >> > sent > >> > to SSL, 0 bytes sent to socket > >> > 2011.04.24 02:25:22 LOG7[32174:3085990800]: 3proxy finished (0 left) > >> > 2011.04.24 02:25:25 LOG3[32174:3085993680]: Received signal 2; > >> > terminating > >> > 2011.04.24 02:25:25 LOG7[32174:3085993680]: removing pid file > >> > /var/run/stunnel.pid > >> > [root@vps1 ~]# > >> > > >> > ----------------------------------------------------------------------------------------------------------- > >> > stunnel.conf: > >> > cert = /etc/stunnel/stunnel.pem > >> > key = /etc/stunnel/stunnel.pem > >> > CApath = /etc/stunnel/CA > >> > CRLpath = /etc/stunnel/CRL > >> > debug = 7 > >> > foreground = yes > >> > verify = 1 > >> > # > >> > [3proxy] > >> > accept = 30001 > >> > connect = 127.0.0.1:33135 > >> > > >> > ----------------------------------------------------------------------------------------------------------- > >> > > >> > I am hosting with CentOS 5.5, and installed Stunnel via yum. > >> > Planning to use it with 3Proxy. However I experience the problem above, > >> > can > >> > someone please help with that? > >> > Thank you very much! > >> > > >> > > >> > > >> > Mr. Jack > >> > > >> > _______________________________________________ > >> > stunnel-users mailing list > >> > stunnel-users(a)stunnel.org > >> > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > >> > > >> > > >

3 6

Patch to enhance verify=3 with SHA-1 check
by Philipp Hartwig 27 Apr '11

27 Apr '11

As indicated in a previous mail to this list I was surprised by the following behavior: With "verify=3" stunnel doesn't compare the peer's certificate with the locally installed certificate for actual equality but it only checks whether they have the same subject. The recent Comodo incident[1] has shown that it is not impossible to get a certificate which matches the subject of the certificate of some interesting server and is signed by a trusted CA. That's why I was interested in a stricter form of verification (at least in client mode). I have attached a small patch, derived from code in the file "mutt_ssl.c" of the Mutt[2] mail client, which adds a check for equality of SHA-1 hashes to the "verify=3" certificate check. I mainly wrote it for personal use but maybe someone else will find it useful or has some comments. Regards, Philipp [1] http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow… [2] http://www.mutt.org/

1 0

Re: [stunnel-users] Réf. : Re: Need some informations about stunnel (AC,?crl?files)
by Ludolf Holzheid 27 Apr '11

27 Apr '11

On Wed, 2011-04-27 13:06:43 +0200, laurent.uk(a)bnpparibas.com wrote: > Dear ludolf thanks you for your response. > > So if i use verify = 3, the crl files is useless. > > I went to the url http://crl.verisign.com , and there were a lot of files. > > what are the files corresponding of the crl list please? Those with the ".crl" extension, I suppose ;-) You'll need to look for the CRLs matching the certificates you want to use. Note, there may be CRLs for intermediate certificates too. At least (the randomly selected) Class3SoftwarePublishers.crl seems to be in DES format, you might have to convert it to PEM for use with stunnel. Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid(a)bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------

1 0

Re: [stunnel-users] Need some informations about stunnel (AC, crl files)
by Ludolf Holzheid 27 Apr '11

27 Apr '11

On Wed, 2011-04-27 10:47:42 +0200, laurent.uk(a)bnpparibas.com wrote: > Hi all, > > I need some informations about stunnel. > > First, when the client's software use a certificate signed by a CA like > veriSign. Did we need to add the certificates of this CA? or it is not > neccessary because it is a knowned CA. If you are using verify=3, stunnel checks client certificates against the set of certificates in CApath or CAfile, not against CAs and CRLs. In order to have stunnel check the certificate chain of client certificates, you'll have to use verify=2. For that, stunnel needs access to the CA's root certificate and the intermediate certificates (i.e. they have to be locally installed to CApath/CAfile). > Secondally, i need to download and update the crl files, and also (if it's > possible) the certificates of knowed CA. How can i do that in my AIX's > machine please? This depends on the way the CA publishes its certificates and CRLs. For VeriSign, my first idea is to use wget to download them from http://crl.verisign.com. There may be better ways, though. And I don't know AIX. Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid(a)bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------

1 0

Re: [stunnel-users] need help for the error VERIFY ERROR ONLY MY: no cert fo (verify = 3)
by Ludolf Holzheid 26 Apr '11

26 Apr '11

On Tue, 2011-04-26 17:00:06 +0200, laurent.uk(a)bnpparibas.com wrote: > Hi, > > I tried to configure my STUNNEL server, with my client's software test but > i always have the the following error : > > 2011.04.26 14:23:09 LOG4[1683500:258]: VERIFY ERROR ONLY MY: no cert for > /C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts > > [..] > > I tried to extract the public certificate from the crl-3skey-ebics-ts and > add it in the keystore and in the folder /usr/local/ssl/certs/trusted/ > > [..] > > verify = 3 > ; Don't forget to c_rehash CApath > ; CApath is located inside chroot jail > ;CApath = /opt/freeware/etc/stunnel/ > ; It's often easier to use CAfile > CAfile = /opt/freeware/etc/stunnel/ca.pem > ; Don't forget to c_rehash CRLpath Laurent, If you specify a CAfile in 'verify=3' mode, you need to add the client's certificates to this file. You could also store the client's certificates in PEM format files (one file per certificate) in a directory stunnel can reach at connection time. You have to specify the name of this directory as CApath then (in contrast to CAfile), and you'll have to run c_rehash on this directory. Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid(a)bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------

1 0

Temporary failure in name resolution
by Phil Wieland 26 Apr '11

26 Apr '11

I think I've done something stupid but I can't work out what. I'm running stunnel4 version 4.29 on an Ubuntu server box, using it to tunnel smtp connections to my ISP's mail server. Everything works perfectly until I reboot the server, when it stops working. In syslog, I get: Apr 24 15:56:11 friedbread stunnel: LOG5[1101:3074997104]: ssmtp accepted connection from 127.0.0.1:50681 Apr 24 15:56:11 friedbread stunnel: LOG3[1101:3074997104]: Error resolving 'smtp.blueyonder.co.uk': Temporary failure in name resolution (EAI_AGAIN) Apr 24 15:56:11 friedbread stunnel: LOG3[1101:3074997104]: No host resolved Apr 24 15:56:11 friedbread stunnel: LOG5[1101:3074997104]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket every time I attempt to send mail. I can ping smtp.blueyonder.co.uk no problem. The problem persists until I restart stunnel4, after which it works perfectly for weeks on end. Looking at syslog for boot time, it looks like stunnel tries to resolve smtp.blueyonder.co.uk as soon as it starts, but dhcp hasn't finished at this time so it fails. It seems to cache something from the failure and not try again? Even though the error is "Temporary". All advice gratefully received. Phil Wieland Liverpool, UK. ###@friedbread:~$ stunnel4 -version stunnel 4.29 on i486-pc-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = 5 pid = /var/run/stunnel4.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /etc/stunnel/stunnel.pem ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH key = /etc/stunnel/stunnel.pem session = 300 seconds stack = 65536 bytes sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none ###@friedbread:~$ cat /etc/stunnel/stunnel.conf ; Sample stunnel configuration file by Michal Trojnara 2002-2009 ; Some options used here may not be adequate for your particular configuration ; Please make sure you understand them (especially the effect of the chroot jail) ; Certificate/key is needed in server mode and optional in client mode cert = /etc/ssl/certs/stunnel.pem ;key = /etc/ssl/certs/stunnel.pem ; Protocol version (all, SSLv2, SSLv3, TLSv1) sslVersion = SSLv3 ; Some security enhancements for UNIX systems - comment them out on Win32 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 ; PID is created inside the chroot jail pid = /stunnel4.pid ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 ;compression = zlib ; Workaround for Eudora bug ;options = DONT_INSERT_EMPTY_FRAGMENTS ; Authentication stuff ;verify = 2 ; Don't forget to c_rehash CApath ; CApath is located inside chroot jail ;CApath = /certs ; It's often easier to use CAfile ;CAfile = /etc/stunnel/certs.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile ;CRLfile = /etc/stunnel/crls.pem ; Some debugging stuff useful for troubleshooting ;debug = 7 ;output = /var/log/stunnel4/stunnel.log ; Use it for client mode client = yes ; Service-level configuration ;[pop3s] ;accept = 995 ;connect = 110 ;[imaps] ;accept = 993 ;connect = 143 [ssmtp] accept = 55899 connect = smtp.blueyonder.co.uk:465 ;[https] ;accept = 443 ;connect = 80 ;TIMEOUTclose = 0 ; vim:ft=dosini ###@friedbread:~$

3 2

Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/accept initialization
by Jack Liu 26 Apr '11

26 Apr '11

Thank you for helping, but both logs r not presented in my var/log/ dir. Any other suggestions? Mr. Jack > From: sunyucong(a)gmail.com > Date: Mon, 25 Apr 2011 16:25:20 -0700 > Subject: Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/accept initialization > To: jackliu92(a)hotmail.com > CC: stunnel-users(a)stunnel.org > > Are you sure that's entire log? check /var/log/daemons.log and > syslog.log as well. > > On Sun, Apr 24, 2011 at 1:30 AM, Jack Liu <jackliu92(a)hotmail.com> wrote: > > It anyone knows how to fix Stunnel stuck at SSL state (accept): > > before/accept initialization??? > > > > Here is the log: > > ----------------------------------------------------------------------------------------------------------- > > [root@vps1 ~]#stunnel /etc/stunnel/stunnel.conf > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Snagged 64 random bytes from > > /root/.rnd > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Wrote 1024 new random bytes to > > /root/.rnd > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: RAND_status claims sufficient > > entropy for the PRNG > > 2011.04.24 02:25:13 LOG6[32174:3085993680]: PRNG seeded successfully > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Certificate: > > /etc/stunnel/stunnel.pem > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Key file: > > /etc/stunnel/stunnel.pem > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Verify directory set to > > /etc/stunnel/CA > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: CRL directory set to > > /etc/stunnel/CRL > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: SSL context initialized for > > service 3proxy > > 2011.04.24 02:25:13 LOG5[32174:3085993680]: stunnel 4.15 on > > i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 > > 2011.04.24 02:25:13 LOG5[32174:3085993680]: Threading:PTHREAD SSL:ENGINE > > Sockets:POLL,IPv6 Auth:LIBWRAP > > 2011.04.24 02:25:13 LOG6[32174:3085993680]: file ulimit = 1024 (can be > > changed with 'ulimit -n') > > 2011.04.24 02:25:13 LOG6[32174:3085993680]: poll() used - no FD_SETSIZE > > limit for file descriptors > > 2011.04.24 02:25:13 LOG5[32174:3085993680]: 500 clients allowed > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 3 in non-blocking mode > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 4 in non-blocking mode > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 5 in non-blocking mode > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: SO_REUSEADDR option set on > > accept socket > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: 3proxy bound to 0.0.0.0:30001 > > 2011.04.24 02:25:13 LOG7[32174:3085993680]: Created pid file > > /var/run/stunnel.pid > > 2011.04.24 02:25:20 LOG7[32174:3085993680]: 3proxy accepted FD=6 from > > xx.xxx.xxx.xx:41165 > > 2011.04.24 02:25:20 LOG7[32174:3085990800]: 3proxy started > > 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 6 in non-blocking mode > > 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 7 in non-blocking mode > > 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 8 in non-blocking mode > > 2011.04.24 02:25:20 LOG7[32174:3085993680]: Cleaning up the signal pipe > > 2011.04.24 02:25:20 LOG6[32174:3085993680]: Child process 32176 finished > > with code 0 > > 2011.04.24 02:25:20 LOG7[32174:3085990800]: Connection from > > xx.xxx.xxx.xx:41165 permitted by libwrap > > 2011.04.24 02:25:20 LOG5[32174:3085990800]: 3proxy connected from > > xx.xxx.xxx.xx:41165 > > 2011.04.24 02:25:20 LOG7[32174:3085990800]: SSL state (accept): > > before/accept initialization <-----------------------Stuck here > > forever!!! > > 2011.04.24 02:25:22 LOG3[32174:3085990800]: SSL_accept: Peer suddenly > > disconnected > > 2011.04.24 02:25:22 LOG5[32174:3085990800]: Connection reset: 0 bytes sent > > to SSL, 0 bytes sent to socket > > 2011.04.24 02:25:22 LOG7[32174:3085990800]: 3proxy finished (0 left) > > 2011.04.24 02:25:25 LOG3[32174:3085993680]: Received signal 2; terminating > > 2011.04.24 02:25:25 LOG7[32174:3085993680]: removing pid file > > /var/run/stunnel.pid > > [root@vps1 ~]# > > ----------------------------------------------------------------------------------------------------------- > > stunnel.conf: > > cert = /etc/stunnel/stunnel.pem > > key = /etc/stunnel/stunnel.pem > > CApath = /etc/stunnel/CA > > CRLpath = /etc/stunnel/CRL > > debug = 7 > > foreground = yes > > verify = 1 > > # > > [3proxy] > > accept = 30001 > > connect = 127.0.0.1:33135 > > ----------------------------------------------------------------------------------------------------------- > > > > I am hosting with CentOS 5.5, and installed Stunnel via yum. > > Planning to use it with 3Proxy. However I experience the problem above, can > > someone please help with that? > > Thank you very much! > > > > > > > > Mr. Jack > > > > _______________________________________________ > > stunnel-users mailing list > > stunnel-users(a)stunnel.org > > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > > > >

1 0

Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization
by Jack Liu 25 Apr '11

25 Apr '11

I installed the 4.35 one into my CentOS, it seems like the same problem still exist. Is there anything I can do to fix it? Mr. Jack Date: Sun, 24 Apr 2011 19:09:35 -0700 From: josealf(a)rocketmail.com Subject: Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization To: jackliu92(a)hotmail.com Hi Mr Jack, RPMS attached. Let me know if you need further help. Regards, Jose From: Jack Liu <jackliu92(a)hotmail.com> To: josealf(a)rocketmail.com; stunnel-users(a)stunnel.org Sent: Sun, April 24, 2011 1:08:44 PM Subject: RE: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization Yes sure, please provide the binary. Thank you very much! One additional information, running socket5 on 3Proxy. Mr. Jack > Subject: Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization > To: jackliu92(a)hotmail.com; stunnel-users(a)stunnel.org > From: josealf(a)rocketmail.com > Date: Sun, 24 Apr 2011 11:49:05 +0000 > > If you ruled out a configuration error, You should try with a more recent version of stunnel. You can recompile the SRPM (4.29) from redhat 6 (or scientific linux 6) and it works fine under CentOS 5. I can provide binaries if needed. > > -----Original Message----- > From: Jack Liu <jackliu92(a)hotmail.com> > Sender: stunnel-users-bounces(a)stunnel.org > Date: Sun, 24 Apr 2011 02:30:24 > To: <stunnel-users(a)stunnel.org> > Subject: [stunnel-users] Stunnel stuck at SSL state (accept): before/accept > initialization > > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)stunnel.org > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > > >

1 0

Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization
by Jack Liu 25 Apr '11

25 Apr '11

Thank you! Mr. Jack Date: Sun, 24 Apr 2011 19:09:35 -0700 From: josealf(a)rocketmail.com Subject: Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization To: jackliu92(a)hotmail.com Hi Mr Jack, RPMS attached. Let me know if you need further help. Regards, Jose From: Jack Liu <jackliu92(a)hotmail.com> To: josealf(a)rocketmail.com; stunnel-users(a)stunnel.org Sent: Sun, April 24, 2011 1:08:44 PM Subject: RE: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization Yes sure, please provide the binary. Thank you very much! One additional information, running socket5 on 3Proxy. Mr. Jack > Subject: Re: [stunnel-users] Stunnel stuck at SSL state (accept): before/acceptinitialization > To: jackliu92(a)hotmail.com; stunnel-users(a)stunnel.org > From: josealf(a)rocketmail.com > Date: Sun, 24 Apr 2011 11:49:05 +0000 > > If you ruled out a configuration error, You should try with a more recent version of stunnel. You can recompile the SRPM (4.29) from redhat 6 (or scientific linux 6) and it works fine under CentOS 5. I can provide binaries if needed. > > -----Original Message----- > From: Jack Liu <jackliu92(a)hotmail.com> > Sender: stunnel-users-bounces(a)stunnel.org > Date: Sun, 24 Apr 2011 02:30:24 > To: <stunnel-users(a)stunnel.org> > Subject: [stunnel-users] Stunnel stuck at SSL state (accept): before/accept > initialization > > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)stunnel.org > http://stunnel.mirt.net/mailman/listinfo/stunnel-users > > >

1 0

Stunnel stuck at SSL state (accept): before/accept initialization
by Jack Liu 25 Apr '11

25 Apr '11

It anyone knows how to fix Stunnel stuck at SSL state (accept): before/accept initialization??? Here is the log: ----------------------------------------------------------------------------------------------------------- [root@vps1 ~]#stunnel /etc/stunnel/stunnel.conf 2011.04.24 02:25:13 LOG7[32174:3085993680]: Snagged 64 random bytes from /root/.rnd 2011.04.24 02:25:13 LOG7[32174:3085993680]: Wrote 1024 new random bytes to /root/.rnd 2011.04.24 02:25:13 LOG7[32174:3085993680]: RAND_status claims sufficient entropy for the PRNG 2011.04.24 02:25:13 LOG6[32174:3085993680]: PRNG seeded successfully 2011.04.24 02:25:13 LOG7[32174:3085993680]: Certificate: /etc/stunnel/stunnel.pem 2011.04.24 02:25:13 LOG7[32174:3085993680]: Key file: /etc/stunnel/stunnel.pem 2011.04.24 02:25:13 LOG7[32174:3085993680]: Verify directory set to /etc/stunnel/CA 2011.04.24 02:25:13 LOG7[32174:3085993680]: CRL directory set to /etc/stunnel/CRL 2011.04.24 02:25:13 LOG7[32174:3085993680]: SSL context initialized for service 3proxy 2011.04.24 02:25:13 LOG5[32174:3085993680]: stunnel 4.15 on i686-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 2011.04.24 02:25:13 LOG5[32174:3085993680]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2011.04.24 02:25:13 LOG6[32174:3085993680]: file ulimit = 1024 (can be changed with 'ulimit -n') 2011.04.24 02:25:13 LOG6[32174:3085993680]: poll() used - no FD_SETSIZE limit for file descriptors 2011.04.24 02:25:13 LOG5[32174:3085993680]: 500 clients allowed 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 3 in non-blocking mode 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 4 in non-blocking mode 2011.04.24 02:25:13 LOG7[32174:3085993680]: FD 5 in non-blocking mode 2011.04.24 02:25:13 LOG7[32174:3085993680]: SO_REUSEADDR option set on accept socket 2011.04.24 02:25:13 LOG7[32174:3085993680]: 3proxy bound to 0.0.0.0:30001 2011.04.24 02:25:13 LOG7[32174:3085993680]: Created pid file /var/run/stunnel.pid 2011.04.24 02:25:20 LOG7[32174:3085993680]: 3proxy accepted FD=6 from xx.xxx.xxx.xx:41165 2011.04.24 02:25:20 LOG7[32174:3085990800]: 3proxy started 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 6 in non-blocking mode 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 7 in non-blocking mode 2011.04.24 02:25:20 LOG7[32174:3085990800]: FD 8 in non-blocking mode 2011.04.24 02:25:20 LOG7[32174:3085993680]: Cleaning up the signal pipe 2011.04.24 02:25:20 LOG6[32174:3085993680]: Child process 32176 finished with code 0 2011.04.24 02:25:20 LOG7[32174:3085990800]: Connection from xx.xxx.xxx.xx:41165 permitted by libwrap 2011.04.24 02:25:20 LOG5[32174:3085990800]: 3proxy connected from xx.xxx.xxx.xx:41165 2011.04.24 02:25:20 LOG7[32174:3085990800]: SSL state (accept): before/accept initialization <-----------------------Stuck here forever!!! 2011.04.24 02:25:22 LOG3[32174:3085990800]: SSL_accept: Peer suddenly disconnected 2011.04.24 02:25:22 LOG5[32174:3085990800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2011.04.24 02:25:22 LOG7[32174:3085990800]: 3proxy finished (0 left) 2011.04.24 02:25:25 LOG3[32174:3085993680]: Received signal 2; terminating 2011.04.24 02:25:25 LOG7[32174:3085993680]: removing pid file /var/run/stunnel.pid [root@vps1 ~]# ----------------------------------------------------------------------------------------------------------- stunnel.conf: cert = /etc/stunnel/stunnel.pem key = /etc/stunnel/stunnel.pem CApath = /etc/stunnel/CA CRLpath = /etc/stunnel/CRL debug = 7 foreground = yes verify = 1 # [3proxy] accept = 30001 connect = 127.0.0.1:33135 ----------------------------------------------------------------------------------------------------------- I am hosting with CentOS 5.5, and installed Stunnel via yum. Planning to use it with 3Proxy. However I experience the problem above, can someone please help with that? Thank you very much! Mr. Jack

3 3