February 2013 - stunnel-users

Stunnel 4 failing to connect to gmail
by Asif Iqbal 11 Dec '20

11 Dec '20

I am faling to connect to gmail. Not sure what that bind error means. iqbala@ghar:~$ sudo stunnel4 2008.12.15 13:53:17 LOG7[3839:3083650736]: Snagged 64 random bytes from /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: Wrote 1024 new random bytes to /home/iqbala/.rnd 2008.12.15 13:53:17 LOG7[3839:3083650736]: RAND_status claims sufficient entropy for the PRNG 2008.12.15 13:53:17 LOG7[3839:3083650736]: PRNG seeded successfully 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Certificate loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: Key file: /etc/stunnel/stunnel.pem 2008.12.15 13:53:17 LOG7[3839:3083650736]: Private key loaded 2008.12.15 13:53:17 LOG7[3839:3083650736]: SSL context initialized for service ssmtp 2008.12.15 13:53:17 LOG5[3839:3083650736]: stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007 2008.12.15 13:53:17 LOG5[3839:3083650736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP 2008.12.15 13:53:17 LOG6[3839:3083650736]: file ulimit = 1024 (can be changed with 'ulimit -n') 2008.12.15 13:53:17 LOG6[3839:3083650736]: poll() used - no FD_SETSIZE limit for file descriptors 2008.12.15 13:53:17 LOG5[3839:3083650736]: 500 clients allowed 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 10 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 11 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: FD 12 in non-blocking mode 2008.12.15 13:53:17 LOG7[3839:3083650736]: SO_REUSEADDR option set on accept socket 2008.12.15 13:53:17 LOG3[3839:3083650736]: Error binding ssmtp to 74.125.93.111:587 2008.12.15 13:53:17 LOG3[3839:3083650736]: bind: Cannot assign requested address (99) Here is how my conf file looks like iqbala@ghar:~$ cat /etc/stunnel/stunnel.conf | egrep -v "^;|^$" cert = /etc/stunnel/stunnel.pem foreground = yes sslVersion = SSLv3 chroot = /var/lib/stunnel4/ setuid = stunnel4 setgid = stunnel4 pid = /stunnel4.pid socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 debug = 7 output = /var/log/stunnel4/stunnel.log client = yes [ssmtp] accept = smtp.gmail.com:587 connect = 25 Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

5 9

stunnel and hosts.allow
by Yousef Alhashemi 06 Jul '16

06 Jul '16

Hi, This may be a little bit off-topic, but does anyone here use stunnel with pan? My connections to stunnel (in pan) are always refused by libwrap. I was looking for the right rule to add to /etc/hosts.allow but nothing seems to work aside from "ALL : ALL" (which is obviously not good) and "nntps: KNOWN". Is the latter reasonable? The hosts_access(5) manpage is confusing to say the least. It mentions that daemon (the first token on any line) is the name of the daemon running the process, which would be "stunnel" in my case, but using "stunnel : LOCAL" or even "stunnel : ALL" doesn't work. The rule that seems to work, as mentioned, is "nntps : KNOWN" ("nntps" being the group name in stunnel.conf). What's even more confusing to me is that "nntps : LOCAL" does not work either. Nor does "nntps : localhost 127.0.0.1", "nntps : localhost", "nntps : 127.0.0.1", or "nntps : 192.168.1.". Pan is running on the same machine as stunnel so all connections must be coming from localhost. Why do these rules not trigger? Either way, I'd like to know the "least permissive" hosts.allow rule that would allow me to connect to my news provider from pan, and/or whether "nntps : KNOWN" is a safe option. Thanks, Yousef

3 6

Problem with roundrobbin failover mode?
by Matt Wise 02 May '13

02 May '13

I've got dozens of clients connecting with Stunnel to a group of 5 servers. Each system has a config that looks like this: > cert = /etc/stunnel/zookeeper.pem > key = /etc/stunnel/zookeeper.key > CAfile = /etc/stunnel/zookeeper_ca.pem > verify = 2 > delay = yes > sslVersion = TLSv1 > client = yes > setuid = stunnel4 > setgid = stunnel4 > pid = /var/lib/stunnel4/zookeeper.stunnel4.pid > socket = l:TCP_NODELAY=1 > socket = r:TCP_NODELAY=1 > TIMEOUTconnect = 2 > session = 86400 > debug = 5 > [zookeeper] > accept = 127.0.0.1:2182 > failover = rr > connect = prod-zookeeper:2182 > connect = prod-zookeeper-1:2182 > connect = prod-zookeeper-2:2182 > connect = prod-zookeeper-3:2182 > connect = prod-zookeeper-4:2182 > connect = prod-zookeeper-5:2182 Essentially the first host is a load balancer, and the next 5 are the actual zookeeper hosts so that we can bypass the ELB if its giving us fits. Now what we're seeing is that almost every connection ends up on prod-zookeeper-5. Over and over and over again, our hosts pick the same system each time. We're running Stunnel 4.52: > Clients allowed=8000 > stunnel 4.52 on i486-pc-linux-gnu platform > Compiled/running with OpenSSL 0.9.8k 25 Mar 2009 > Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6 Any ideas what might be wrong here? Obviously we want the connections to be *roughly* random across the list of hosts... and if one of the hosts goes down, and the connection fails, we want the stunnel service to try again, and randomly pick a new host. It doesn't really seem to be doing that though. --Matt

3 8

Fw: High memory usage problem.
by mkanet＠yahoo.com 28 Mar '13

28 Mar '13

Jeremy, I know there's an android build of stunnel. Im not trying to be funny, but are you running stunnel on your mobile phone? :) The latest android mobile phones include quadcore CPU's with 2GB's of RAM It would be interesting to see how much of a load a mobile phone can handle with a USB to RJ45 Ethernet interface. Edit: I tried sending this earlier, but it doesn't look like it went through. My apologies in case this is a duplicate. ------------------------ Thanks for taking the time to read this. We're operating on a low spec system that can not be modified at this point. stunnel was introduced at the last minute, without consideration to resource requirements and now consumes enough ram to cause the kernel to issue OOM exceptions. So in short, we are trying to trade increased CPU usage for less memory usage and have tried setting “sessions” to 3600 to reduce memory pressure, but unfortunately it doesn't last. Our current solution is to cron a restart of stunnel on a regular basis, but would prefer to limit number of threads or number of cache entries or something else altogether similarly gentler. Thanks again for your consideration and assistance in this! If there's any specific information I can give, please let me know. Regards, Jeremy

3 7

Broken pipes and TCP resets on parallel requests over stunnel
by Jan Bee 22 Feb '13

22 Feb '13

Hi, I'm running stunnel (ubuntu 4.42-1, confirmed with 4.54 that has been built from source) against a backend I've only limited control over which was running fine for a long time. At some point in the last few days, the clients stopped being able to make *concurrent* HTTP requests (by different threads) over the stunnel. The client applications using the tunnel enounter a 'Connection refused' error. The issue has been isolated to curl requests (instead of the original client application). Running a tcpdump on both, loopback and uplink, showed that every additional request results in an ACK from the stunnel to both the client and the remote side and a few ms later a RST, ACK is sent in the *same* direction (again from the stunnel to both client and remote end). The stunnel log shows an error about a broken pipe whenever these failures occur: Feb 18 11:09:24 x2 stunnel: LOG7[555:139702117717760]: Socket closed on read Feb 18 11:09:24 x2 stunnel: LOG7[555:139702117717760]: Sending SSL write shutdown Feb 18 11:09:24 x2 stunnel: LOG7[555:139702117717760]: SSL alert (write): warning: close notify Feb 18 11:09:24 x2 stunnel: LOG6[555:139702117717760]: SSL_shutdown successfully sent close_notify Feb 18 11:09:24 x2 stunnel: LOG5[555:139702117717760]: Error detected on socket (read) file descriptor: Broken pipe (32) Feb 18 11:09:24 x2 stunnel: LOG5[555:139702117717760]: Connection reset: 1320 bytes sent to SSL, 48625 bytes sent to socket Feb 18 11:09:24 x2 stunnel: LOG7[555:139702117717760]: Service xtunnel finished (4 left) An strace on the stunnel shows: 6425 <... setsockopt resumed> ) = 0 6425 close(18 <unfinished ...> 6465 poll([{fd=15, events=POLLOUT}, {fd=22, events=POLLIN}], 2, 43200000 <unfinished ...> 6425 <... close resumed> ) = 0 6465 <... poll resumed> ) = 2 ([{fd=15, revents=POLLOUT|POLLERR|POLLHUP}, {fd=22, revents=POLLIN}]) 6425 sendto(13, "<31>Feb 18 11:34:35 stunnel: LOG7[6395:140601236756224]: Service xtunnel finished (4 left)", 99, MSG_NOSIGNAL, NULL, 0 <unf inished ...> 6465 getsockopt(15, SOL_SOCKET, SO_ERROR, [32], [4]) = 0 6425 <... sendto resumed> ) = 99 6465 futex(0x7fe045ec3754, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished ...> 6425 futex(0x7fe045ec3754, FUTEX_WAKE_PRIVATE, 1 <unfinished ...> 6465 <... futex resumed> ) = -1 EAGAIN (Resource temporarily unavailable) 6425 <... futex resumed> ) = 0 6465 sendto(13, "<29>Feb 18 11:34:35 stunnel: LOG5[6395:140601236686592]: Error detected on socket (read) file descriptor: Broken pipe (32)", 122, MSG_NOSIGNAL, NULL, 0 <unfinished ...> 6425 write(2, "2013.02.15 11:34:35 LOG7[6395:140601236756224]: Service xtunnel finished (4 left)\n", 91 <unfinished ...> 6465 <... sendto resumed> ) = 122 6425 <... write resumed> ) = 91 6465 futex(0x7fe045ec3754, FUTEX_WAKE_PRIVATE, 1 <unfinished ...> 6425 sendto(13, "<31>Feb 18 11:34:35 stunnel: LOG7[6395:140601236756224]: str_stats: 0 block(s), 0 byte(s)", 89, MSG_NOSIGNAL, NULL, 0 <unfinished ...> 6465 <... futex resumed> ) = 0 6465 write(2, "2013.02.15 11:34:35 LOG5[6395:140601236686592]: Error detected on socket (read) file descriptor: Broken pipe (32)\n", 114 <unfinished ...> $ ps auxww|grep stunnel4 shows: root 28587 0.1 0.0 437844 7780 ? Ss 09:37 0:11 /usr/bin/stunnel4 /etc/xtunnel/stunnel.conf root 29170 0.0 0.0 43876 1180 ? S 09:37 0:00 /usr/bin/stunnel4 /etc/xtunnel/stunnel.conf root 29171 0.0 0.0 43876 1180 ? S 09:37 0:00 /usr/bin/stunnel4 /etc/xtunnel/stunnel.conf root 29172 0.0 0.0 43876 1180 ? S 09:37 0:00 /usr/bin/stunnel4 /etc/xtunnel/stunnel.conf root 29173 0.0 0.0 43876 1180 ? S 09:37 0:00 /usr/bin/stunnel4 /etc/xtunnel/stunnel.conf root 29174 0.0 0.0 43876 1180 ? S 09:37 0:00 /usr/bin/stunnel4 /etc/xtunnel/stunnel.conf The stunnel config looks like this: foreground=yes debug=7 pid=/var/run/xtunnel.pid client=yes CAfile=/etc/ssl/certs/xtunnel-chains.pem verify=3 engine=dynamic engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so engineCtrl=ID:pkcs11 engineCtrl=LIST_ADD:1 engineCtrl=LOAD engineCtrl=MODULE_PATH:libopencryptoki.so.0 engineCtrl=INIT engineCtrl=PIN:XXXXXX [xtunnel] engineNum=1 key=id_4 cert=/etc/xtunnel/client-cert.pem accept=127.0.0.1:9999 connect=192.168.200.1:8443 Does anyone have an idea what could be going wrong here or how to troubleshoot this any further? Thanks! Jan

1 0

Stunnel in pgsql mode, libpq, and SSL session caching..
by Matt Wise 18 Feb '13

18 Feb '13

Is there any level of SSL Session Caching when using Stunnel in pgsql mode, and using libpq-based Postgres clients? If not, I'm wondering what tuning we can do on the Stunnel side to get the best performance if we have alot of clients that connect very fequently to the servers.. --matt

1 0

STUNNEL --- How to chose the AES cipher with TLS v1.2
by Editor 15 Feb '13

15 Feb '13

Hi to all: In reading the FAQ and looking at the sample configuration file, I do not see an example of how to correctly configure the application to use the more current AES-256 or the AES-128 cipher configurations. I do have the current OpenSSL on the host (a Sun SPARC box). The idea is to use this host as a SSL proxy for a number of services. I did see this reference: options = CIPHER_SERVER_PREFERENCE But not how to then set the SSL cipher except as I found on Google. There was this on the MAN page but it seems to fail in my configuration: ciphers = cipherlist Select permitted SSL ciphers. A colon delimited list of the ciphers to allow in the SSL connection. For example DES-CBC3-SHA:IDEA-CBC-MD5 Thanks. Kevin Reference Ciphers supported by OpenSSL: http://www.openssl.org/docs/apps/ciphers.html

2 1

stunnel port question
by Stewart Anderson 13 Feb '13

13 Feb '13

Hi all, ty in advance for any help. I have a service that I can connect to a destination over stunnel, but I am not able to get the ack I expect. Internal sending service => stunnel => external listening service I think the problem may be that the firewall is blocking inbound traffic. I need to specify a specific port for the firewall team to open so that traffic can get back to my stunnel service, since every time stunnel starts it will be making a connection from a different port on the external facing side of the SSL encapsulation service/pipe/whatever you want to call it!! What would be the best way to configure stunnel for that scenario. I can see the INETD mode but that does not seem to be what I am looking for, I can also see the transparent option but not sure what that really does. Any advice appreciated. Regards Stewart Your Hospital needs YOU! We need you to register as a Public, Patient or Staff member and help shape the future of your healthcare. Call 0800 280 2581 to register by phone or you can email bradfordhospitals(a)capitaregistrars.com<mailto:bradfordhospitals@capitaregistrars.com> and ask to be registered as a new member. For more information about our hospitals and Foundation Trust Membership please visit www.bradfordhospitals.nhs.uk<http://www.bradfordhospitals.nhs.uk> This message is confidential. It may also contain privileged information. The contents of this e-mail and any attachments are intended for the named addressee only. Unless you are the named addressee or authorised to receive the e-mail of the named addressee you may not disclose, use or copy the contents of the e-mail. If you are not the person for whom the message was intended, please notify the sender immediately at Bradford Teaching Hospitals NHS Foundation Trust and delete the material from your computer. You must not use the message for any other purpose, nor disclose its contents to any person other than the intended recipient. Bradford Teaching Hospitals NHS Foundation Trust does not accept responsibility for this message and any views or opinions contained in this e-mail are solely those of the author unless expressly stated otherwise.

1 0

Stunnel over a separate proxy?
by Alex Gottschalk 12 Feb '13

12 Feb '13

I've successfully deployed stunnel4 to wrap rsync for transferring data between remote sites and a central repository. The issue I'm running into, is that some of these sites mandate use of a proxy (HTTP or SOCKS5 usually) for outbound network connections. It seems like there is some proxy support in stunnel with the protocol{Host,Authentication,etc} configuration options, but I have had zero luck getting them to work. For example, I've tried making a simple SOCKS5 proxy using ssh, that I'm successfully able to send HTTP traffic over: ssh -g -D1080 proxy-host # create the proxy, open port 1080 on a public interface then in the client stunnel.conf: [rsync] protocol = connect protocolHost = proxy-host:1080 accept = 127.0.0.1:873 connect = rsync-destination:443 Keep in mind this is an already-working stunnel - the only difference is the addition of the protocol and protocolHost lines above. When I run stunnel in the foreground with that configuration change, I get the following error trying to run rsync: $ rsync -v dev.inst.kvpdata rsync://localhost/putdata/ rsync: read error: Connection reset by peer (104) rsync error: error in rsync protocol data stream (code 12) at io.c(605) [sender=2.6.9] And no log messages appear in stunnel's stderr whatsoever. What am I doing wrong? I get identical results using an HTTP proxy with squid, instead of the socks5 proxy. Thanks, please let me know if there's any more information I should include to help with figuring this out. Alex Gottschalk

3 4

transfer() loop executes not transferring any data and truncated data when using unix sockets
by Stephen Balukoff 08 Feb '13

08 Feb '13

Hello! Recently we started seeing some erroneous behavior in one of our load balancer configurations in which we're using stunnel for SSL tunnel termination with web clients. Specifically, the setup looks like the following: Web client ---(SSL)---> stunnel ---(unix socket)--> haproxy ---(tcp/http)---> web server After extensive troubleshooting we were able to determine that when the following parameters are present: * Client forces non-keepalive connection * Client generates a POST request, the response to which (generated by the back-end web server) is greater than about 8k * stunnel and haproxy communicate via unix socket ...then most responses end up being truncated by an extraneous TCP RST packet from stunnel, and the following log lines are generated: Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: transfer() loop executes not transferring any data Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: please report the problem to Michal.Trojnara(a)mirt.net Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: stunnel 4.54 on x86_64-unknown-linux-gnu platform Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010 Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6 Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: protocol=TLSv1, SSL_pending=0 Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: sock_open_rd=n, sock_open_wr=Y Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: SSL_RECEIVED_SHUTDOWN=n, SSL_SENT_SHUTDOWN=Y Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: sock_can_rd=Y, sock_can_wr=n Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: ssl_can_rd=n, ssl_can_wr=n Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: read_wants_read=Y, read_wants_write=n Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: write_wants_read=n, write_wants_write=n Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: shutdown_wants_read=n, shutdown_wants_write=n Jan 23 15:24:17 ds420a stunnel: LOG3[22586:139835614443264]: socket input buffer: 0 byte(s), ssl input buffer: 0 byte(s) The work arounds we have found are either: 1. Make stunnel and haproxy communicate over a TCP socket bound to the loopback interface (less ideal, as then we're limited to 65k connections) 2. Add the "reset=no" parameter to our stunnel.conf (which seems to fix the problem, but makes me wonder if we're not opening ourselves up to other problems-- like really getting stuck in an infinite loop that that watchdog is intended to avoid.) In any case based on what "reset=no" is supposed to do as well as where that first line of the error output above is being generated in the code, it's clear that the main client data transfer loop in client.c (starting line 519) is being called too often with no data to transfer, which triggers the infinite loop detection in the transfer() function (client.c, starting line 832). My best hypothesis at this point is that the transfer() code was written only with TCP sockets in mind, and that something about the unix socket in use here is triggering that loop too often. Maybe s_poll_wait on line 541 is being called with parameters which are right for a TCP socket but inappropriate for a unix socket? At this point though, we're at the limit of my socket programming ability, so I'm a little stuck. (Would like to have simply fixed this and submitted a patch... but cest la vie, eh.) We'd like to avoid using a TCP socket to communicate between stunnel and haproxy simply because it's a little less efficient, and because there's an artificial 65k limit on the number of back-end connections we can support per loopback IP if we do that. Alternatively, if someone could verify that "reset=no" is an acceptable / safe work around in this case, I'd appreciate that (though, of course, I'd prefer my logs not to get spammed on every connection. :P ) Is there any other data I can provide to help troubleshoot and fix this? Thanks, Stephen -- Stephen Balukoff Blue Box Group, LLC (800)613-4305 x807

3 3