Hello,
I'm new to the list so I'm sorry if this isn't the right place to report
this.
I had a server stop responding to stunnel connections sometime yesterday
and the resolution was ultimately to reboot the server and everything
was okay. Restarting the stunnel service was not enough to get things
working again.
I isolated the problem to stunnel by checking that the underlying
service (a Java web application) would respond from the localhost
machine (it did) but an openssl s_client connection to
localhost:stunnel-port would connect but not proceed past the
CONNECTED(3) state. Ultimately, it would time-out.
stunnel was not logging anything to syslog when these connections came
in. Outgoing stunnel connections seemed to be okay.
Looking through the log file, I could see that there were some odd
messages coming from stunnel in the daemon.log file suggesting that
there might be a memory leak. I won't post them here unless requested,
as they may represent a potential security issue.
My concern is that a service-restart for stunnel was not sufficient.
This suggests a problem which goes deeper than the stunnel service. Is
it possible for stunnel to break in such a way that it continues to be
broken after a restart?
I'm sorry, in retrospect, I was not 100% sure that the service did
indeed stop and launch a new process when running /etc/init.d/stunnel
restart, but there were no errors and the service-runner did report that
the service was restarted.
My (simplified) configuration and version information is posted below.
Please let me know if there is any other information I might be able to
provide in order to investigate this.
Note that this is a package-managed version of stunnel, provided by the
Debian package-maintainers.
Thanks,
-chris
PS Thanks for a wonderful product. I've relied on stunnel for years to
proxy these unencrypted AJP connections for me. Cheers for all your
great work.
Configuration:
=== CUT ===
cert = /etc/stunnel/stunnel.crt
key = /etc/stunnel/stunnel.pem
sslVersion = TLSv1.2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4-ajp.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 4
CAfile = /etc/stunnel/stunnel-ajp-trusted.pem
[now, a series of 4 services, all configured similarly]
accept=public-port
connect=localhost:private-port
=== CUT ===
Version:
stunnel 5.39 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.1.0c 10 Nov 2016
Running with OpenSSL 1.1.0j 20 Nov 2018
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI
Auth:LIBWRAP
Global options:
debug = daemon.notice
pid = /var/run/stunnel4.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
debug = notice
logId = sequential
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Linux kernel version:
Linux [hostname] 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27)
x86_64 GNU/Linux
This is running on a bare metal server.
