Has anyone tested this scenario with a number of stunnel clients and servers chained in a row with failover capability? The problem is that Stunnel in server mode accepts a connection and performs the SSL handshake before it checks if the connect endpoint is reachable. This causes the downlink client peer to wrongly assume that the link is up, and therefore it would not try the alternative failover endpoint.

You will only observe this problem if you cascade several nodes in a row. Ex:

Dummy TCP Client <-> Stunnel1 (client) <-> Stunnel2 (server) <-> Stunnel3 (client) <-> Dummy SSL Server

In this scenario, dummy client connects to S1, S1 connects to S2 (SSL), S2 tries to connect to S3 but since Dummy SSL server is down, S3 rejects but this rejection is not bouncing back to Dummy Client because S2 has done the downlink handshake and therefore S1 assumes everything is OK.

So, the ultimate question is how can we tell Stunnel to first try to connect to endpoints and then send a SYN-ACK back to downlink TCP connection request? This way, a client sends a SYN to Stunnel, Stunnel holds on 3-way handshake, tries to connect to the uplink and completes the downlink handshake only if the uplink connection is OK.
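
The ordering described in this post can be reproduced with plain TCP on loopback. The sketch below is an added example, not part of the original message and not stunnel code: it omits TLS, and `accept_first_relay`, `survives`, `dial` and the 0.5 s grace period are hypothetical names and values. It shows a failover client that trusts `connect()` alone selecting a relay whose backend is down, and a client that waits briefly for an early close moving on to the next endpoint.

```python
import select, socket, threading

def spawn(fn, *args):
    threading.Thread(target=fn, args=args, daemon=True).start()

def pipe(src, dst):                       # copy one direction until a side closes
    try:
        while (data := src.recv(4096)):
            dst.sendall(data)
    except OSError:
        pass
    src.close(); dst.close()

def accept_first_relay(lsock, upstream):  # accept downstream, dial upstream afterwards
    while True:
        down, _ = lsock.accept()          # downstream handshake has already completed
        try:
            up = socket.create_connection(upstream)
        except OSError:
            down.close()                  # a late close is the only failure signal
            continue
        spawn(pipe, down, up); spawn(pipe, up, down)

def survives(sock, grace):                # False if peer closes/resets within grace
    if not select.select([sock], [], [], grace)[0]:
        return True                       # still open and silent: treat as up
    try:
        return sock.recv(1, socket.MSG_PEEK) != b""
    except OSError:
        return False

def dial(endpoints, grace=None):          # grace=None trusts connect() alone
    for addr in endpoints:
        try:
            s = socket.create_connection(addr, timeout=1)
        except OSError:
            continue
        if grace is None or survives(s, grace):
            return s
        s.close()

def demo():                               # all endpoints are constructed loopback sockets
    new = lambda: socket.create_server(("127.0.0.1", 0))
    dead = socket.socket(); dead.bind(("127.0.0.1", 0))   # bound, not listening: refuses
    live, a, b = new(), new(), new()      # live backend stand-in and two relays
    spawn(accept_first_relay, a, dead.getsockname())      # relay a: backend is down
    spawn(accept_first_relay, b, live.getsockname())      # relay b: backend is up
    ends = [a.getsockname(), b.getsockname()]
    return ends, dial(ends).getpeername(), dial(ends, grace=0.5).getpeername()

if __name__ == "__main__":
    print(demo())
```

The grace period trades connection latency for detection: it must be longer than the time the relay needs to learn that its own uplink has failed.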