stunnel-users September 2021

stunnel-users@stunnel.org

13 participants
13 discussions

Session reuse problem
by Alen Loncaric 10 Sep '21

10 Sep '21

Hi guys, any reason my stunnel would not reuse sessions? 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): before SSL initialization 2021.09.09 13:14:00 LOG6[8]: writesocket: Socket is closed 2021.09.09 13:14:00 LOG7[9]: Initializing application specific data for session authenticated 2021.09.09 13:14:00 LOG5[8]: Connection closed: 170 byte(s) sent to TLS, 32768 byte(s) sent to socket 2021.09.09 13:14:00 LOG7[8]: Remote descriptor (FD=10) closed 2021.09.09 13:14:00 LOG7[8]: Local descriptor (FD=3) closed 2021.09.09 13:14:00 LOG7[8]: Service [squid] finished 2021.09.09 13:14:00 LOG7[ui]: Found 1 ready file descriptor(s) 2021.09.09 13:14:00 LOG7[ui]: FD=4 events=0x1 revents=0x1 2021.09.09 13:14:00 LOG7[ui]: FD=10 events=0x1 revents=0x0 2021.09.09 13:14:00 LOG7[ui]: Dispatching a signal from the signal pipe 2021.09.09 13:14:00 LOG7[ui]: Processing SIGCHLD 2021.09.09 13:14:00 LOG7[ui]: Retrieving pid statuses with waitpid() 2021.09.09 13:14:00 LOG6[ui]: Process 1933 finished with code 0 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS write client hello 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS write client hello 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS read server hello 2021.09.09 13:14:00 LOG6[9]: Certificate verification disabled 2021.09.09 13:14:00 LOG6[9]: Certificate verification disabled 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS read server certificate 2021.09.09 13:14:00 LOG6[9]: Client certificate not requested 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS read server done 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS write client key exchange 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS write change cipher spec 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS write finished 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS write finished 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS read server session ticket 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS read change cipher spec 2021.09.09 13:14:00 LOG7[9]: TLS state (connect): SSLv3/TLS read finished 2021.09.09 13:14:00 LOG7[9]: New session callback 2021.09.09 13:14:00 LOG7[9]: Peer certificate was cached (2037 bytes) 2021.09.09 13:14:00 LOG6[9]: Session id: DC783240F69C6910A2F8B9829504840EF619E30A14FEA982C944FBFB6828555F 2021.09.09 13:14:00 LOG7[9]: 1 client connect(s) requested 2021.09.09 13:14:00 LOG7[9]: 1 client connect(s) succeeded 2021.09.09 13:14:00 LOG7[9]: 0 client renegotiation(s) requested 2021.09.09 13:14:00 LOG7[9]: 0 session reuse(s) 2021.09.09 13:14:00 LOG6[9]: TLS connected: new session negotiated 2021.09.09 13:14:00 LOG6[9]: TLSv1.2 ciphersuite: AES128-GCM-SHA256 (128-bit encryption) 2021.09.09 13:14:00 LOG3[9]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2021.09.09 13:14:00 LOG7[9]: Compression: null, expansion: null 2021.09.09 13:14:01 LOG6[9]: Read socket closed (readsocket) 2021.09.09 13:14:01 LOG7[9]: Sending close_notify alert 2021.09.09 13:14:01 LOG6[9]: socket fd: Broken pipe (32) 2021.09.09 13:14:01 LOG7[9]: TLS alert (write): warning: close notify 2021.09.09 13:14:01 LOG6[9]: SSL_shutdown successfully sent close_notify alert 2021.09.09 13:14:01 LOG6[9]: writesocket: Socket is closed 2021.09.09 13:14:01 LOG5[9]: Connection closed: 170 byte(s) sent to TLS, 32768 byte(s) sent to socket 2021.09.09 13:14:01 LOG7[9]: Remote descriptor (FD=10) closed 2021.09.09 13:14:01 LOG7[9]: Local descriptor (FD=3) closed 2021.09.09 13:14:01 LOG7[9]: Service [squid] finished 2021.09.09 13:14:01 LOG7[ui]: Found 1 ready file descriptor(s) 2021.09.09 13:14:01 LOG7[ui]: FD=4 events=0x1 revents=0x1 2021.09.09 13:14:01 LOG7[ui]: FD=10 events=0x1 revents=0x0 2021.09.09 13:14:01 LOG7[ui]: Dispatching a signal from the signal pipe 2021.09.09 13:14:01 LOG7[ui]: Processing SIGCHLD 2021.09.09 13:14:01 LOG7[ui]: Retrieving pid statuses with waitpid() 2021.09.09 13:14:01 LOG6[ui]: Process 1934 finished with code 0 2021.09.09 13:14:03 LOG7[ui]: Found 1 ready file descriptor(s) 2021.09.09 13:14:03 LOG7[ui]: FD=4 events=0x1 revents=0x0 2021.09.09 13:14:03 LOG7[ui]: FD=10 events=0x1 revents=0x1 2021.09.09 13:14:03 LOG7[ui]: Service [squid] accepted (FD=3) from 127.0.0.1:49567 2021.09.09 13:14:03 LOG7[10]: Service [squid] started 2021.09.09 13:14:03 LOG7[10]: Setting local socket options (FD=3) 2021.09.09 13:14:03 LOG7[10]: Option TCP_NODELAY set on local socket 2021.09.09 13:14:03 LOG5[10]: Service [squid] accepted connection from 127.0.0.1:49567 2021.09.09 13:14:03 LOG6[10]: s_connect: connecting 44.44.44.44:522 2021.09.09 13:14:03 LOG7[10]: s_connect: s_poll_wait 44.44.44.44:522: waiting 10 seconds 2021.09.09 13:14:03 LOG7[10]: FD=6 events=0x1 revents=0x0 2021.09.09 13:14:03 LOG7[10]: FD=10 events=0x5 revents=0x0 2021.09.09 13:14:03 LOG5[10]: s_connect: connected 44.44.44.44:522 2021.09.09 13:14:03 LOG5[10]: Service [squid] connected remote server from 10.1.3.57:42843 2021.09.09 13:14:03 LOG7[10]: Setting remote socket options (FD=10) 2021.09.09 13:14:03 LOG7[10]: Option TCP_NODELAY set on remote socket 2021.09.09 13:14:03 LOG7[10]: Remote descriptor (FD=10) initialized 2021.09.09 13:14:03 LOG6[10]: SNI: sending servername: 44.44.44.44 2021.09.09 13:14:03 LOG6[10]: Peer certificate not required 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): before SSL initialization 2021.09.09 13:14:03 LOG7[10]: Initializing application specific data for session authenticated 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS write client hello 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS write client hello 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS read server hello 2021.09.09 13:14:03 LOG6[10]: Certificate verification disabled 2021.09.09 13:14:03 LOG6[10]: Certificate verification disabled 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS read server certificate 2021.09.09 13:14:03 LOG6[10]: Client certificate not requested 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS read server done 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS write client key exchange 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS write change cipher spec 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS write finished 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS write finished 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS read server session ticket 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS read change cipher spec 2021.09.09 13:14:03 LOG7[10]: TLS state (connect): SSLv3/TLS read finished 2021.09.09 13:14:03 LOG7[10]: New session callback 2021.09.09 13:14:03 LOG7[10]: Peer certificate was cached (2037 bytes) 2021.09.09 13:14:03 LOG6[10]: Session id: 85FD50E2A9D57B12D315C834EBA949CF015B7776C6A18486B06CE53F4C52D689 2021.09.09 13:14:03 LOG7[10]: 1 client connect(s) requested 2021.09.09 13:14:03 LOG7[10]: 1 client connect(s) succeeded 2021.09.09 13:14:03 LOG7[10]: 0 client renegotiation(s) requested 2021.09.09 13:14:03 LOG7[10]: 0 session reuse(s) 2021.09.09 13:14:03 LOG6[10]: TLS connected: new session negotiated 2021.09.09 13:14:03 LOG6[10]: TLSv1.2 ciphersuite: AES128-GCM-SHA256 (128-bit encryption) 2021.09.09 13:14:03 LOG3[10]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2021.09.09 13:14:03 LOG7[10]: Compression: null, expansion: null 2021.09.09 13:14:03 LOG7[ui]: Found 1 ready file descriptor(s) 2021.09.09 13:14:03 LOG7[ui]: FD=4 events=0x1 revents=0x0 2021.09.09 13:14:03 LOG7[ui]: FD=10 events=0x1 revents=0x1 2021.09.09 13:14:03 LOG7[ui]: Service [squid] accepted (FD=3) from 127.0.0.1:49569 2021.09.09 13:14:03 LOG7[11]: Service [squid] started 2021.09.09 13:14:03 LOG7[11]: Setting local socket options (FD=3) 2021.09.09 13:14:03 LOG7[11]: Option TCP_NODELAY set on local socket 2021.09.09 13:14:03 LOG5[11]: Service [squid] accepted connection from 127.0.0.1:49569 2021.09.09 13:14:03 LOG6[11]: s_connect: connecting 44.44.44.44:522 2021.09.09 13:14:03 LOG7[11]: s_connect: s_poll_wait 44.44.44.44:522: waiting 10 seconds 2021.09.09 13:14:03 LOG7[11]: FD=6 events=0x1 revents=0x0 2021.09.09 13:14:03 LOG7[11]: FD=10 events=0x5 revents=0x0 2021.09.09 13:14:03 LOG5[11]: s_connect: connected 44.44.44.44:522 2021.09.09 13:14:03 LOG5[11]: Service [squid] connected remote server from 10.1.3.57:42845 2021.09.09 13:14:03 LOG6[10]: Read socket closed (readsocket) 2021.09.09 13:14:03 LOG7[11]: Setting remote socket options (FD=10) 2021.09.09 13:14:03 LOG7[11]: Option TCP_NODELAY set on remote socket 2021.09.09 13:14:03 LOG7[11]: Remote descriptor (FD=10) initialized 2021.09.09 13:14:03 LOG7[10]: Sending close_notify alert 2021.09.09 13:14:03 LOG6[11]: SNI: sending servername: 44.44.44.44 2021.09.09 13:14:03 LOG6[10]: socket fd: Broken pipe (32) 2021.09.09 13:14:03 LOG6[11]: Peer certificate not required 2021.09.09 13:14:03 LOG7[10]: TLS alert (write): warning: close notify 2021.09.09 13:14:03 LOG6[10]: SSL_shutdown successfully sent close_notify alert 2021.09.09 13:14:03 LOG6[10]: writesocket: Socket is closed 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): before SSL initialization2021.09.09 13:14:03 LOG5[10]: Connection closed: 170 byte(s) sent to TLS, 32768 byte(s) sent to socket 2021.09.09 13:14:03 LOG7[11]: Initializing application specific data for session authenticated 2021.09.09 13:14:03 LOG7[10]: Remote descriptor (FD=10) closed 2021.09.09 13:14:03 LOG7[10]: Local descriptor (FD=3) closed 2021.09.09 13:14:03 LOG7[10]: Service [squid] finished 2021.09.09 13:14:03 LOG7[ui]: Found 1 ready file descriptor(s) 2021.09.09 13:14:03 LOG7[ui]: FD=4 events=0x1 revents=0x1 2021.09.09 13:14:03 LOG7[ui]: FD=10 events=0x1 revents=0x0 2021.09.09 13:14:03 LOG7[ui]: Dispatching a signal from the signal pipe 2021.09.09 13:14:03 LOG7[ui]: Processing SIGCHLD 2021.09.09 13:14:03 LOG7[ui]: Retrieving pid statuses with waitpid() 2021.09.09 13:14:03 LOG6[ui]: Process 1937 finished with code 0 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS write client hello 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS write client hello 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS read server hello 2021.09.09 13:14:03 LOG6[11]: Certificate verification disabled 2021.09.09 13:14:03 LOG6[11]: Certificate verification disabled 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS read server certificate 2021.09.09 13:14:03 LOG6[11]: Client certificate not requested 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS read server done 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS write client key exchange 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS write change cipher spec 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS write finished 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS write finished 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS read server session ticket 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS read change cipher spec 2021.09.09 13:14:03 LOG7[11]: TLS state (connect): SSLv3/TLS read finished 2021.09.09 13:14:03 LOG7[11]: New session callback 2021.09.09 13:14:03 LOG7[11]: Peer certificate was cached (2037 bytes) 2021.09.09 13:14:03 LOG6[11]: Session id: B171BF0D4CDB808D50C3CE4CDAA6AE53F2396068A9BD947D8277294F91CCFBFE 2021.09.09 13:14:03 LOG7[11]: 1 client connect(s) requested 2021.09.09 13:14:03 LOG7[11]: 1 client connect(s) succeeded 2021.09.09 13:14:03 LOG7[11]: 0 client renegotiation(s) requested 2021.09.09 13:14:03 LOG7[11]: 0 session reuse(s) 2021.09.09 13:14:03 LOG6[11]: TLS connected: new session negotiated 2021.09.09 13:14:03 LOG6[11]: TLSv1.2 ciphersuite: AES128-GCM-SHA256 (128-bit encryption) 2021.09.09 13:14:03 LOG3[11]: SSL_get_peer_tmp_key: Peer suddenly disconnected 2021.09.09 13:14:03 LOG7[11]: Compression: null, expansion: null 2021.09.09 13:14:03 LOG6[11]: Read socket closed (readsocket) 2021.09.09 13:14:03 LOG7[11]: Sending close_notify alert 2021.09.09 13:14:03 LOG6[11]: socket fd: Broken pipe (32) 2021.09.09 13:14:03 LOG7[11]: TLS alert (write): warning: close notify 2021.09.09 13:14:03 LOG6[11]: SSL_shutdown successfully sent close_notify alert 2021.09.09 13:14:03 LOG6[11]: writesocket: Socket is closed 2021.09.09 13:14:03 LOG5[11]: Connection closed: 170 byte(s) sent to TLS, 32768 byte(s) sent to socket 2021.09.09 13:14:03 LOG7[11]: Remote descriptor (FD=10) closed 2021.09.09 13:14:03 LOG7[11]: Local descriptor (FD=3) closed 2021.09.09 13:14:03 LOG7[11]: Service [squid] finished 2021.09.09 13:14:03 LOG7[ui]: Found 1 ready file descriptor(s) 2021.09.09 13:14:03 LOG7[ui]: FD=4 events=0x1 revents=0x1 2021.09.09 13:14:03 LOG7[ui]: FD=10 events=0x1 revents=0x0 2021.09.09 13:14:03 LOG7[ui]: Dispatching a signal from the signal pipe 2021.09.09 13:14:03 LOG7[ui]: Processing SIGCHLD 2021.09.09 13:14:03 LOG7[ui]: Retrieving pid statuses with waitpid() 2021.09.09 13:14:03 LOG6[ui]: Process 1938 finished with code 0 If i test with s_client: openssl s_client -connect 44.44.44.44:522 -reconnect I see TLS reused every time. Thank you!

1 0

stunnel logfile and setuid/setgid
by Norbert Hanke 02 Sep '21

02 Sep '21

Hi, I'm new to this list and hope I don't raise a question that has been raised many times before. I searched the archive and couldn't find that discussed previously... I want to configure stunnel using setuid = nobody setgid = nobody while having it write its output to its own logfile, not using syslog, with output = /var/log/stunnel.log log = append syslog = no This works when user nobody has write-access to an existing logfile, or user nobody is allowed to create the file in the directory. Both is not a good idea: user nobody should not have write access there. I could limit potential damage by having a separate directory with such access to nobody, but that is still kind of wrong. Or I could create a separate user only for stunnel and give that user full access to a separate directory: that would be more secure, only a hijacked (hopefully not) stunnel could tamper with its own logfiles. Shouldn't stunnel create and/or open the logfile while it is still running as root, and only then switch to user nobody? Or is there an option that I did not see so far allowing for what I'm trying? Thanks for any help. Regards, Norbert

1 0

Stunnel 5.60 started via Stunnel TLS wrapper on Windows 10 machine doesn't seem to be working
by ling＠aliko.com 01 Sep '21

01 Sep '21

Hi, I am trying to get Stunnel 5.60 started automatically as a service. My stunnel.conf is stored under C:\Program Files (x86)\stunnel\config works fine if I run stunnel.exe manually from CMD or bring up the GUI and reload configuration. Now I would like it to start automatically after reboots. I tried running stunnel.exe -install which installs the Stunnel TLS wrapper service. Starting the service does not however do anything. The "Path to execute" it installs for the service is "C:\Program Files (x86)\stunnel\config" -service -install. I don't see anything in the log. I can see that the stunnel.exe process is running in task manager. But running netstat -ao shows that no port is being listened to by the PID. Tried removing my stunnel.conf file and the service will still starts but stunnel doesn't seem to be doing anything. What could be the problem?

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users September 2021