December 2023 - stunnel-users

Connect multiple clients to one server port
by egig＠gmv.com 12 Dec '23

12 Dec '23

Hi all I was wondering if there is a way to connect multiple stunnel clients running on different machines to the same stunnel server service, also running on a different machine. All the clients must connect to the same server port. I have tried it with my current config but I haven't been able to make it work, is this even possible?? Thanks, Esteban.

3 4

Accepted connection and then TIMEOUTconnection exceeded:
by trashrap22＠gmail.com 07 Dec '23

07 Dec '23

Hi All, I can ssh to my VM with terminal etc. However my stunnel has something stopping the packet flow? What could be the problem and what should I check / troubleshoot: client log file: 2023.12.07 07:21:05 LOG7[0]: Service [Sql_Silicon] started 2023.12.07 07:21:05 LOG7[0]: Setting local socket options (FD=636) 2023.12.07 07:21:05 LOG7[0]: Option TCP_NODELAY set on local socket 2023.12.07 07:21:05 LOG5[0]: Service [Sql_Silicon] accepted connection from 127.0.0.1:50474 2023.12.07 07:21:05 LOG6[0]: s_connect: connecting <IP>:<Port> 2023.12.07 07:21:05 LOG7[0]: s_connect: s_poll_wait <IP>:<Port>: waiting 10 seconds 2023.12.07 07:21:05 LOG7[0]: FD=676 ifds=rwx ofds=--- 2023.12.07 07:21:15 LOG3[0]: s_connect: s_poll_wait <IP>:<Port>: TIMEOUTconnect exceeded 2023.12.07 07:21:15 LOG3[0]: No more addresses to connect 2023.12.07 07:21:15 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 2023.12.07 07:21:15 LOG7[0]: local_rfd/local_wfd reset (FD=636) 2023.12.07 07:21:15 LOG7[0]: Local descriptor (FD=636) closed 2023.12.07 07:21:15 LOG7[0]: Service [Sql_Silicon] finished (0 left) My VM is a linux server, on startup of stunnel I get this concerning message which might be the cause? However, I checked and stunnel4:stunnel4 has permissions on the folder and psk file. 2023.12.07 07:40:45 LOG4[ui]: Insecure file permissions on /var/lib/stunnel4/pskSQL_.txt server log file on start service: 2023.12.07 07:40:45 LOG7[ui]: Clients allowed=500 2023.12.07 07:40:45 LOG5[ui]: stunnel 5.56 on x86_64-pc-linux-gnu platform 2023.12.07 07:40:45 LOG5[ui]: Compiled with OpenSSL 1.1.1k 25 Mar 2021 2023.12.07 07:40:45 LOG5[ui]: Running with OpenSSL 1.1.1w 11 Sep 2023 2023.12.07 07:40:45 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP 2023.12.07 07:40:45 LOG7[ui]: errno: (*__errno_location ()) 2023.12.07 07:40:45 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf 2023.12.07 07:40:45 LOG5[ui]: UTF-8 byte order mark not detected 2023.12.07 07:40:45 LOG5[ui]: FIPS mode disabled 2023.12.07 07:40:45 LOG7[ui]: Compression disabled 2023.12.07 07:40:45 LOG7[ui]: No PRNG seeding was required 2023.12.07 07:40:45 LOG4[ui]: Insecure file permissions on /var/lib/stunnel4/pskSQL_.txt 2023.12.07 07:40:45 LOG6[ui]: PSKsecrets line 1: 64-byte hexadecimal key configured for identity "siliconServer" 2023.12.07 07:40:45 LOG6[ui]: Initializing service [SQL-<port>] 2023.12.07 07:40:45 LOG6[ui]: PSK identities: 1 retrieved 2023.12.07 07:40:45 LOG7[ui]: Ciphers: PSK 2023.12.07 07:40:45 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 2023.12.07 07:40:45 LOG7[ui]: TLS options: 0x02100004 (+0x00000000, -0x00000000) 2023.12.07 07:40:45 LOG7[ui]: No certificate or private key specified 2023.12.07 07:40:45 LOG6[ui]: DH initialization needed for DHE-PSK-AES256-GCM-SHA384 2023.12.07 07:40:45 LOG7[ui]: DH initialization 2023.12.07 07:40:45 LOG7[ui]: No certificate available to load DH parameters 2023.12.07 07:40:45 LOG6[ui]: Using dynamic DH parameters 2023.12.07 07:40:45 LOG7[ui]: ECDH initialization 2023.12.07 07:40:45 LOG7[ui]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384 2023.12.07 07:40:45 LOG5[ui]: Configuration successful 2023.12.07 07:40:45 LOG7[ui]: Binding service [SQL-<port>] 2023.12.07 07:40:45 LOG7[ui]: Listening file descriptor created (FD=9) 2023.12.07 07:40:45 LOG7[ui]: Setting accept socket options (FD=9) 2023.12.07 07:40:45 LOG7[ui]: Option SO_REUSEADDR set on accept socket 2023.12.07 07:40:45 LOG6[ui]: Service [SQL-<port>] (FD=9) bound to <IP>:<port> 2023.12.07 07:40:45 LOG5[ui]: Switched to chroot directory: /var/lib/stunnel4/ 2023.12.07 07:40:45 LOG7[main]: Created pid file /stunnel.pid 2023.12.07 07:40:45 LOG7[cron]: Cron thread initialized 2023.12.07 07:40:45 LOG6[cron]: Executing cron jobs 2023.12.07 07:40:45 LOG5[cron]: Updating DH parameters

2 1

Stunnel load balancing through F5
by caspernetherlands＠gmail.com 05 Dec '23

05 Dec '23

Hello, Was wondering if anyone has tried to setup an HA like setup, specifically active/passive through two Stunnel servers and F5 load balancers. The problem I have is that TCP health checks (active checks) from the F5 are causing session initiation all the way to the 3rd party on the other side and this is causing a lot of unnecessary TCP traffic at the transport layer. The good thing is that the F5 closes these TCP sessions, but the problem is the 3rd party thinks someone is trying to brute force or something. Does anyone know how to maintain the TCP active health checks that the F5 does, but at the same time not cause a session initiation all the way to the 3rd party? Or if it’s not possible to stop the session initiation, would there be any option where something can be adjusted in the stunnel side so that the other side sees only one TCP health check as opposed to multiple every few seconds?

3 3

Connection failed: no suitable signature algorithm
by Martin K. 01 Dec '23

01 Dec '23

I'm trying to understand this error: SSL_accept: ssl/t1_lib.c:2827: error:14201076:SSL routines:tls_choose_sigalg:no suitable signature algorithm How can I fix that? Is it because of the openssl version? I'm using Stunnel 5.71 on both sides. The server-side stunnel is built from source.

1 0