Hi,
I’m running Hybrid-7.2 on two PCs, one of which has a dynamic IP. Since Hybrid wants a static IP rather than a hostname in its connect section, we are trying to use stunnel to encrypt the server<->server link.
Server 1 specs (the one I’m connecting to), running FreeBSD 6.3:
***********************************************
#stunnel -version
stunnel 4.05 on amd64-unknown-freebsd5.3 PTHREAD+LIBWRAP
with OpenSSL 0.9.7e 25 Oct 2004
Global options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /usr/local/etc/stunnel/stunnel.pem
pid = /var/tmp/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
#gcc -v
Using built-in specs.
Configured with: FreeBSD/amd64 system compiler
Thread model: posix
gcc version 3.4.6 [FreeBSD] 20060305
#uname
FreeBSD 6.3-STABLE FreeBSD 6.3-STABLE #6: Tue Jan 22
13:23:51 GMT 2008
root@:/usr/obj/usr/src/sys/SVR1 amd64
Server 2 specs (the one I’m connecting from, with stunnel in client mode), running OpenBSD 4.2:
******************************************************************
#stunnel -version
stunnel 4.20 on i386-unknown-openbsd4.2 with OpenSSL 0.9.7j
04 May 2006
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
Global options
debug = 5
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/arandom
RNDoverwrite = yes
Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
key = /etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
# gcc -v
Reading specs from
/usr/lib/gcc-lib/i386-unknown-openbsd4.2/3.3.5/specs
Configured with:
Thread model: single
gcc version 3.3.5 (propolice)
# cat stunnel.conf:
; stunnel client-side configuration on the OpenBSD box (Server 2).
; Certificate and private key loaded at startup (the log below reports
; "Certificate loaded" / "Private key loaded" for these two paths).
cert = /etc/ssl/private/stunnel.pem
key = /etc/ssl/private/rsa.key
; Unprivileged account the daemon runs as; presumably privileges are dropped
; to it after startup -- confirm against the stunnel(8) manual for 4.20.
setuid = _stunnel
setgid = _stunnel
pid = /var/run/stunnel.pid
; Disable Nagle on both the local (l:) and remote (r:) socket; the log
; confirms "TCP_NODELAY option set" on each side.
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Level 7 = maximum verbosity (the LOG7 lines in the output below).
debug = 7
; Stay in the foreground, so the debug output goes to stderr.
foreground = yes
[irc]
; Client mode: this side initiates the TLS handshake towards the remote
; server (the "SSL state (connect)" lines below).
client = yes
; Local listener the ircd connects to in the clear; the log shows it bound
; to 127.0.0.1:994.
accept = localhost:994
; Remote stunnel endpoint (address redacted by the poster).
; NOTE(review): no 'verify' (or CAfile) option is set here, so the default
; shown by 'stunnel -version' above applies: verify = none. The peer's
; certificate is therefore never checked -- the link is encrypted but the
; remote end is not authenticated, and a host between the two servers could
; impersonate the peer. Setting a verify level plus a CAfile closes that gap.
connect = xxx.xxx.xxx.xxx:994
Here’s the debug output logged to stderr:
# stunnel
2008.02.08 19:34:54 LOG7[11904:2237644800]: Snagged 64
random bytes from /dev/arandom
2008.02.08 19:34:54 LOG7[11904:2237644800]: RAND_status
claims sufficient entropy for the PRNG
2008.02.08 19:34:54 LOG7[11904:2237644800]: PRNG seeded
successfully
2008.02.08 19:34:54 LOG7[11904:2237644800]: Certificate:
/etc/ssl/private/stunnel.pem
2008.02.08 19:34:54 LOG7[11904:2237644800]: Certificate
loaded
2008.02.08 19:34:54 LOG7[11904:2237644800]: Key file:
/etc/ssl/private/rsa.key
2008.02.08 19:34:54 LOG7[11904:2237644800]: Private key
loaded
2008.02.08 19:34:54 LOG7[11904:2237644800]: SSL context
initialized for service irc
2008.02.08 19:34:54 LOG5[11904:2237644800]: stunnel 4.20 on
i386-unknown-openbsd4.2 with OpenSSL 0.9.7j 04 May 2006
2008.02.08 19:34:54 LOG5[11904:2237644800]:
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.02.08 19:34:54 LOG6[11904:2237644800]: file ulimit =
128 (can be changed with 'ulimit -n')
2008.02.08 19:34:54 LOG6[11904:2237644800]: poll() used - no
FD_SETSIZE limit for file descriptors
2008.02.08 19:34:54 LOG5[11904:2237644800]: 61 clients
allowed
2008.02.08 19:34:54 LOG7[11904:2237644800]: FD 6 in
non-blocking mode
2008.02.08 19:34:54 LOG7[11904:2237644800]: FD 7 in
non-blocking mode
2008.02.08 19:34:54 LOG7[11904:2237644800]: FD 8 in
non-blocking mode
2008.02.08 19:34:54 LOG7[11904:2237644800]: SO_REUSEADDR
option set on accept socket
2008.02.08 19:34:54 LOG7[11904:2237644800]: irc bound to
127.0.0.1:994
2008.02.08 19:34:54 LOG7[11904:2237644800]: Created pid file
/var/run/stunnel.pid
2008.02.08 19:35:15 LOG7[11904:2237644800]: irc accepted
FD=9 from 127.0.0.1:8579
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc started
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 9 in
non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: TCP_NODELAY
option set on local socket
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 10 in
non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 11 in
non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: Connection from
127.0.0.1:8579 permitted by libwrap
2008.02.08 19:35:15 LOG5[11904:2336256000]: irc accepted
connection from 127.0.0.1:8579
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 10 in
non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc connecting
69.50.175.50:994
2008.02.08 19:35:15 LOG7[11904:2336256000]: connect_wait:
waiting 10 seconds
2008.02.08 19:35:15 LOG7[11904:2237644800]: Cleaning up the
signal pipe
2008.02.08 19:35:15 LOG6[11904:2237644800]: Child process
26562 finished with code 0
2008.02.08 19:35:15 LOG7[11904:2336256000]: connect_wait:
connected
2008.02.08 19:35:15 LOG5[11904:2336256000]: irc connected
remote server from 192.168.1.101:42954
2008.02.08 19:35:15 LOG7[11904:2336256000]: Remote FD=10
initialized
2008.02.08 19:35:15 LOG7[11904:2336256000]: TCP_NODELAY
option set on remote socket
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): before/connect initialization
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 write client hello A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 read server hello A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 read server certificate A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 read server done A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 write client key exchange A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 write change cipher spec A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 write finished A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 flush data
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state
(connect): SSLv3 read finished A
2008.02.08 19:35:15
LOG7[11904:2336256000]: 1 items in the session cache
2008.02.08 19:35:15
LOG7[11904:2336256000]: 1 client connects (SSL_connect())
2008.02.08 19:35:15
LOG7[11904:2336256000]: 1 client connects that finished
2008.02.08 19:35:15
LOG7[11904:2336256000]: 0 client renegotiations requested
2008.02.08 19:35:15
LOG7[11904:2336256000]: 0 server connects (SSL_accept())
2008.02.08 19:35:15
LOG7[11904:2336256000]: 0 server connects that finished
2008.02.08 19:35:15
LOG7[11904:2336256000]: 0 server renegotiations requested
2008.02.08 19:35:15
LOG7[11904:2336256000]: 0 session cache hits
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0
session cache misses
2008.02.08 19:35:15
LOG7[11904:2336256000]: 0 session cache timeouts
2008.02.08 19:35:15 LOG6[11904:2336256000]: SSL connected:
new session negotiated
2008.02.08 19:35:15 LOG6[11904:2336256000]: Negotiated
ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2008.02.08 19:35:15 LOG3[11904:2336256000]: SSL_read:
Connection reset by peer (54)
2008.02.08 19:35:15 LOG5[11904:2336256000]: Connection
reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc finished (0
left)
What is going on here with “SSL_read: Connection reset
by peer (54)”? Note that the handshake itself completes (“SSL connected: new session negotiated”, cipher AES256-SHA) and the reset arrives before any application data flows in either direction (“0 bytes sent to SSL, 0 bytes sent to socket”).
This sequence keeps repeating without the ircds ever
linking.
-
S