On Thu, May 12, 2022 at 12:24:15AM -0000, rick.gregson@gmail.com wrote:
Hi All,
I have recently configured stunnel on a Windows Server, it has been configured using a certificate from our internal CA and appears to be functioning ok. However we have a load balancer that is doing a health check against the service and is polling S-Tunnel availability every 5 seconds each time a poll occurs I am seeing the error posted below in the logs.
2022.05.12 10:22:55 LOG3[4113]: SSL_read: ssl/record/rec_layer_s3.c:308: error:0A000126:SSL routines::unexpected eof while reading 2022.05.12 10:22:55 LOG5[4113]: Connection reset: 217 byte(s) sent to TLS, 49 byte(s) sent to socket
Can I please have some advice on how to stop this error?
If what your load balancer is doing is creating a connection, maybe sending a couple of TLS packets, and then closing the connection without the proper TLS shutdown notifications, then it is expected for stunnel to log something like this: "somebody said they wanted to talk to me, but then they just stopped without telling me they were going to stop; please check to see if something went wrong on the other side, this connection did not follow the established protocol".
You could try using e.g. tcpdump or wireshark to capture the TCP packets for a session from your load balancer to stunnel, see what packets are sent and at which stage of the connection your load balancer decides to break it off. In a perfect world, you would then be able to configure your load balancer's behavior to send more packets, if it turns out that it does indeed not send all the close notifications correctly.
BTW, just as an aside, take a look at something I wrote some time ago on this list about "just connect and disconnect" service health checks:
https://www.stunnel.org/mailman3/hyperkitty/list/stunnel-users@stunnel.org/t...
...and look for "So, three points here" - the archive does not seem to allow me to link directly to my reply.
Hope this helps!
G'luck, Peter