Hi Eric,
Thanks for the very detailed reply! I had a conversation directly with one of the stunnel devs; she confirmed that there's a bug in the tests and supplied a patch. I guess this will be released in the next version. It only affects the tests, so the current version is fine, as long as you don't try to run the tests during installation.
Regards,
Ian Bamforth
Senior Software Engineer, Operations & Planning Systems Division
T: +44 (0)113 344 3970  M: +44 (0)7852 404240
E: Ian.Bamforth@tracsis.com  W: www.tracsis.com | www.tracsisops.com
Tracsis plc Leeds Innovation Centre 103 Clarendon Road Leeds LS2 9DF
Tracsis Operations and Planning Systems Division is a Division of Tracsis plc and comprises Tracsis plc (05019106), Tracsis Rail Consultancy Limited (05047148), Safety Information Systems Limited trading as COMPASS (02588404) and Tracsis Retail and Operations Limited (04225250), all subsidiaries of Tracsis plc with a registered office at Leeds Innovation Centre, 103 Clarendon Road, Leeds, LS2 9DF. VAT Registration No: 945 7876 61. This email and its attachments may be confidential and are intended solely for the use of the individual(s) to whom it is addressed. If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone. Please contact the sender if you believe you have received this email in error.
From: Eric S Eberhard <flash@vicsmba.com>
Sent: 09 July 2018 22:20
To: Ian Bamforth <Ian.Bamforth@tracsis.com>; stunnel-users@stunnel.org
Subject: RE: [stunnel-users] Intermittent error in 042_inetd
The 50% could be because the server side is not fully updated - we have this problem a lot with very large companies that should know better (and in reality should overlap instead of changing over - meaning allow SSLv3 for 3 months or something while also accepting TLSv2).
A very good way to test is to get a telnet program. Then "telnet localhost port#" - the port # being the port number stunnel is running on. This will remove all variables except stunnel and allow you to see the output. It could be you are connecting fine and failing some other authentication like a login - which you can see often with telnet. And set your firewall to not allow telnet on port 23. Also, we have found stunnel MUCH more reliable under inetd (if you are on Unix of course) than as a stand-alone server. A little performance loss that is unnoticeable to us - big customers exchange 2-4 million XML documents a day (using stunnel) so inetd is definitely not the most efficient way, but the machines are so darn fast it seems not to matter.
The certificates have become more painful but I have never had to use an official signed one. I make my own with openssl. However, there are intermediate ones that are needed from whomever you connect to if they have a signed certificate - say from Verisign - you may need your certificate and Verisign's, etc. - in a chain.
I set "cacert" to a large file of .pem certificates - which I simply download from the Web (available all over; some work, some don't). When you get one that works ... then use it. You can modify them by adding anything not found in the file. Supposedly the cacert file I have now is good till 2020 for the big names.
You can also use openssl to get the certificate from the server - just ask and you shall receive. It should have the entire chain.
I used to have one massive cacert for everyone and it was getting out of hand. As tacky as it is, I just make a cacert.pem file for every connection (e.g. Walmart, Fedex, Target, whatever). This allows working connections to keep working while you fiddle with a tricky one.
Eric
Eric S Eberhard
VICS (Vertical Integrated Computer Systems)
Voice: 928 567 3529
Cell: 928 301 7537 (not reliable except for text or if not home)
2933 W Middle Verde Rd, Camp Verde, AZ 86322

From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Ian Bamforth
Sent: Wednesday, July 04, 2018 9:00 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Intermittent error in 042_inetd
Afternoon,
Until recently we'd disabled `make test` because of certificate problems - we've re-enabled it (using `make check`) but are getting intermittent failures (around 50% of CI runs). Below is the output from the logs - I can't see what's gone wrong, can anyone shed any light?
2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648
2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())
2018.07.04 09:59:36 LOG7[ui]: Compression disabled
2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required
2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02004004 (+0x00004000, -0x00000000)
2018.07.04 09:59:36 LOG7[ui]: Private key check succeeded
2018.07.04 09:59:36 LOG7[ui]: ECDH initialization
2018.07.04 09:59:36 LOG7[ui]: ECDH initialized with curve prime256v1
2018.07.04 09:59:36 LOG7[ui]: Binding service [server]
2018.07.04 09:59:36 LOG7[ui]: Listening file descriptor created (FD=6)
2018.07.04 09:59:36 LOG7[ui]: Setting accept socket options (FD=6)
2018.07.04 09:59:36 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.07.04 09:59:36 LOG7[main]: Created pid file /opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid
2018.07.04 09:59:36 LOG7[cron]: Cron thread initialized
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: Service [server] accepted (FD=3) from 127.0.0.1:58890
2018.07.04 09:59:36 LOG7[0]: Service [server] started
2018.07.04 09:59:36 LOG7[0]: Setting local socket options (FD=3)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on local socket
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: SNI: no virtual services defined
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server hello
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read finished
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: New session callback
2018.07.04 09:59:36 LOG7[0]: 1 server accept(s) requested
2018.07.04 09:59:36 LOG7[0]: 1 server accept(s) succeeded
2018.07.04 09:59:36 LOG7[0]: 0 server renegotiation(s) requested
2018.07.04 09:59:36 LOG7[0]: 0 session reuse(s)
2018.07.04 09:59:36 LOG7[0]: 1 internal session cache item(s)
2018.07.04 09:59:36 LOG7[0]: 0 internal session cache fill-up(s)
2018.07.04 09:59:36 LOG7[0]: 0 internal session cache miss(es)
2018.07.04 09:59:36 LOG7[0]: 0 external session cache hit(s)
2018.07.04 09:59:36 LOG7[0]: 0 expired session(s) retrieved
2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null
2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=10)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) initialized
2018.07.04 09:59:36 LOG7[0]: TLS alert (read): warning: close notify
2018.07.04 09:59:36 LOG7[0]: Sent socket write shutdown
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) closed
2018.07.04 09:59:36 LOG7[0]: Local descriptor (FD=3) closed
2018.07.04 09:59:36 LOG7[0]: Service [server] finished (0 left)
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe
2018.07.04 09:59:36 LOG7[main]: Processing SIGCHLD
2018.07.04 09:59:36 LOG7[main]: Retrieving pid statuses with waitpid()
2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648
2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())
2018.07.04 09:59:36 LOG7[ui]: Compression disabled
2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required
2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02000004 (+0x00000000, -0x00000000)
2018.07.04 09:59:36 LOG7[ui]: No certificate or private key specified
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] started
2018.07.04 09:59:36 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:4433: waiting 10 seconds
2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=3)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) initialized
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2018.07.04 09:59:36 LOG7[0]: New session callback
2018.07.04 09:59:36 LOG7[0]: Peer certificate was cached (1241 bytes)
2018.07.04 09:59:36 LOG7[0]: 1 client connect(s) requested
2018.07.04 09:59:36 LOG7[0]: 1 client connect(s) succeeded
2018.07.04 09:59:36 LOG7[0]: 0 client renegotiation(s) requested
2018.07.04 09:59:36 LOG7[0]: 0 session reuse(s)
2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null
2018.07.04 09:59:36 LOG7[0]: Sending close_notify alert
2018.07.04 09:59:36 LOG7[0]: TLS alert (write): warning: close notify
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) closed
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] finished (0 left)
2018.07.04 09:59:36 LOG7[0]: Deallocating section defaults
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe
2018.07.04 09:59:36 LOG7[main]: Processing SIGNAL_TERMINATE
2018.07.04 09:59:36 LOG7[main]: Leak detection table utilization: 86/997, 8.63%
2018.07.04 09:59:36 LOG7[main]: Removed pid file /opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid
2018.07.04 09:59:36 LOG7[main]: Deallocating section defaults
Regards,
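Reading a LOG7 dump like the one above by hand is slow, so here is an added example (not from the thread or from stunnel) that groups stunnel debug lines by service section and gives each connection a handshake verdict. The sample lines are constructed: the first two connections are trimmed from the log quoted above, and the "[broken client]" connection with its fatal alert is invented to show the failure path.

```python
import re
# stunnel debug line: "YYYY.MM.DD HH:MM:SS LOG<level>[<thread>]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[(\w+)\]: (.*)$", re.M)
COUNT_RE = re.compile(r"^(\d+) (?:server accept|client connect)\(s\) (requested|succeeded)$")
ALERT_RE = re.compile(r"^TLS alert \((?:read|write)\): (warning|fatal): (.*)$")
# Constructed sample: the first two connections are trimmed from the log quoted
# above; the "[broken client]" connection is invented to show a failing handshake.
SAMPLE_LOG = """\
2018.07.04 09:59:36 LOG7[ui]: Binding service [server]
2018.07.04 09:59:36 LOG7[0]: Service [server] started
2018.07.04 09:59:36 LOG7[0]: 1 server accept(s) requested
2018.07.04 09:59:36 LOG7[0]: 1 server accept(s) succeeded
2018.07.04 09:59:36 LOG7[0]: Service [server] finished (0 left)
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] started
2018.07.04 09:59:36 LOG7[0]: 1 client connect(s) succeeded
2018.07.04 09:59:36 LOG7[0]: TLS alert (write): warning: close notify
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] finished (0 left)
2018.07.04 09:59:37 LOG7[1]: Service [broken client] started
2018.07.04 09:59:37 LOG7[1]: TLS alert (read): fatal: handshake failure
2018.07.04 09:59:37 LOG7[1]: 1 client connect(s) requested
2018.07.04 09:59:37 LOG7[1]: 0 client connect(s) succeeded
2018.07.04 09:59:37 LOG7[1]: Service [broken client] finished (0 left)
"""

def summarize(log_text):
    """Group lines by the service running on each thread tag; return {service: counters}."""
    services, current = {}, {}          # current: thread tag -> service name
    for thread, msg in LINE_RE.findall(log_text):
        started = re.match(r"^Service \[(.+)\] started$", msg)
        if started:                     # a new connection takes over this thread tag
            current[thread] = started.group(1)
            services[started.group(1)] = {"requested": 0, "succeeded": 0, "alerts": [], "finished": False}
            continue
        svc = current.get(thread)
        if svc is None:                 # [ui]/[main]/[cron] lines belong to no connection
            continue
        if (c := COUNT_RE.match(msg)):
            services[svc][c.group(2)] = int(c.group(1))
        elif (a := ALERT_RE.match(msg)):
            services[svc]["alerts"].append((a.group(1), a.group(2)))
        elif msg.startswith(f"Service [{svc}] finished"):
            services[svc]["finished"] = True
    return services

def verdict(s):
    """'ok' only if the handshake completed and no fatal alert was logged."""
    fatal = [reason for level, reason in s["alerts"] if level == "fatal"]
    if fatal:
        return "failed: fatal alert: " + fatal[0]
    return "ok" if s["finished"] and s["succeeded"] >= s["requested"] else "failed: handshake did not complete"
```

Run over the full log above, both the [server] and [inetd client] sections come out "ok" (close_notify is only a warning), which is consistent with the failure living in the test harness rather than in the TLS exchange.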