Hi Eric,

 

Thanks for the very detailed reply!  I had a conversation direct with one of the stunnel devs, she confirmed that there’s a bug in the tests and supplied a patch.  I guess this will be released in the next version.  It only affects the tests, so the current version is fine, as long as you don’t try to run the tests during installation.

 

Regards,

Ian Bamforth
Senior Software Engineer
Operations & Planning Systems Division

T: 
+44 (0)113 344 3970
M:
+44 (0)7852 404240
E: 
Ian.Bamforth@tracsis.com
W:
www.tracsis.com
www.tracsisops.com

Follow Us
https://static.tracsis.com/email/lin2.png  https://static.tracsis.com/email/twi2.png

Tracsis plc

Leeds Innovation Centre
103 Clarendon Road
Leeds
LS2 9DF

https://static.tracsis.com/email/award4.png
Tracsis Operations and Planning Systems Division is a Division of Tracsis plc and comprises Tracsis plc (05019106), Tracsis Rail Consultancy Limited (05047148), Safety Information Systems Limited trading as COMPASS (02588404) and Tracsis Retail and Operations Limited (04225250), all subsidiaries of Tracsis plc with a registered office at Leeds Innovation Centre,103 Clarendon Road, Leeds, LS2 9DF. VAT Registration No: 945 7876 61. This email and its attachments may be confidential and are intended solely for the use of the individual(s) to whom it is addressed. If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone. Please contact the sender if you believe you have received this email in error.

 

From: Eric S Eberhard <flash@vicsmba.com>
Sent: 09 July 2018 22:20
To: Ian Bamforth <Ian.Bamforth@tracsis.com>; stunnel-users@stunnel.org
Subject: RE: [stunnel-users] Intermittent error in 042_inetd

 

The 50% could be because the server side is not fully updated – we have this problem a lot with very large companies that should know better (and in reality should overlap instead of changing over – meaning allow SSLv3 for 3 months or something while also accepting TLSv2.

 

A very good way to test is to get a telnet program.  Then “telnent localhost port#” – the port # being the port number stunnel is running on.  This will remove all variables except stunnel and allow you to see the output.  It could be you are connecting fine and failing some other authentication like a login – which you can see often with telnet.  And set your firewall to not allow telnet on port 23.  Also, we have found stunnel MUCH more reliable under inetd (if you are on Unix of course) than as a stand-alone server.  A little performance loss that is unnoticeable to us – big customers exchange 2-4 million XML documents a day (using stunnel) so inetd is definitely not the most efficient way, but the machines are so darn fast it seems not to matter.

 

The certificates have become more painful but I have never had to use an official signed one.  I make my own with openssl.  However, there are intermediate ones that are needed from whomever you connect to if they have a signed certificate – say from Verisign – you may need your certificate and Verisigns, etc – in a chain. 

 

I use “cacert” to set to a large file of .pem certificates – which I simply download from the Web (available all over, some work, some don’t.  When you get one that works … then use it.  You can modify them by adding anything not found in the file.  Supposedly the cacert file I have now is good till 2020 for the big names.

 

You can also use openssl to get the certificate from the server – just ask and you shall receive.   It should have the entire chain.

 

I used to have on massive cacert for everyone and it was getting out of hand.  As tacky as it is, I just make a cacert.pem file for every connection (e.g. Walmart, Fedex, Target, whatever).  This allows working connections to keep working while you fiddle with a tricky one.

 

Eric

 

 

Eric S Eberhard

VICS (Vertical Integrated Computer Systems)

Voice: 928 567 3529

Cell    : 928 301 7537  (not reliable except for text or if not home)

2933 W Middle Verde Rd

Camp Verde, AZ  86322

 

From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Ian Bamforth
Sent: Wednesday, July 04, 2018 9:00 AM
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Intermittent error in 042_inetd

 

Afternoon,

 

Until recently we’d disabled `make test` because of certificate problems – we’ve re-enabled it (using `make check`) but are getting intermittent failures (around 50% of CI runs). Below is the output from the logs – I can’t see what’s gone wrong, can anyone shed any light?

 

2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648

2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())

2018.07.04 09:59:36 LOG7[ui]: Compression disabled

2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required

2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK

2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02004004 (+0x00004000, -0x00000000)

2018.07.04 09:59:36 LOG7[ui]: Private key check succeeded

2018.07.04 09:59:36 LOG7[ui]: ECDH initialization

2018.07.04 09:59:36 LOG7[ui]: ECDH initialized with curve prime256v1

2018.07.04 09:59:36 LOG7[ui]: Binding service [server]

2018.07.04 09:59:36 LOG7[ui]: Listening file descriptor created (FD=6)

2018.07.04 09:59:36 LOG7[ui]: Setting accept socket options (FD=6)

2018.07.04 09:59:36 LOG7[ui]: Option SO_REUSEADDR set on accept socket

2018.07.04 09:59:36 LOG7[main]: Created pid file /opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid

2018.07.04 09:59:36 LOG7[cron]: Cron thread initialized

2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)

2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x0

2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x1

2018.07.04 09:59:36 LOG7[main]: Service [server] accepted (FD=3) from 127.0.0.1:58890

2018.07.04 09:59:36 LOG7[0]: Service [server] started

2018.07.04 09:59:36 LOG7[0]: Setting local socket options (FD=3)

2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on local socket

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization

2018.07.04 09:59:36 LOG7[0]: SNI: no virtual services defined

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client hello

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server hello

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write certificate

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client key exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read change cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read finished

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write change cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write finished

2018.07.04 09:59:36 LOG7[0]: New session callback

2018.07.04 09:59:36 LOG7[0]:      1 server accept(s) requested

2018.07.04 09:59:36 LOG7[0]:      1 server accept(s) succeeded

2018.07.04 09:59:36 LOG7[0]:      0 server renegotiation(s) requested

2018.07.04 09:59:36 LOG7[0]:      0 session reuse(s)

2018.07.04 09:59:36 LOG7[0]:      1 internal session cache item(s)

2018.07.04 09:59:36 LOG7[0]:      0 internal session cache fill-up(s)

2018.07.04 09:59:36 LOG7[0]:      0 internal session cache miss(es)

2018.07.04 09:59:36 LOG7[0]:      0 external session cache hit(s)

2018.07.04 09:59:36 LOG7[0]:      0 expired session(s) retrieved

2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null

2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=10)

2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) initialized

2018.07.04 09:59:36 LOG7[0]: TLS alert (read): warning: close notify

2018.07.04 09:59:36 LOG7[0]: Sent socket write shutdown

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) closed

2018.07.04 09:59:36 LOG7[0]: Local descriptor (FD=3) closed

2018.07.04 09:59:36 LOG7[0]: Service [server] finished (0 left)

2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)

2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1

2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0

2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe

2018.07.04 09:59:36 LOG7[main]: Processing SIGCHLD

2018.07.04 09:59:36 LOG7[main]: Retrieving pid statuses with waitpid()

2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648

2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())

2018.07.04 09:59:36 LOG7[ui]: Compression disabled

2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required

2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK

2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02000004 (+0x00000000, -0x00000000)

2018.07.04 09:59:36 LOG7[ui]: No certificate or private key specified

2018.07.04 09:59:36 LOG7[0]: Service [inetd client] started

2018.07.04 09:59:36 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:4433: waiting 10 seconds

2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=3)

2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) initialized

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): before SSL initialization

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server done

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec

2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read finished

2018.07.04 09:59:36 LOG7[0]: New session callback

2018.07.04 09:59:36 LOG7[0]: Peer certificate was cached (1241 bytes)

2018.07.04 09:59:36 LOG7[0]:      1 client connect(s) requested

2018.07.04 09:59:36 LOG7[0]:      1 client connect(s) succeeded

2018.07.04 09:59:36 LOG7[0]:      0 client renegotiation(s) requested

2018.07.04 09:59:36 LOG7[0]:      0 session reuse(s)

2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null

2018.07.04 09:59:36 LOG7[0]: Sending close_notify alert

2018.07.04 09:59:36 LOG7[0]: TLS alert (write): warning: close notify

2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) closed

2018.07.04 09:59:36 LOG7[0]: Service [inetd client] finished (0 left)

2018.07.04 09:59:36 LOG7[0]: Deallocating section defaults

2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)

2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1

2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0

2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe

2018.07.04 09:59:36 LOG7[main]: Processing SIGNAL_TERMINATE

2018.07.04 09:59:36 LOG7[main]: Leak detection table utilization: 86/997, 8.63%

2018.07.04 09:59:36 LOG7[main]: Removed pid file /opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid

2018.07.04 09:59:36 LOG7[main]: Deallocating section defaults

 

Regards,

Ian Bamforth
Senior Software Engineer
Operations & Planning Systems Division

T: 
+44 (0)113 344 3970
M:
+44 (0)7852 404240
E: 
Ian.Bamforth@tracsis.com
W:
www.tracsis.com
www.tracsisops.com

Follow Us
https://static.tracsis.com/email/lin2.png  https://static.tracsis.com/email/twi2.png

Tracsis plc

Leeds Innovation Centre
103 Clarendon Road
Leeds
LS2 9DF

https://static.tracsis.com/email/award4.png
Tracsis Operations and Planning Systems Division is a Division of Tracsis plc and comprises Tracsis plc (05019106), Tracsis Rail Consultancy Limited (05047148), Safety Information Systems Limited trading as COMPASS (02588404) and Tracsis Retail and Operations Limited (04225250), all subsidiaries of Tracsis plc with a registered office at Leeds Innovation Centre,103 Clarendon Road, Leeds, LS2 9DF. VAT Registration No: 945 7876 61. This email and its attachments may be confidential and are intended solely for the use of the individual(s) to whom it is addressed. If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone. Please contact the sender if you believe you have received this email in error.