I have problems with stunnel on Windows. After a successful connection with stunnel, the connection drops after approximately 9 minutes of inactivity. On Linux, this problem was solved by changing these parameters:

net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 30
net.ipv4.tcp_keepalive_probes = 20

I don't have access to the server side router, so I can't change anything. Stunnel log:

2023.01.25 17:18:10 LOG7[1]: Service [test] started
2023.01.25 17:18:10 LOG7[1]: Setting local socket options (FD=964)
2023.01.25 17:18:10 LOG7[1]: Option TCP_NODELAY set on local socket
2023.01.25 17:18:10 LOG5[1]: Service [test] accepted connection from 127.0.0.1:50145
2023.01.25 17:18:10 LOG6[1]: s_connect: connecting 225.179.85.93:18572
2023.01.25 17:18:10 LOG7[1]: s_connect: s_poll_wait 225.179.85.93:18572: waiting 10 seconds
2023.01.25 17:18:10 LOG7[1]: FD=716 ifds=rwx ofds=---
2023.01.25 17:18:10 LOG5[1]: s_connect: connected 225.179.85.93:18572
2023.01.25 17:18:10 LOG5[1]: Service [onegomed] connected remote server from 192.168.1.84:50146
2023.01.25 17:18:10 LOG7[1]: Setting remote socket options (FD=716)
2023.01.25 17:18:10 LOG7[1]: Option TCP_NODELAY set on remote socket
2023.01.25 17:18:10 LOG7[1]: Remote descriptor (FD=716) initialized
2023.01.25 17:18:10 LOG6[1]: SNI: sending servername: 225.179.85.93
2023.01.25 17:18:10 LOG6[1]: Peer certificate not required
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): before SSL initialization
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write client hello
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write client hello
2023.01.25 17:18:10 LOG7[1]: Initializing application specific data for session authenticated
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server hello
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): TLSv1.3 read encrypted extensions
2023.01.25 17:18:10 LOG6[1]: Certificate verification disabled
2023.01.25 17:18:10 LOG6[1]: Certificate verification disabled
2023.01.25 17:18:10 LOG6[1]: Certificate verification disabled
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server certificate
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): TLSv1.3 read server certificate verify
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read finished
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write change cipher spec
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS write finished
2023.01.25 17:18:10 LOG7[1]:      2 client connect(s) requested
2023.01.25 17:18:10 LOG7[1]:      2 client connect(s) succeeded
2023.01.25 17:18:10 LOG7[1]:      0 client renegotiation(s) requested
2023.01.25 17:18:10 LOG7[1]:      0 session reuse(s)
2023.01.25 17:18:10 LOG6[1]: TLS connected: new session negotiated
2023.01.25 17:18:10 LOG6[1]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
2023.01.25 17:18:10 LOG6[1]: Peer temporary key: X25519, 253 bits
2023.01.25 17:18:10 LOG7[1]: Compression: null, expansion: null
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: Initializing application specific data for session authenticated
2023.01.25 17:18:10 LOG7[1]: Deallocating application specific data for session connect address
2023.01.25 17:18:10 LOG7[1]: New session callback
2023.01.25 17:18:10 LOG7[1]: Deallocating application specific data for session connect address
2023.01.25 17:18:10 LOG6[1]: Session id:     8E91DBE369D9E16221CCA288A7C1F652AB045BAE96C19B4240B1B7F710069CCE
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server session ticket
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSL negotiation finished successfully
2023.01.25 17:18:10 LOG7[1]: Initializing application specific data for session authenticated
2023.01.25 17:18:10 LOG7[1]: New session callback
2023.01.25 17:18:10 LOG7[1]: Deallocating application specific data for session connect address
2023.01.25 17:18:10 LOG6[1]: Session id:     6UIA254BF9D027B3D4BE5F966BDE9DE2058CF167C4EF0CD5A460958B698DF322
2023.01.25 17:18:10 LOG7[1]: TLS state (connect): SSLv3/TLS read server session ticket
2023.01.25 17:33:25 LOG3[1]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2023.01.25 17:33:25 LOG5[1]: Connection reset: 5184 byte(s) sent to TLS, 10344 byte(s) sent to socket
2023.01.25 17:33:25 LOG7[1]: Remote descriptor (FD=716) closed
2023.01.25 17:33:25 LOG7[1]: Local descriptor (FD=964) closed
2023.01.25 17:33:25 LOG7[1]: Service [test] finished (0 left)

I tried:

  1. changing the Windows registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveInterval
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TdxPrematureConnectIndDisabled
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSetting\KeepAliveTimeout
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSetting\ServerInfoTimeout

  2. changing the stunnel config on the client side:

    socket = l:SO_KEEPALIVE=1
    socket = r:SO_KEEPALIVE=1

  3. changing parameters on the Linux server side:

    net.ipv4.tcp_keepalive_time = 60
    net.ipv4.tcp_keepalive_intvl = 30
    net.ipv4.tcp_keepalive_probes = 20

  4. adding the server cert to the stunnel client config;

  5. downgrading and updating stunnel.

--
Gordon Stevenson
Sent from Mail.ru Mail
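The message above tries to keep the NAT mapping alive with SO_KEEPALIVE in stunnel's `socket =` options and with system-wide registry/sysctl timers. The added example below is not part of the original message and is not stunnel code; it shows the same per-socket keepalive settings applied directly from Python, on Windows through SIO_KEEPALIVE_VALS and on Linux/macOS through the TCP_KEEP* socket options, then reads back what the kernel actually holds so a practitioner can verify the timings took effect instead of relying on the OS-wide default (two hours on both Windows and Linux). The timing values mirror the ones in the message (60 s idle, 30 s interval, 20 probes); the helper names are my own.

```python
import socket
import sys

# Keepalive timings (seconds) matching the sysctl values quoted in the message:
# tcp_keepalive_time=60, tcp_keepalive_intvl=30, tcp_keepalive_probes=20.
DEFAULT_IDLE_S = 60
DEFAULT_INTERVAL_S = 30
DEFAULT_PROBES = 20


def enable_keepalive(sock, idle_s=DEFAULT_IDLE_S, interval_s=DEFAULT_INTERVAL_S,
                     probes=DEFAULT_PROBES):
    """Turn on TCP keepalive for one socket and, where the platform allows it,
    pin the timings to this socket so the system-wide defaults do not apply.
    Returns a dict of what was applied (None where the OS offers no knob)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"enabled": True, "idle_s": None, "interval_s": None, "probes": None}

    if sys.platform == "win32":
        # Windows: SIO_KEEPALIVE_VALS takes (onoff, idle_ms, interval_ms).
        # The probe count cannot be set per socket on Windows.
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle_s * 1000, interval_s * 1000))
        applied.update(idle_s=idle_s, interval_s=interval_s)
    else:
        if hasattr(socket, "TCP_KEEPIDLE"):        # Linux
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle_s)
            applied["idle_s"] = idle_s
        elif hasattr(socket, "TCP_KEEPALIVE"):     # macOS spelling of the idle timer
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPALIVE, idle_s)
            applied["idle_s"] = idle_s
        if hasattr(socket, "TCP_KEEPINTVL"):
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval_s)
            applied["interval_s"] = interval_s
        if hasattr(socket, "TCP_KEEPCNT"):
            sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
            applied["probes"] = probes
    return applied


def read_keepalive(sock):
    """Read back the socket's keepalive state. Linux exposes all three timings
    through getsockopt; Windows only exposes the on/off flag (timings are None)."""
    state = {"enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    for opt_name, key in (("TCP_KEEPIDLE", "idle_s"),
                          ("TCP_KEEPINTVL", "interval_s"),
                          ("TCP_KEEPCNT", "probes")):
        opt = getattr(socket, opt_name, None)
        state[key] = sock.getsockopt(socket.IPPROTO_TCP, opt) if opt is not None else None
    return state


def first_probe_after_s(idle_s):
    """Seconds of silence before the first keepalive packet leaves the host.
    This is the number that matters for a NAT/firewall idle timeout: it must be
    shorter than the middlebox's idle limit."""
    return idle_s


def worst_case_detect_s(idle_s, interval_s, probes):
    """Longest a dead peer goes unnoticed: the idle wait plus every probe interval."""
    return idle_s + interval_s * probes


def demo():
    # Constructed demo over loopback; no external network is touched.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    try:
        applied = enable_keepalive(cli)
        observed = read_keepalive(cli)
        return applied, observed
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    applied, observed = demo()
    print("applied :", applied)
    print("observed:", observed)
    print("first probe after", first_probe_after_s(DEFAULT_IDLE_S), "s of silence;",
          "dead peer detected after at most",
          worst_case_detect_s(DEFAULT_IDLE_S, DEFAULT_INTERVAL_S, DEFAULT_PROBES), "s")
```

Two points this makes visible. First, SO_KEEPALIVE=1 alone only switches keepalive on; unless the idle timer is also lowered (per socket as here, or system-wide via KeepAliveTime / tcp_keepalive_time), the first probe is sent after the OS default of two hours, far longer than the observed drop. Second, with the quoted values the first probe goes out after 60 s, which is what keeps a NAT mapping fresh, while a genuinely dead peer is only reported after 60 + 30 × 20 = 660 s; the two effects are governed by different knobs.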