Hi
I have a strange issue with stunnel 5.09 – which connects up to a F5 loadbalancer/SSL-offloading engine. In my config, I specify that the protocol must be TLSv1 – from Linux, I can connect – but it does not work from
Windows..
Linux log:
2015.02.10 15:58:29 LOG7[22779]: Service [rb20] accepted (FD=3) from 127.0.0.1:33247
2015.02.10 15:58:29 LOG7[22887]: Service [rb20] started
2015.02.10 15:58:29 LOG5[22887]: Service [rb20] accepted connection from 127.0.0.1:33247
2015.02.10 15:58:29 LOG6[22887]: s_connect: connecting A.B.C.D:443
2015.02.10 15:58:29 LOG7[22887]: s_connect: s_poll_wait A.B.C.D:443: waiting 10 seconds
2015.02.10 15:58:29 LOG5[22887]: s_connect: connected A.B.C.D:443
2015.02.10 15:58:29 LOG5[22887]: Service [rb20] connected remote server from 10.11.12.101:33477
2015.02.10 15:58:29 LOG7[22887]: Remote socket (FD=11) initialized
2015.02.10 15:58:29 LOG6[22887]: SNI: sending servername: host.domain.com
2015.02.10 15:58:29 LOG7[22887]: SSL state (connect): before/connect initialization
2015.02.10 15:58:29 LOG7[22887]: SSL state (connect): SSLv3 write client hello A
2015.02.10 15:58:29 LOG7[22887]: SSL state (connect): SSLv3 read server hello A
2015.02.10 15:58:29 LOG7[22887]: SSL state (connect): SSLv3 read finished A
2015.02.10 15:58:29 LOG7[22887]: SSL state (connect): SSLv3 write change cipher spec A
2015.02.10 15:58:29 LOG7[22887]: SSL state (connect): SSLv3 write finished A
2015.02.10 15:58:29 LOG7[22887]: SSL state (connect): SSLv3 flush data
2015.02.10 15:58:29 LOG7[22887]: 1 items in the session cache
2015.02.10 15:58:29 LOG7[22887]: 5 client connects (SSL_connect())
2015.02.10 15:58:29 LOG7[22887]: 5 client connects that finished
2015.02.10 15:58:29 LOG7[22887]: 0 client renegotiations requested
2015.02.10 15:58:29 LOG7[22887]: 0 server connects (SSL_accept())
2015.02.10 15:58:29 LOG7[22887]: 0 server connects that finished
2015.02.10 15:58:29 LOG7[22887]: 0 server renegotiations requested
2015.02.10 15:58:29 LOG7[22887]: 4 session cache hits
2015.02.10 15:58:29 LOG7[22887]: 0 external session cache hits
2015.02.10 15:58:29 LOG7[22887]: 0 session cache misses
2015.02.10 15:58:29 LOG7[22887]: 0 session cache timeouts
2015.02.10 15:58:29 LOG6[22887]: SSL connected: previous session reused
2015.02.10 15:58:29 LOG7[22779]: Service [rb20] accepted (FD=12) from 127.0.0.1:33249
2015.02.10 15:58:29 LOG6[22887]: Read socket closed (read hangup)
2015.02.10 15:58:29 LOG7[22887]: Sending close_notify alert
2015.02.10 15:58:29 LOG7[22887]: SSL alert (write): warning: close notify
2015.02.10 15:58:29 LOG6[22887]: SSL_shutdown successfully sent close_notify alert
2015.02.10 15:58:29 LOG7[22888]: Service [rb20] started
2015.02.10 15:58:29 LOG5[22888]: Service [rb20] accepted connection from 127.0.0.1:33249
2015.02.10 15:58:29 LOG6[22888]: s_connect: connecting A.B.C.D:443
2015.02.10 15:58:29 LOG7[22888]: s_connect: s_poll_wait A.B.C.D:443: waiting 10 seconds
2015.02.10 15:58:29 LOG5[22888]: s_connect: connected A.B.C.D:443
2015.02.10 15:58:29 LOG5[22888]: Service [rb20] connected remote server from 10.11.12.101:33479
2015.02.10 15:58:29 LOG7[22888]: Remote socket (FD=13) initialized
2015.02.10 15:58:29 LOG6[22888]: SNI: sending servername: ssl39.dmsave.com
2015.02.10 15:58:29 LOG7[22888]: SSL state (connect): before/connect initialization
2015.02.10 15:58:29 LOG7[22888]: SSL state (connect): SSLv3 write client hello A
2015.02.10 15:58:29 LOG6[22887]: SSL socket closed (SSL_read)
2015.02.10 15:58:29 LOG7[22887]: Sent socket write shutdown
2015.02.10 15:58:29 LOG5[22887]: Connection closed: 136 byte(s) sent to SSL, 52 byte(s) sent to socket
2015.02.10 15:58:29 LOG7[22887]: Remote socket (FD=11) closed
2015.02.10 15:58:29 LOG7[22887]: Local socket (FD=3) closed
2015.02.10 15:58:29 LOG7[22887]: Service [rb20] finished (1 left)
2015.02.10 15:58:29 LOG7[22888]: SSL state (connect): SSLv3 read server hello A
2015.02.10 15:58:29 LOG7[22888]: SSL state (connect): SSLv3 read finished A
2015.02.10 15:58:29 LOG7[22888]: SSL state (connect): SSLv3 write change cipher spec A
2015.02.10 15:58:29 LOG7[22888]: SSL state (connect): SSLv3 write finished A
2015.02.10 15:58:29 LOG7[22888]: SSL state (connect): SSLv3 flush data
2015.02.10 15:58:29 LOG7[22888]: 1 items in the session cache
2015.02.10 15:58:29 LOG7[22888]: 6 client connects (SSL_connect())
2015.02.10 15:58:29 LOG7[22888]: 6 client connects that finished
2015.02.10 15:58:29 LOG7[22888]: 0 client renegotiations requested
2015.02.10 15:58:29 LOG7[22888]: 0 server connects (SSL_accept())
2015.02.10 15:58:29 LOG7[22888]: 0 server connects that finished
2015.02.10 15:58:29 LOG7[22888]: 0 server renegotiations requested
2015.02.10 15:58:29 LOG7[22888]: 5 session cache hits
2015.02.10 15:58:29 LOG7[22888]: 0 external session cache hits
2015.02.10 15:58:29 LOG7[22888]: 0 session cache misses
2015.02.10 15:58:29 LOG7[22888]: 0 session cache timeouts
2015.02.10 15:58:29 LOG6[22888]: SSL connected: previous session reused
Windows log:
2015.02.10 16:07:36 LOG7[9528]: Service [rb20] accepted (FD=1128) from 127.0.0.1:50353
2015.02.10 16:07:36 LOG7[9528]: Creating a new thread
2015.02.10 16:07:36 LOG7[9528]: New thread created
2015.02.10 16:07:36 LOG7[7056]: Service [rb20] started
2015.02.10 16:07:36 LOG5[7056]: Service [rb20] accepted connection from 127.0.0.1:50353
2015.02.10 16:07:36 LOG6[7056]: s_connect: connecting A.B.C.D:443
2015.02.10 16:07:36 LOG7[7056]: s_connect: s_poll_wait A.B.C.D:443: waiting 10 seconds
2015.02.10 16:07:36 LOG5[7056]: s_connect: connected A.B.C.D:443
2015.02.10 16:07:36 LOG5[7056]: Service [rb20] connected remote server from 192.168.225.103:50354
2015.02.10 16:07:36 LOG7[7056]: Remote socket (FD=1124) initialized
2015.02.10 16:07:36 LOG6[7056]: SNI: sending servername: host.domain.com
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): before/connect initialization
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 write client hello A
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 read server hello A
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 read server certificate A
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 read server done A
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 write client key exchange A
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 write change cipher spec A
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 write finished A
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 flush data
2015.02.10 16:07:36 LOG7[7056]: SSL state (connect): SSLv3 read finished A
2015.02.10 16:07:36 LOG7[7056]: 1 items in the session cache
2015.02.10 16:07:36 LOG7[7056]: 1 client connects (SSL_connect())
2015.02.10 16:07:36 LOG7[7056]: 1 client connects that finished
2015.02.10 16:07:36 LOG7[7056]: 0 client renegotiations requested
2015.02.10 16:07:36 LOG7[7056]: 0 server connects (SSL_accept())
2015.02.10 16:07:36 LOG7[7056]: 0 server connects that finished
2015.02.10 16:07:36 LOG7[7056]: 0 server renegotiations requested
2015.02.10 16:07:36 LOG7[7056]: 0 session cache hits
2015.02.10 16:07:36 LOG7[7056]: 0 external session cache hits
2015.02.10 16:07:36 LOG7[7056]: 0 session cache misses
2015.02.10 16:07:36 LOG7[7056]: 0 session cache timeouts
2015.02.10 16:07:36 LOG7[7056]: Peer certificate was cached (1521 bytes)
2015.02.10 16:07:36 LOG6[7056]: SSL connected: new session negotiated
2015.02.10 16:07:36 LOG6[7056]: Negotiated TLSv1 ciphersuite RC4-MD5 (128-bit encryption)
2015.02.10 16:07:36 LOG7[7056]: Compression: null, expansion: null
2015.02.10 16:07:36 LOG6[7056]: Read socket closed (readsocket)
2015.02.10 16:07:36 LOG7[7056]: Sending close_notify alert
2015.02.10 16:07:36 LOG7[7056]: SSL alert (write): warning: close notify
2015.02.10 16:07:36 LOG6[7056]: SSL_shutdown successfully sent close_notify alert
2015.02.10 16:07:36 LOG7[9528]: Service [rb20] accepted (FD=1132) from 127.0.0.1:50355
2015.02.10 16:07:36 LOG7[9528]: Creating a new thread
2015.02.10 16:07:36 LOG7[9528]: New thread created
2015.02.10 16:07:36 LOG7[2164]: Service [rb20] started
2015.02.10 16:07:36 LOG5[2164]: Service [rb20] accepted connection from 127.0.0.1:50355
2015.02.10 16:07:36 LOG6[2164]: s_connect: connecting A.B.C.D:443
2015.02.10 16:07:36 LOG7[2164]: s_connect: s_poll_wait A.B.C.D:443: waiting 10 seconds
2015.02.10 16:07:36 LOG5[2164]: s_connect: connected A.B.C.D:443
2015.02.10 16:07:36 LOG5[2164]: Service [rb20] connected remote server from 192.168.225.103:50356
2015.02.10 16:07:36 LOG7[2164]: Remote socket (FD=1152) initialized
2015.02.10 16:07:36 LOG6[2164]: SNI: sending servername: host.domain.com
2015.02.10 16:07:36 LOG7[2164]: SSL state (connect): before/connect initialization
2015.02.10 16:07:36 LOG7[2164]: SSL state (connect): SSLv3 write client hello A
2015.02.10 16:07:36 LOG6[7056]: SSL socket closed (SSL_read)
2015.02.10 16:07:36 LOG7[7056]: Sent socket write shutdown
2015.02.10 16:07:36 LOG5[7056]: Connection closed: 89 byte(s) sent to SSL, 52 byte(s) sent to socket
2015.02.10 16:07:36 LOG7[7056]: Remote socket (FD=1124) closed
2015.02.10 16:07:36 LOG7[7056]: Local socket (FD=1128) closed
2015.02.10 16:07:36 LOG7[7056]: Service [rb20] finished (1 left)
The main difference I can see, is that on Linux I get:
2015.02.10 15:58:29 LOG6[22887]: SSL connected: previous session reused
Whereas Windows gives me:
2015.02.10 16:07:36 LOG7[7056]: Peer certificate was cached (1521 bytes)
2015.02.10 16:07:36 LOG6[7056]: SSL connected: new session negotiated
Any idea why this happens ? The final result is that connections are possible from linux – but not Windows – and this is a problem for me…
Regards
/Brian