All,
I'm hoping that someone can assist with this.
I'm using Stunnel on 2 different systems: Mac and FC 13 to front-end my web server for a custom database system. It works flawlessly except for uploading large binary files.
The problem comes when trying to upload say a 2.5MB image file. The number of bytes actually transferred to the exec program is usually under 1K or right at about 33K. Using Firefox on Windows works all the time. I can observe the transfer by watching the stunnel.log file. When the data is piped into the openSSL engine, the number of bytes written to socket is being picked up by the exec program and processed so the loss is between the browser and the output side of Stunnel.
The message itself is a multi-part message that is not mime-encoded. The part with the image is set in the boundary properly and contains the JPEG binary. (Thanks to HTTPwatch!)
My Stunnel Version is:
[root@linux log]# stunnel -version stunnel 4.33 on i386-redhat-linux-gnu with OpenSSL 1.0.0a-fips 1 Jun 2010 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
Global options debug = daemon.notice pid = /var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes
Service-level options cert = /etc/stunnel/stunnel.pem ciphers = ALL:!aNULL:!eNULL:!SSLv2 session = 300 seconds stack = 65536 bytes sslVersion = SSLv3 for client, all for server TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none
My configuration file on the Linux box is:
cert = /etc/stunnel/server.crt key = /etc/stunnel/server.key debug = 7 output = /var/log/stunnel.log ;socket = l:SO_LINGER=1:60 ;socket = r:TCP_NODELAY=1 client = no sslVersion = SSLv3 [https] libwrap = no accept = 443 exec = /usr/qmsys/bin/qm execargs = /usr/qmsys/bin/qm -b7 -quiet -aPAVUK "P.HTTP" options = DONT_INSERT_EMPTY_FRAGMENTS TIMEOUTidle = 30 TIMEOUTbusy = 5 TIMEOUTclose = 0
*** A RANDOM SUCCESSFUL TRANSFER *** 2010.10.15 10:03:12 LOG7[946:3078133552]: Service https accepted FD=0 from 24.171.161.99:1998 2010.10.15 10:03:12 LOG7[946:3078241136]: Service https started 2010.10.15 10:03:12 LOG7[946:3078241136]: FD=0 in non-blocking mode 2010.10.15 10:03:12 LOG5[946:3078241136]: Service https accepted connection from 24.171.161.99:1998 2010.10.15 10:03:12 LOG7[946:3078241136]: SSL state (accept): before accept initialization 2010.10.15 10:03:12 LOG7[946:3078241136]: SSL state (accept): SSLv3 read client hello A 2010.10.15 10:03:12 LOG7[946:3078241136]: SSL state (accept): SSLv3 write server hello A 2010.10.15 10:03:12 LOG7[946:3078241136]: SSL state (accept): SSLv3 write change cipher spec A 2010.10.15 10:03:12 LOG7[946:3078241136]: SSL state (accept): SSLv3 write finished A 2010.10.15 10:03:12 LOG7[946:3078241136]: SSL state (accept): SSLv3 flush data 2010.10.15 10:03:12 LOG7[946:3078241136]: SSL state (accept): SSLv3 read finished A 2010.10.15 10:03:12 LOG7[946:3078241136]: 8 items in the session cache 2010.10.15 10:03:12 LOG7[946:3078241136]: 0 client connects (SSL_connect()) 2010.10.15 10:03:12 LOG7[946:3078241136]: 0 client connects that finished 2010.10.15 10:03:12 LOG7[946:3078241136]: 0 client renegotiations requested 2010.10.15 10:03:12 LOG7[946:3078241136]: 35 server connects (SSL_accept()) 2010.10.15 10:03:12 LOG7[946:3078241136]: 35 server connects that finished 2010.10.15 10:03:12 LOG7[946:3078241136]: 0 server renegotiations requested 2010.10.15 10:03:12 LOG7[946:3078241136]: 27 session cache hits
2010.10.15 10:03:12 LOG7[946:3078241136]: 0 external session cache hits 2010.10.15 10:03:12 LOG7[946:3078241136]: 0 session cache misses 2010.10.15 10:03:12 LOG7[946:3078241136]: 0 session cache timeouts 2010.10.15 10:03:12 LOG6[946:3078241136]: SSL accepted: previous session reused 2010.10.15 10:03:12 LOG6[946:3078241136]: Local mode child started (PID=1179) 2010.10.15 10:03:12 LOG7[946:3078241136]: Remote FD=13 initialized 2010.10.15 10:03:13 LOG7[946:3078241136]: Socket closed on read 2010.10.15 10:03:13 LOG7[946:3078241136]: SSL write shutdown 2010.10.15 10:03:13 LOG7[946:3078241136]: SSL alert (write): warning: close notify 2010.10.15 10:03:13 LOG6[946:3078241136]: SSL_shutdown successfully sent close_notify 2010.10.15 10:03:13 LOG6[946:3078241136]: s_poll_wait timeout: connection close 2010.10.15 10:03:13 LOG5[946:3078241136]: Connection closed: 2895 bytes sent to SSL, 2469539 bytes sent to socket 2010.10.15 10:03:13 LOG7[946:3078241136]: Service https finished (0 left) 2010.10.15 10:03:13 LOG7[946:3078133552]: Cleaning up the signal pipe 2010.10.15 10:03:13 LOG6[946:3078133552]: Child process 1179 finished with code 0 2010.10.15 10:03:13 LOG7[946:3078133552]: Signal pipe is empty
*** MOST OF THE TIME - AN UNSUCCESSFUL TRANSFER ***
2010.10.15 10:05:01 LOG7[946:3078133552]: Service https accepted FD=0 from 24.171.161.99:1985 2010.10.15 10:05:01 LOG7[946:3077921648]: Service https started 2010.10.15 10:05:01 LOG7[946:3077921648]: FD=0 in non-blocking mode 2010.10.15 10:05:01 LOG5[946:3077921648]: Service https accepted connection from 24.171.161.99:1985 2010.10.15 10:05:01 LOG7[946:3077921648]: SSL state (accept): before/ accept initialization 2010.10.15 10:05:01 LOG7[946:3077921648]: SSL state (accept): SSLv3 read client hello A 2010.10.15 10:05:01 LOG7[946:3077921648]: SSL state (accept): SSLv3 write server hello A 2010.10.15 10:05:01 LOG7[946:3077921648]: SSL state (accept): SSLv3 write change cipher spec A 2010.10.15 10:05:01 LOG7[946:3077921648]: SSL state (accept): SSLv3 write finished A 2010.10.15 10:05:01 LOG7[946:3077921648]: SSL state (accept): SSLv3 flush data 2010.10.15 10:05:01 LOG7[946:3077921648]: SSL state (accept): SSLv3 read finished A 2010.10.15 10:05:01 LOG7[946:3077921648]: 9 items in the session cache 2010.10.15 10:05:01 LOG7[946:3077921648]: 0 client connects (SSL_connect()) 2010.10.15 10:05:01 LOG7[946:3077921648]: 0 client connects that finished 2010.10.15 10:05:01 LOG7[946:3077921648]: 0 client renegotiations requested 2010.10.15 10:05:01 LOG7[946:3077921648]: 44 server connects (SSL_accept()) 2010.10.15 10:05:01 LOG7[946:3077921648]: 44 server connects that finished 2010.10.15 10:05:01 LOG7[946:3077921648]: 0 server renegotiations requested 2010.10.15 10:05:01 LOG7[946:3077921648]: 35 session cache hits 2010.10.15 10:05:01 LOG7[946:3077921648]: 0 external session cache hits 2010.10.15 10:05:01 LOG7[946:3077921648]: 0 session cache misses 2010.10.15 10:05:01 LOG7[946:3077921648]: 0 session cache timeouts 2010.10.15 10:05:01 LOG6[946:3077921648]: SSL accepted: previous session reused 2010.10.15 10:05:01 LOG6[946:3077921648]: Local mode child started (PID=1213) 2010.10.15 10:05:01 LOG7[946:3077921648]: Remote FD=13 initialized 2010.10.15 10:05:04 LOG7[946:3077921648]: Socket closed on read 2010.10.15 10:05:04 LOG7[946:3077921648]: SSL write shutdown 2010.10.15 10:05:04 LOG7[946:3077921648]: SSL alert (write): warning: close notify 2010.10.15 10:05:04 LOG6[946:3077921648]: SSL_shutdown successfully sent close_notify 2010.10.15 10:05:04 LOG6[946:3077921648]: s_poll_wait timeout: connection close 2010.10.15 10:05:04 LOG5[946:3077921648]: Connection closed: 2895 bytes sent to SSL, 66703 bytes sent to socket 2010.10.15 10:05:04 LOG7[946:3077921648]: Service https finished (0 left) 2010.10.15 10:05:04 LOG7[946:3078133552]: Cleaning up the signal pipe 2010.10.15 10:05:04 LOG6[946:3078133552]: Child process 1213 finished with code 0 2010.10.15 10:05:04 LOG7[946:3078133552]: Signal pipe is empty
***
All test cases are the same upload of the same image file. In all tests the number of bytes sent to socket matches what the exec program is receiving in its pipe.
My feeling is that there is a connection issue between the browser and Stunnel. The successful upload of the test occurs sometimes with all browsers and appears to always work with Firefox for Windows. It has a 90% failure rate on Safari for Windows, Safari for Mac, Opera for Windows, Opera for Mac, etc.
In all cases of testing, the number of bytes "sent to socket" is received by my exec program and consists of a truncated message from the browser. It appears that the data is simply being truncated somewhere in the Stunnel process.
Any help is always appreciated! If there are more tests to be run to track down the problem, please advise and I will run them.
Regards,
Bill
Bill Crowell, President Pavuk Technologies, LLC PO Box 33097 Charlotte, NC 28233-3097 Office +1 704.248.0024 Mobile +1 704.607.6077 Skype pavuk.com