I am using stunnel as a proxy to support SoapUI mock services which are used to test an SSL based application.  The SoapUI and stunnel proxy are running on an AWS Ubuntu 14.04 EC2 Instance communicating to a Tomcat server running on a second AWS Ubuntu 14.04 EC2 Instance.  The target application uses a wildcard SSL Certificate and works successfully when accessed using a desktop browser (Chrome or Firefox).

The issue I am encountering is that the stunnel connection logs a “SSL closed on SSL_read” message as soon as the cipher suite is negotiated as shown in the following stunnel.log:

2016.11.14 21:34:19 LOG7[5287:140430154716992]: Clients allowed=2000
2016.11.14 21:34:19 LOG5[5287:140430154716992]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Compiled with OpenSSL 1.0.1e 11 Feb 2013
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Running  with OpenSSL 1.0.1f 6 Jan 2014
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Update OpenSSL shared libraries or rebuild stunnel
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Compression not enabled
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Snagged 64 random bytes from /home/ubuntu/.rnd
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Wrote 1024 new random bytes to /home/ubuntu/.rnd
2016.11.14 21:34:19 LOG7[5287:140430154716992]: PRNG seeded successfully
2016.11.14 21:34:19 LOG6[5287:140430154716992]: Initializing service section [resourceServer]
2016.11.14 21:34:19 LOG4[5287:140430154716992]: Insecure file permissions on /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Key file: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Private key loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Verify directory set to /etc/ssl/certs
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Added /etc/ssl/certs revocation lookup directory
2016.11.14 21:34:19 LOG7[5287:140430154716992]: SSL options set: 0x00000004
2016.11.14 21:34:19 LOG6[5287:140430154716992]: Initializing service section [tpserver]
2016.11.14 21:34:19 LOG4[5287:140430154716992]: Insecure file permissions on /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Key file: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Private key loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Verify directory set to /etc/ssl/certs
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Added /etc/ssl/certs revocation lookup directory
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Could not load DH parameters from /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Using hardcoded DH parameters
2016.11.14 21:34:19 LOG7[5287:140430154716992]: DH initialized with 2048-bit key
2016.11.14 21:34:19 LOG7[5287:140430154716992]: ECDH initialized with curve prime256v1
2016.11.14 21:34:19 LOG7[5287:140430154716992]: SSL options set: 0x00000004
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Configuration successful
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Service [resourceServer] (FD=12) bound to 127.0.0.1:8080
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Service [tpserver] (FD=13) bound to 127.0.0.1:8444
2016.11.14 21:34:19 LOG7[5293:140430154716992]: Created pid file /var/run/stunnel4.pid
2016.11.14 21:34:25 LOG7[5293:140430154716992]: Service [resourceServer] accepted (FD=3) from 127.0.0.1:41256
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Service [resourceServer] started
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Waiting for a libwrap process
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Acquired libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Releasing libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Released libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Service [resourceServer] permitted by libwrap from 127.0.0.1:41256
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Service [resourceServer] accepted connection from 127.0.0.1:41256
2016.11.14 21:34:25 LOG6[5293:140430154827520]: connect_blocking: connecting 52.43.245.161:8443
2016.11.14 21:34:25 LOG7[5293:140430154827520]: connect_blocking: s_poll_wait 52.43.245.161:8443: waiting 10 seconds
2016.11.14 21:34:25 LOG5[5293:140430154827520]: connect_blocking: connected 52.43.245.161:8443
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Service [resourceServer] connected remote server from 172.31.44.97:34077
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Remote socket (FD=15) initialized
2016.11.14 21:34:25 LOG7[5293:140430154827520]: SNI: host name: 52.43.245.161
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate verification: depth=1, /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted: depth=1, /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate verification: depth=0, /CN=*.greenbuttonalliance.org
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted: depth=0, /CN=*.greenbuttonalliance.org
2016.11.14 21:34:25 LOG6[5293:140430154827520]: SSL connected: new session negotiated
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Negotiated TLSv1/SSLv3 ciphersuite: AES128-SHA (128-bit encryption)
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Compression: null, expansion: null
2016.11.14 21:34:45 LOG7[5293:140430154827520]: SSL closed on SSL_read
2016.11.14 21:34:45 LOG7[5293:140430154827520]: Sent socket write shutdown
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Socket closed on read
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Sending close_notify alert
2016.11.14 21:34:56 LOG6[5293:140430154827520]: SSL_shutdown successfully sent close_notify alert
2016.11.14 21:34:56 LOG5[5293:140430154827520]: Connection closed: 342 byte(s) sent to SSL, 250 byte(s) sent to socket
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Remote socket (FD=15) closed
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Local socket (FD=3) closed
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Service [resourceServer] finished (0 left)

The stunnel.conf file contains the following configuration:

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
CApath = /etc/ssl/certs

; **************************************************************************
; * Logging                                                                *
; **************************************************************************

debug = 7
output = /home/ubuntu/Git/energyos/OpenESPI-GreenButtonCMDTest/SOAPUI/stunnel.log

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

; **************************************************************************
; * Resource Server                                                        *
; **************************************************************************
[resourceServer]
accept=localhost:8080
connect=52.43.245.161:8443
ciphers=AES128-SHA
client = yes
cert=/etc/stunnel/stunnel.pem
verify=0

[tpserver]
accept=127.0.0.1:8444
connect=localhost:8081
cert=/etc/stunnel/stunnel.pem
verify=0
client=no
ciphers=AES128-SHA

Are there any additional stunnel logging options or debugging techniques you can recommend to help determine why the session is being closed? Does stunnel support wildcard based certificates (i.e. *.greenbuttonalliance.org)?

Best regards,

Don

Donald F. Coffin
Technical Manager
Green Button Alliance
2335 Dunwoody Crossing Suite E
Dunwoody, GA 30338-8221
http://www.greenbuttonalliance.org
(949) 636-8571 Mobile
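A small log-triage helper for questions like the one above, added here as an example and not part of the original post or of stunnel itself: it parses the debug-level lines quoted in the message (the sample below is copied from that log) and reports what the client session negotiated, that peer certificate verification was disabled (verify=0), that the SNI value was an IP literal rather than a name the wildcard certificate could match, and which side closed the session and how long after the handshake.

```python
import re
from datetime import datetime

# Constructed input: lines copied from the stunnel log quoted in the post above.
SAMPLE_LOG = """\
2016.11.14 21:34:25 LOG7[5293:140430154827520]: SNI: host name: 52.43.245.161
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG6[5293:140430154827520]: SSL connected: new session negotiated
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Negotiated TLSv1/SSLv3 ciphersuite: AES128-SHA (128-bit encryption)
2016.11.14 21:34:45 LOG7[5293:140430154827520]: SSL closed on SSL_read
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Socket closed on read
2016.11.14 21:34:56 LOG5[5293:140430154827520]: Connection closed: 342 byte(s) sent to SSL, 250 byte(s) sent to socket
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")

def parse_stunnel_log(text):
    """Return (timestamp, level, thread_id, message) for every parsable log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(4), m.group(5)))
    return events

def analyze_session(events):
    """Summarise one client-mode session: what was negotiated, who closed it, and when."""
    info = {"sni_is_ip": None, "cert_verified": True, "cipher": None,
            "secs_open": None, "closed_by": None, "bytes_to_ssl": None, "bytes_to_socket": None}
    t_connected = None
    for ts, _lvl, _tid, msg in events:
        if msg.startswith("SNI: host name: "):
            # An IP literal in SNI can never match a *.example.org wildcard certificate.
            info["sni_is_ip"] = bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", msg.rsplit(": ", 1)[1]))
        elif msg == "CERT: Verification not enabled":
            info["cert_verified"] = False          # verify=0: the peer certificate is not checked at all
        elif "ciphersuite: " in msg:
            info["cipher"] = msg.split("ciphersuite: ")[1].split(" ")[0]
        elif msg.startswith("SSL connected"):
            t_connected = ts
        elif msg == "SSL closed on SSL_read" and info["closed_by"] is None:
            info["closed_by"] = "remote TLS peer"   # SSL_read hit EOF: the server ended the TLS session
            info["secs_open"] = (ts - t_connected).total_seconds() if t_connected else None
        elif msg == "Socket closed on read" and info["closed_by"] is None:
            info["closed_by"] = "local client"      # the plaintext side went away first
        elif msg.startswith("Connection closed: "):
            info["bytes_to_ssl"], info["bytes_to_socket"] = [int(n) for n in re.findall(r"(\d+) byte", msg)]
    return info
```

Run on the quoted log it shows the close came from the TLS peer 20 seconds after the handshake, after 342 bytes had gone to the server and 250 bytes had come back, which points at the HTTP exchange (for instance the Host header or the IP-based SNI the server saw) rather than at the TLS negotiation itself.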