Hello,

We recently implemented Stunnel on CentOS 5.6 for SSL offloading for our Java application. The application has applets that communicate Java objects over HTTPS to a Tomcat server on the server side. We have it set up in front of our Alteon/Radware load balancer. This hardware load balancer is capable of SSL load balancing, but has produced a very specific packet reset that only presents itself in SSL processing. We decided to implement Stunnel in front of this load balancer to fix this problem. SSL offloading was working great with Stunnel until we ran into Java 7. If I run any version of our applets on Java 6 they work. If I run them on Java 7 they do not work.

I have tried Googling and looking for this error, but I have only found some references to SNI... Is this correct? Is there anything I can do?

Please forgive me if I have omitted any details. I will be more than happy to include a packet capture or other details if needed.

I compiled stunnel with the following options:
./configure --disable-libwrap --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc --with-ssl=/usr/local/ssl

I also compiled OpenSSL 1.0.0d with the following:
./Configure threads shared linux-generic64

stunnel -version
No limit detected for the number of clients
signal_pipe: FD=3 allocated (non-blocking mode)
signal_pipe: FD=4 allocated (non-blocking mode)
stunnel 4.42 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0d 8 Feb 2011
Threading:PTHREAD SSL:ENGINE Auth:none Sockets:POLL,IPv6
stunnel 4.42 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0d 8 Feb 2011
Threading:PTHREAD SSL:ENGINE Auth:none Sockets:POLL,IPv6

Global option defaults
debug           = daemon.notice
pid             = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level option defaults
ciphers         = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH
curve           = prime256v1
session         = 300 seconds
sslVersion      = TLSv1 for client, all for server
stack           = 65536 bytes
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none
str_stats: 112 block(s), 4046 byte(s)


stunnel.conf
cert=/etc/stunnel/stunnel.pem
debug=7
output=/var/log/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
[https]
accept=0.0.0.0:443
connect=172.16.18.100:80
session         = 300
TIMEOUTbusy     = 300
TIMEOUTconnect  = 10
TIMEOUTidle     = 43200
client          = no


stunnel.log
2011.08.22 16:58:49 LOG7[438154:47689394220768]: Service https accepted FD=2 from 10.0.11.27:46830
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https started
2011.08.22 16:58:49 LOG7[438154:1104877888]: Option TCP_NODELAY set on local socket
2011.08.22 16:58:49 LOG5[438154:1104877888]: Service https accepted connection from 10.0.11.27:46830
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): before/accept initialization
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 read client hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write server hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write key exchange A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate request A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 flush data
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL alert (read): fatal: internal error
2011.08.22 16:58:49 LOG3[438154:1104877888]: SSL_accept: 14094438: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
2011.08.22 16:58:49 LOG5[438154:1104877888]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https finished (1 left)
2011.08.22 16:58:49 LOG7[438154:1104877888]: str_stats: 0 block(s), 0 byte(s)
2011.08.22 16:59:01 LOG7[438154:1104947520]: Socket closed on read
2011.08.22 16:59:01 LOG7[438154:1104947520]: Sending SSL write shutdown
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (write): warning: close notify
2011.08.22 16:59:01 LOG6[438154:1104947520]: SSL_shutdown successfully sent close_notify
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (read): warning: close notify
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL closed on SSL_read
2011.08.22 16:59:01 LOG7[438154:1104947520]: Sending socket write shutdown
2011.08.22 16:59:01 LOG5[438154:1104947520]: Connection closed: 49445 bytes sent to SSL, 8175 bytes sent to socket

--

Thank You,
Andrew Heuneman
Senior Systems Administrator
Reading Plus®/Taylor Associates

Helping students become proficient silent readers.
<http://twitter.com/readingplus>
<http://www.facebook.com/pages/Reading-Plus/165970877038>
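When a handshake fails the way the log above shows (the server finishes its flight with "flush data" and the client answers with a fatal alert), the useful thing to pull out of a busy debug=7 log is, per connection, how far the handshake got and which alert or OpenSSL error ended it. The following summarizer is an added example, not code from the original post or from stunnel: it groups stunnel 4.x log lines by their [pid:thread] tag and reports the last SSL state, any fatal alert, the SSL_accept error string and the final byte counts. The sample lines in SAMPLE_LOG are constructed after the ones in the post (the successful connection's "accepted connection" line is made up so that it has a peer).

```python
"""Summarize TLS handshake outcomes from a stunnel 4.x debug log (debug=7).

Added example; not part of the original post or of stunnel itself.
Lines are grouped by stunnel's [pid:thread] tag so that one summary is
produced per connection thread.
"""
import re
from collections import OrderedDict

# stunnel 4.x log line: "YYYY.MM.DD HH:MM:SS LOG<level>[pid:tid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"accepted connection from (?P<peer>[\d.]+:\d+)")
STATE_RE = re.compile(r"SSL state \((?:accept|connect)\): (?P<state>.*)")
ALERT_RE = re.compile(r"SSL alert \(read\): fatal: (?P<alert>.*)")
ERROR_RE = re.compile(r"SSL_(?:accept|connect): [0-9A-Fa-f]+: (?P<error>error:.*)")
CLOSED_RE = re.compile(
    r"Connection (?P<how>closed|reset): (?P<to_ssl>\d+) bytes sent to SSL, "
    r"(?P<to_sock>\d+) bytes sent to socket"
)

# Constructed sample, modeled on the log in the post: one failing Java 7
# handshake and one connection that completed and was closed normally.
SAMPLE_LOG = """\
2011.08.22 16:58:49 LOG7[438154:47689394220768]: Service https accepted FD=2 from 10.0.11.27:46830
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https started
2011.08.22 16:58:49 LOG5[438154:1104877888]: Service https accepted connection from 10.0.11.27:46830
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): before/accept initialization
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 read client hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write server hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write key exchange A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write certificate request A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 flush data
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL alert (read): fatal: internal error
2011.08.22 16:58:49 LOG3[438154:1104877888]: SSL_accept: 14094438: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
2011.08.22 16:58:49 LOG5[438154:1104877888]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https finished (1 left)
2011.08.22 16:58:40 LOG5[438154:1104947520]: Service https accepted connection from 10.0.11.31:51022
2011.08.22 16:58:40 LOG7[438154:1104947520]: SSL state (accept): SSL negotiation finished successfully
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (read): warning: close notify
2011.08.22 16:59:01 LOG5[438154:1104947520]: Connection closed: 49445 bytes sent to SSL, 8175 bytes sent to socket
"""


def _new_conn(tid):
    return {"tid": tid, "peer": None, "last_state": None, "alert": None,
            "error": None, "outcome": None, "bytes_to_ssl": 0, "bytes_to_socket": 0}


def summarize(lines):
    """Return one summary dict per connection thread, in first-seen order.

    Only threads that log a peer, an SSL state, an alert, an error or a
    close line get an entry; the listening thread's "accepted FD=..." line
    is ignored, so the accept-loop thread does not show up as a connection.
    """
    conns = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-stunnel line
        tid, msg = m.group("tid"), m.group("msg")
        pm, sm, am = PEER_RE.search(msg), STATE_RE.search(msg), ALERT_RE.search(msg)
        em, cm = ERROR_RE.search(msg), CLOSED_RE.search(msg)
        if not (pm or sm or am or em or cm):
            continue
        c = conns.setdefault(tid, _new_conn(tid))
        if pm:
            c["peer"] = pm.group("peer")
        elif sm:
            c["last_state"] = sm.group("state")
        elif am:
            c["alert"] = am.group("alert")
        elif em:
            c["error"] = em.group("error")
        elif cm:
            c["outcome"] = cm.group("how")
            c["bytes_to_ssl"] = int(cm.group("to_ssl"))
            c["bytes_to_socket"] = int(cm.group("to_sock"))
    return list(conns.values())


def handshake_failures(summaries):
    """Connections that ended with a fatal alert or SSL error before any payload flowed."""
    return [c for c in summaries
            if (c["alert"] or c["error"]) and c["bytes_to_ssl"] == 0 and c["bytes_to_socket"] == 0]


if __name__ == "__main__":
    for c in summarize(SAMPLE_LOG.splitlines()):
        print("%s peer=%s last_state=%r alert=%r outcome=%s ssl=%d sock=%d" % (
            c["tid"], c["peer"], c["last_state"], c["alert"],
            c["outcome"], c["bytes_to_ssl"], c["bytes_to_socket"]))
    print("handshake failures:", [c["peer"] for c in handshake_failures(summarize(SAMPLE_LOG.splitlines()))])
```

Run it against a real log with `summarize(open("/var/log/stunnel.log").readlines())`; filtering the failures by peer address is then enough to check whether every failing connection comes from Java 7 clients and stops at the same state, which is the first thing a capture or a bug report should establish.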