Hello all,
I am using stunnel in order to send encrypted http request/response messages to an external system called Tradeweb. Our python program sends the message to stunnel and stunnel sends it to Tradeweb through a proxy.
My version of stunnel is the following
stunnel 4.35 on sparc-sun-solaris2.10 with OpenSSL 0.9.8r 8 Feb 2011
and it has been installed in a Solaris 10 operating system.
My configuration file looks like this
CAfile=/home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer
client=yes
verify=2
debug=7
output=stunnel.log
[TradeXpress]
# Port on which STUNNEL listens for local connections
accept=stunnelserveripaddress:17000
# Destination address and port of TW data-center
libwrap=no
connect=proxyipaddress:80
protocol=connect
protocolHost=tradewebipaddress:443
I have a python program that sends a http post message to stunnel. When I send the message I can see the following in the log (see below)
The message gets to the other end (tradeweb system), but it looks like the encryption does not work properly.
The relevant lines of the log are (see full log below)
2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate
2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket
Do you know what is the problem?
Thank you,
Julian
2011.03.14 18:23:54 LOG5[6083:1]: Reading configuration from file stunnel.conf
2011.03.14 18:23:54 LOG7[6083:1]: Snagged 64 random bytes from /home/usr/vptfk/.rnd
2011.03.14 18:23:54 LOG7[6083:1]: Wrote 1024 new random bytes to /home/usr/vptfk/.rnd
2011.03.14 18:23:54 LOG7[6083:1]: PRNG seeded successfully
2011.03.14 18:23:54 LOG7[6083:1]: Loaded verify certificates from /home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer
2011.03.14 18:23:54 LOG7[6083:1]: Loaded /home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer revocation lookup file
2011.03.14 18:23:54 LOG7[6083:1]: SSL context initialized for service TradeXpress
2011.03.14 18:23:54 LOG5[6083:1]: Configuration successful
2011.03.14 18:23:54 LOG5[6083:1]: No limit detected for the number of clients
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=8 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=9 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: signal_pipe: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: signal_pipe: FD=10 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: accept socket: FD=11 allocated (non-blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: Option SO_REUSEADDR set on accept socket
2011.03.14 18:23:54 LOG7[6083:1]: Service TradeXpress bound to 0.0.0.0:17000
2011.03.14 18:23:54 LOG7[6083:1]: Service TradeXpress opened FD=11
2011.03.14 18:23:54 LOG7[6089:1]: Created pid file /home/aps/tfk/stunnel/var/run/stunnel/stunnel.pid
2011.03.14 18:23:54 LOG5[6089:1]: stunnel 4.35 on sparc-sun-solaris2.10 with OpenSSL 0.9.8r 8 Feb 2011
2011.03.14 18:23:54 LOG5[6089:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.03.14 18:23:54 LOG7[6089:1]: Dispatching signals from the signal pipe
2011.03.14 18:23:54 LOG7[6089:1]: Signal pipe is empty
2011.03.14 18:24:19 LOG7[6089:1]: local socket: FD=0 allocated (non-blocking mode)
2011.03.14 18:24:19 LOG7[6089:1]: Service TradeXpress accepted FD=0 from stunnelserveripaddress:61449
2011.03.14 18:24:19 LOG7[6089:2]: Service TradeXpress started
2011.03.14 18:24:19 LOG5[6089:2]: Service TradeXpress accepted connection from stunnelserveripaddress:61449
2011.03.14 18:24:19 LOG7[6089:2]: remote socket: FD=1 allocated (non-blocking mode)
2011.03.14 18:24:19 LOG6[6089:2]: connect_blocking: connecting proxyipaddress:80
2011.03.14 18:24:19 LOG7[6089:2]: connect_blocking: s_poll_wait proxyipaddress:80: waiting 10 seconds
2011.03.14 18:24:19 LOG5[6089:2]: connect_blocking: connected proxyipaddress:80
2011.03.14 18:24:19 LOG5[6089:2]: Service TradeXpress connected remote server from stunnelserveripaddress:61450
2011.03.14 18:24:19 LOG7[6089:2]: Remote FD=1 initialized
2011.03.14 18:24:19 LOG5[6089:2]: Negotiations for connect (client side) started
2011.03.14 18:24:19 LOG7[6089:2]: -> CONNECT tradewebipaddress:443 HTTP/1.1
2011.03.14 18:24:19 LOG7[6089:2]: -> Host: tradewebipaddress:443
2011.03.14 18:24:19 LOG7[6089:2]: ->
2011.03.14 18:24:19 LOG7[6089:2]: <- HTTP/1.1 200 Connection established
2011.03.14 18:24:19 LOG6[6089:2]: CONNECT request accepted
2011.03.14 18:24:19 LOG7[6089:2]: <-
2011.03.14 18:24:19 LOG5[6089:2]: Protocol negotiations succeeded
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): before/connect initialization
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client hello A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server hello A
2011.03.14 18:24:19 LOG7[6089:2]: Starting certificate verification: depth=1, /C=US/ST=New York/L=New York/O=TradeWeb LLC - The Online Bond Markets/OU=Network Administration/CN=TradeWeb LLC - The Online Bond Markets/emailAddress=bruce.mackinnon@tradeweb.c
2011.03.14 18:24:19 LOG5[6089:2]: Certificate accepted: depth=1, /C=US/ST=New York/L=New York/O=TradeWeb LLC - The Online Bond Markets/OU=Network Administration/CN=TradeWeb LLC - The Online Bond Markets/emailAddress=bruce.mackinnon@tradeweb.com
2011.03.14 18:24:19 LOG7[6089:2]: Starting certificate verification: depth=0, /C=US/ST=New Jersey/L=Jersey City/O=TradeWeb LLC - The Online Bond Markets/OU=STP Production/CN=62.189.50.234
2011.03.14 18:24:19 LOG5[6089:2]: Certificate accepted: depth=0, /C=US/ST=New Jersey/L=Jersey City/O=TradeWeb LLC - The Online Bond Markets/OU=STP Production/CN=62.189.50.234
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate request A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server done A
2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client certificate A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client key exchange A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write change cipher spec A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write finished A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 flush data
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read finished A
2011.03.14 18:24:19 LOG7[6089:2]: 0 items in the session cache
2011.03.14 18:24:19 LOG7[6089:2]: 1 client connects (SSL_connect())
2011.03.14 18:24:19 LOG7[6089:2]: 1 client connects that finished
2011.03.14 18:24:19 LOG7[6089:2]: 0 client renegotiations requested
2011.03.14 18:24:19 LOG7[6089:2]: 0 server connects (SSL_accept())
2011.03.14 18:24:19 LOG7[6089:2]: 0 server connects that finished
2011.03.14 18:24:19 LOG7[6089:2]: 0 server renegotiations requested
2011.03.14 18:24:19 LOG7[6089:2]: 0 session cache hits
2011.03.14 18:24:19 LOG7[6089:2]: 0 external session cache hits
2011.03.14 18:24:19 LOG7[6089:2]: 0 session cache misses
2011.03.14 18:24:19 LOG7[6089:2]: 0 session cache timeouts
2011.03.14 18:24:19 LOG6[6089:2]: SSL connected: new session negotiated
2011.03.14 18:24:19 LOG6[6089:2]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket
2011.03.14 18:29:25 LOG7[6089:2]: Service TradeXpress finished (0 left)
RAMIREZ Julián
Technical Consultant
Wall Street Systems http://www.wallstreetsystems.com/ - Empowering Treasury, Trading and Settlement