Hello all,

I am using stunnel in order to send encrypted HTTP request/response messages to an external system called Tradeweb. Our Python program sends the message to stunnel and stunnel sends it to Tradeweb through a proxy.

My version of stunnel is the following:

stunnel 4.35 on sparc-sun-solaris2.10 with OpenSSL 0.9.8r 8 Feb 2011

and it has been installed on a Solaris 10 operating system.

My configuration file looks like this:

CAfile=/home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer
client=yes
verify=2
debug=7
output=stunnel.log

[TradeXpress]
# Port on which STUNNEL listens for local connections
accept=stunnelserveripaddress:17000
# Destination address and port of TW data-center
libwrap=no
connect=proxyipaddress:80
protocol=connect
protocolHost=tradewebipaddress:443

I have a Python program that sends an HTTP POST message to stunnel. When I send the message I can see the following in the log (see below).

The message gets to the other end (Tradeweb system), but it looks like the encryption does not work properly.

The relevant lines of the log are (see full log below):

2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate

2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket

Do you know what the problem is?

Thank you,

  Julian


2011.03.14 18:23:54 LOG5[6083:1]: Reading configuration from file stunnel.conf
2011.03.14 18:23:54 LOG7[6083:1]: Snagged 64 random bytes from /home/usr/vptfk/.rnd
2011.03.14 18:23:54 LOG7[6083:1]: Wrote 1024 new random bytes to /home/usr/vptfk/.rnd
2011.03.14 18:23:54 LOG7[6083:1]: PRNG seeded successfully
2011.03.14 18:23:54 LOG7[6083:1]: Loaded verify certificates from /home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer
2011.03.14 18:23:54 LOG7[6083:1]: Loaded /home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer revocation lookup file
2011.03.14 18:23:54 LOG7[6083:1]: SSL context initialized for service TradeXpress
2011.03.14 18:23:54 LOG5[6083:1]: Configuration successful
2011.03.14 18:23:54 LOG5[6083:1]: No limit detected for the number of clients
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=5 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=6 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=7 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=8 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=9 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: libwrap_init: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: signal_pipe: FD=4 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: signal_pipe: FD=10 allocated (blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: accept socket: FD=11 allocated (non-blocking mode)
2011.03.14 18:23:54 LOG7[6083:1]: Option SO_REUSEADDR set on accept socket
2011.03.14 18:23:54 LOG7[6083:1]: Service TradeXpress bound to 0.0.0.0:17000
2011.03.14 18:23:54 LOG7[6083:1]: Service TradeXpress opened FD=11
2011.03.14 18:23:54 LOG7[6089:1]: Created pid file /home/aps/tfk/stunnel/var/run/stunnel/stunnel.pid
2011.03.14 18:23:54 LOG5[6089:1]: stunnel 4.35 on sparc-sun-solaris2.10 with OpenSSL 0.9.8r 8 Feb 2011
2011.03.14 18:23:54 LOG5[6089:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2011.03.14 18:23:54 LOG7[6089:1]: Dispatching signals from the signal pipe
2011.03.14 18:23:54 LOG7[6089:1]: Signal pipe is empty
2011.03.14 18:24:19 LOG7[6089:1]: local socket: FD=0 allocated (non-blocking mode)
2011.03.14 18:24:19 LOG7[6089:1]: Service TradeXpress accepted FD=0 from stunnelserveripaddress:61449
2011.03.14 18:24:19 LOG7[6089:2]: Service TradeXpress started
2011.03.14 18:24:19 LOG5[6089:2]: Service TradeXpress accepted connection from stunnelserveripaddress:61449
2011.03.14 18:24:19 LOG7[6089:2]: remote socket: FD=1 allocated (non-blocking mode)
2011.03.14 18:24:19 LOG6[6089:2]: connect_blocking: connecting proxyipaddress:80
2011.03.14 18:24:19 LOG7[6089:2]: connect_blocking: s_poll_wait proxyipaddress:80: waiting 10 seconds
2011.03.14 18:24:19 LOG5[6089:2]: connect_blocking: connected proxyipaddress:80
2011.03.14 18:24:19 LOG5[6089:2]: Service TradeXpress connected remote server from stunnelserveripaddress:61450
2011.03.14 18:24:19 LOG7[6089:2]: Remote FD=1 initialized
2011.03.14 18:24:19 LOG5[6089:2]: Negotiations for connect (client side) started
2011.03.14 18:24:19 LOG7[6089:2]:  -> CONNECT tradewebipaddress:443 HTTP/1.1
2011.03.14 18:24:19 LOG7[6089:2]:  -> Host: tradewebipaddress:443
2011.03.14 18:24:19 LOG7[6089:2]:  ->
2011.03.14 18:24:19 LOG7[6089:2]:  <- HTTP/1.1 200 Connection established
2011.03.14 18:24:19 LOG6[6089:2]: CONNECT request accepted
2011.03.14 18:24:19 LOG7[6089:2]:  <-
2011.03.14 18:24:19 LOG5[6089:2]: Protocol negotiations succeeded
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): before/connect initialization
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client hello A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server hello A
2011.03.14 18:24:19 LOG7[6089:2]: Starting certificate verification: depth=1, /C=US/ST=New York/L=New York/O=TradeWeb LLC - The Online Bond Markets/OU=Network Administration/CN=TradeWeb LLC - The Online Bond Markets/emailAddress=bruce.mackinnon@tradeweb.c
2011.03.14 18:24:19 LOG5[6089:2]: Certificate accepted: depth=1, /C=US/ST=New York/L=New York/O=TradeWeb LLC - The Online Bond Markets/OU=Network Administration/CN=TradeWeb LLC - The Online Bond Markets/emailAddress=bruce.mackinnon@tradeweb.com
2011.03.14 18:24:19 LOG7[6089:2]: Starting certificate verification: depth=0, /C=US/ST=New Jersey/L=Jersey City/O=TradeWeb LLC - The Online Bond Markets/OU=STP Production/CN=62.189.50.234
2011.03.14 18:24:19 LOG5[6089:2]: Certificate accepted: depth=0, /C=US/ST=New Jersey/L=Jersey City/O=TradeWeb LLC - The Online Bond Markets/OU=STP Production/CN=62.189.50.234
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate request A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server done A
2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client certificate A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client key exchange A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write change cipher spec A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write finished A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 flush data
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read finished A
2011.03.14 18:24:19 LOG7[6089:2]:    0 items in the session cache
2011.03.14 18:24:19 LOG7[6089:2]:    1 client connects (SSL_connect())
2011.03.14 18:24:19 LOG7[6089:2]:    1 client connects that finished
2011.03.14 18:24:19 LOG7[6089:2]:    0 client renegotiations requested
2011.03.14 18:24:19 LOG7[6089:2]:    0 server connects (SSL_accept())
2011.03.14 18:24:19 LOG7[6089:2]:    0 server connects that finished
2011.03.14 18:24:19 LOG7[6089:2]:    0 server renegotiations requested
2011.03.14 18:24:19 LOG7[6089:2]:    0 session cache hits
2011.03.14 18:24:19 LOG7[6089:2]:    0 external session cache hits
2011.03.14 18:24:19 LOG7[6089:2]:    0 session cache misses
2011.03.14 18:24:19 LOG7[6089:2]:    0 session cache timeouts
2011.03.14 18:24:19 LOG6[6089:2]: SSL connected: new session negotiated
2011.03.14 18:24:19 LOG6[6089:2]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket
2011.03.14 18:29:25 LOG7[6089:2]: Service TradeXpress finished (0 left)

RAMIREZ Julián

Technical Consultant

Wall Street Systems - Empowering Treasury, Trading and Settlement
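An added example, not part of Julián's post and not stunnel code, showing how a small script can pull the client-certificate part of this handshake out of a debug=7 stunnel log and cross-check it against the service configuration. The sample log and config below are constructed from the lines quoted in the post. The script assumes that stunnel's `cert` option (global or per service) is what supplies a client certificate, and that the "SSL alert (write): warning: no certificate" line is stunnel's answer to the server's certificate request when it has no certificate to present; both are stunnel/OpenSSL behaviour, but whether that is the whole cause of the later SSL_read error is not something the log alone proves, so the script reports the observations and leaves the interpretation to the reader.

```python
import re

# Constructed sample: the handshake lines quoted in the post above, trimmed to
# the ones the check needs. Levels: LOG7 debug, LOG6 info, LOG3 error.
SAMPLE_LOG = """\
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server certificate request A
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 read server done A
2011.03.14 18:24:19 LOG7[6089:2]: SSL alert (write): warning: no certificate
2011.03.14 18:24:19 LOG7[6089:2]: SSL state (connect): SSLv3 write client certificate A
2011.03.14 18:24:19 LOG6[6089:2]: SSL connected: new session negotiated
2011.03.14 18:29:25 LOG3[6089:2]: SSL_read: 140D5042: error:140D5042:SSL routines:SSL3_CTRL:called a function you should not call
2011.03.14 18:29:25 LOG5[6089:2]: Connection reset: 521 bytes sent to SSL, 0 bytes sent to socket
"""

# Constructed sample: the configuration from the post (no cert/key options).
SAMPLE_CONF = """\
CAfile=/home/aps/tfk/stunnel/etc/stunnel/tradeweb_ca.cer
client=yes
verify=2
debug=7

[TradeXpress]
# Port on which STUNNEL listens for local connections
accept=stunnelserveripaddress:17000
libwrap=no
connect=proxyipaddress:80
protocol=connect
protocolHost=tradewebipaddress:443
"""

# stunnel log line: "<date> <time> LOG<level>[<pid>:<conn>]: <message>"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<pid>\d+):(?P<conn>\d+)\]: (?P<msg>.*)$")


def parse_conf(text):
    """Parse stunnel.conf into {'': global options, '<service>': options}."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_options(sections, service):
    """Service options with the global options as defaults (stunnel semantics)."""
    opts = dict(sections[""])
    opts.update(sections.get(service, {}))
    return opts


def handshake_report(log_text, conf_text, service):
    """Summarise what the log shows about the client-certificate exchange."""
    opts = effective_options(parse_conf(conf_text), service)
    report = {
        "cert_configured": "cert" in opts,
        "peer_requested_cert": False,
        "no_certificate_alert": False,
        "handshake_completed": False,
        "errors": [],
    }
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue  # not a stunnel log line (or a wrapped continuation)
        msg = m.group("msg")
        if "read server certificate request" in msg:
            report["peer_requested_cert"] = True  # server asked for a client cert
        elif "SSL alert (write): warning: no certificate" in msg:
            report["no_certificate_alert"] = True  # we answered: none available
        elif msg.startswith("SSL connected"):
            report["handshake_completed"] = True
        elif m.group("level") == "3":
            report["errors"].append(msg)  # LOG3 lines are errors
    findings = []
    if report["peer_requested_cert"] and not report["cert_configured"]:
        findings.append("peer requested a client certificate but no 'cert' option is set for " + service)
    if report["no_certificate_alert"]:
        findings.append("stunnel answered the certificate request with a no_certificate alert")
    if report["handshake_completed"] and report["errors"]:
        findings.append("handshake completed; the failure came later: " + report["errors"][0])
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for finding in handshake_report(SAMPLE_LOG, SAMPLE_CONF, "TradeXpress")["findings"]:
        print("-", finding)
```

Run against a real log, point the script at the full stunnel.log and the stunnel.conf in use; adding a `cert=` line under the service (with the matching `key=` if the key is not in the same file) makes the first finding disappear, which is the quickest way to see whether the configuration, rather than the peer, is what the "no certificate" alert is reporting.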