Hello,
I'm new to the list so I'm sorry if this isn't the right place to report this.
I had a server stop responding to stunnel connections sometime yesterday and the resolution was ultimately to reboot the server and everything was okay. Restarting the stunnel service was not enough to get things working again.
I isolated the problem to stunnel by checking that the underlying service (a Java web application) would respond from the localhost machine (it did), but an openssl s_client connection to localhost:stunnel-port would connect but not proceed past the CONNECTED(3) state. Ultimately, it would time out.
stunnel was not logging anything to syslog when these connections came in. Outgoing stunnel connections seemed to be okay.
Looking through the log file, I could see that there were some odd messages coming from stunnel in the daemon.log file suggesting that there might be a memory leak. I won't post them here unless requested, as they may represent a potential security issue.
My concern is that a service restart for stunnel was not sufficient. This suggests a problem which goes deeper than the stunnel service. Is it possible for stunnel to break in such a way that it continues to be broken after a restart?
I'm sorry, in retrospect, I was not 100% sure that the service did indeed stop and launch a new process when running /etc/init.d/stunnel restart, but there were no errors and the service-runner did report that the service was restarted.
My (simplified) configuration and version information is posted below. Please let me know if there is any other information I might be able to provide in order to investigate this.
Note that this is a package-managed version of stunnel, provided by the Debian package-maintainers.
Thanks, -chris
PS Thanks for a wonderful product. I've relied on stunnel for years to proxy these unencrypted AJP connections for me. Cheers for all your great work.
Configuration:
=== CUT ===
cert = /etc/stunnel/stunnel.crt
key = /etc/stunnel/stunnel.pem
sslVersion = TLSv1.2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4-ajp.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 4
CAfile = /etc/stunnel/stunnel-ajp-trusted.pem

[now, a series of 4 services, all configured similarly]
accept = public-port
connect = localhost:private-port
=== CUT ===
Version:
stunnel 5.39 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.1.0c 10 Nov 2016
Running with OpenSSL 1.1.0j 20 Nov 2018
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP

Global options:
debug = daemon.notice
pid = /var/run/stunnel4.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options:
ciphers = FIPS (with "fips = yes")
ciphers = HIGH:+3DES:+DH:!aNULL:!SSLv2 (with "fips = no")
curve = prime256v1
debug = notice
logId = sequential
options = NO_SSLv2
options = NO_SSLv3
sessionCacheSize = 1000
sessionCacheTimeout = 300 seconds
stack = 65536 bytes
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Linux kernel version:
Linux [hostname] 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
This is running on a bare metal server.
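The two checks the report above leaves open are (a) whether /etc/init.d/stunnel restart really replaced the running process, and (b) a repeatable s_client probe that tells "TCP connects, then nothing until timeout" apart from a handshake that stunnel actively rejects. The script below is an added example, not code from the original message or from the stunnel project. It assumes a Linux /proc filesystem, the coreutils timeout(1) and openssl(1) on PATH, and that the PID file path, host and port are supplied by the caller; the PID file path in the comments (the configured pid = /stunnel4-ajp.pid resolved under chroot = /var/lib/stunnel4/) and the port 8443 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added diagnostic helpers for the stunnel symptoms described above. Not
# code from the original post or from the stunnel project.
# Assumptions (not stated on the page): Linux /proc; coreutils timeout(1)
# and openssl(1) on PATH; PID file, host and port supplied by the caller.

# Start time of a process in clock ticks since boot, from /proc/<pid>/stat.
# Identical readings before and after an init-script restart mean the old
# process was never replaced; a new PID or new start time means a fresh
# process really started.
proc_start_ticks() {
    pid="$1"
    [ -r "/proc/$pid/stat" ] || return 1
    # Field 22 is starttime. The comm field (2) may contain spaces, so drop
    # everything through the closing ')' first; field 22 then becomes $20.
    sed 's/^.*) //' "/proc/$pid/stat" | awk '{ print $20 }'
}

# Print "<pid> <start-ticks>" for the process named in a PID file; fail if
# the file is unreadable or the process is gone.
stunnel_identity() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -d '[:space:]' < "$pidfile")
    ticks=$(proc_start_ticks "$pid") || return 1
    echo "$pid $ticks"
}

# Classify captured `openssl s_client` output (read from stdin):
#   no_connect              the TCP connect itself failed
#   connected_no_handshake  CONNECTED(...) printed, then nothing: the
#                           symptom in the post (accept, then stall)
#   handshake_failed        a handshake ran but ended with no cipher
#   handshake_ok            a cipher was negotiated
classify_s_client_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        echo no_connect
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is (NONE)'; then
        echo handshake_failed
    elif printf '%s\n' "$out" | grep -q '^New, .*Cipher is '; then
        echo handshake_ok
    else
        echo connected_no_handshake
    fi
}

# Probe one stunnel accept port with a bounded wait, so a stalled listener
# yields connected_no_handshake instead of hanging the shell. Any extra
# arguments go to s_client (e.g. -cert/-key, needed with verify = 4).
probe_tls() {
    host="$1"; port="$2"; secs="$3"; shift 3
    timeout "$secs" openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1 \
        | classify_s_client_output
}

# Example session (assumed paths and port; nothing runs when this file is
# sourced):
#   before=$(stunnel_identity /var/lib/stunnel4/stunnel4-ajp.pid)
#   /etc/init.d/stunnel4 restart
#   after=$(stunnel_identity /var/lib/stunnel4/stunnel4-ajp.pid)
#   [ "$before" != "$after" ] || echo "restart did not replace the stunnel process"
#   probe_tls 127.0.0.1 8443 10 -cert client.crt -key client.key
```

Because the configuration sets verify = 4, stunnel demands a client certificate, so pass -cert and -key through probe_tls to expect handshake_ok; without them the probe is still useful, since any result other than connected_no_handshake shows the listener is actually answering rather than stalling after the TCP accept.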