Team,
I am configuring stunnel for the first time. My requirement: the "NetApp DataFabricManager" application on the SLES10 SP4 platform <------ (LDAP over stunnel) -----> Windows 2003 Active Directory, for Active Directory user authentication.
Stunnel.conf:
-----------------------------------------------------------
setuid = root
setgid = root
client = yes
debug = 7
output = /root/stunnel.log
cert = /opt/crt_key.pem
key = /opt/crt_key.pem
pid = /var/run/stunnel.pid
verify = 3
CAfile = /opt/crt_key.pem
options = NO_SSLv2

[ldap]
accept = 389
connect = winad1-197-187:636

[ldap-ha]
accept = 8389
connect = winad2-197-189:636
-----------------------------------------------------------
ocm5-197-196:~ # dfm ldap list
Address                                    Port   Last Use                   Last Failure
------------------------------------------ ------ -------------------------- --------------------------
127.0.0.1                                  389    2013-01-02 14:01:52.000000
127.0.0.1                                  8389   2013-01-02 13:49:35.000000
ocm5-197-196:~ #
ocm5-197-196:~ # dfm ldap find user1
Warning: Failed to bind to ldap server '127.0.0.1' as user 'CN=Administrator,CN=Users,DC=<zz>,DC=<xx>,DC=<yy>,DC=com': Can't contact LDAP server
Error: Failed to search for user1.
ocm5-197-196:~ #
NOTE: If I add the Active Directory server IP in the above list instead of 127.0.0.1, LDAP authentication works fine.
ocm5-197-196:~ # cat /etc/services
... ..... ........
#### This is a Manual Entry made by root user for AD authentication services & Stunnel Integration ########
ldap-ha 8389/tcp # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
ldap-ha 8389/udp # 2nd LDAP host for DC redundancy [Redirected to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
ocm5-197-196:~ # stunnel /root/stunnel-4.54/tools/stunnel.conf
stunnel.log:
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Clients allowed=500
2013.01.02 14:00:42 LOG5[7102:47010476379680]: stunnel 4.54 on x86_64-unknown-linux-gnu platform
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Compiled/running with OpenSSL 0.9.8a 11 Oct 2005
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Threading:PTHREAD SSL:+ENGINE Auth:none Sockets:POLL+IPv6
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Reading configuration from file /root/stunnel-4.54/tools/stunnel.conf
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Compression not enabled
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Snagged 64 random bytes from /root/.rnd
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Wrote 1024 new random bytes to /root/.rnd
2013.01.02 14:00:42 LOG7[7102:47010476379680]: PRNG seeded successfully
2013.01.02 14:00:42 LOG6[7102:47010476379680]: Initializing service [ldap]
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate: /opt/crt_key.pem
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate loaded
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Key file: /opt/crt_key.pem
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Private key loaded
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded verify certificates from /opt/crt_key.pem
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded /opt/crt_key.pem revocation lookup file
2013.01.02 14:00:42 LOG7[7102:47010476379680]: SSL options set: 0x01000004
2013.01.02 14:00:42 LOG6[7102:47010476379680]: Initializing service [ldap-ha]
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate: /opt/crt_key.pem
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate loaded
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Key file: /opt/crt_key.pem
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Private key loaded
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded verify certificates from /opt/crt_key.pem
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded /opt/crt_key.pem revocation lookup file
2013.01.02 14:00:42 LOG7[7102:47010476379680]: SSL options set: 0x01000004
2013.01.02 14:00:42 LOG5[7102:47010476379680]: Configuration successful
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Service [ldap] (FD=7) bound to 0.0.0.0:389
2013.01.02 14:00:42 LOG7[7102:47010476379680]: Service [ldap-ha] (FD=8) bound to 0.0.0.0:8389
2013.01.02 14:00:42 LOG7[7103:47010476379680]: Created pid file /var/run/stunnel.pid
2013.01.02 14:01:52 LOG7[7103:47010476379680]: Service [ldap] accepted (FD=3) from 127.0.0.1:60332
2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] started
2013.01.02 14:01:52 LOG5[7103:1073809728]: Service [ldap] accepted connection from 127.0.0.1:60332
2013.01.02 14:01:52 LOG6[7103:1073809728]: connect_blocking: connecting 192.168.10.7:636
2013.01.02 14:01:52 LOG7[7103:1073809728]: connect_blocking: s_poll_wait 192.168.10.7:636: waiting 10 seconds
2013.01.02 14:01:52 LOG5[7103:1073809728]: connect_blocking: connected 192.168.10.7:636
2013.01.02 14:01:52 LOG5[7103:1073809728]: Service [ldap] connected remote server from 192.168.10.1:40664
2013.01.02 14:01:52 LOG7[7103:1073809728]: Remote socket (FD=10) initialized
2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): before/connect initialization
2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): SSLv3 write client hello A
2013.01.02 14:01:52 LOG3[7103:1073809728]: SSL_connect: Peer suddenly disconnected <------------------
2013.01.02 14:01:52 LOG5[7103:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.01.02 14:01:52 LOG7[7103:1073809728]: Remote socket (FD=10) closed
2013.01.02 14:01:52 LOG7[7103:1073809728]: Local socket (FD=3) closed
2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] finished (0 left)
I initially started with stunnel 4.14, available on the SLES10 GA OS media, and noticed the peer-disconnected issue. I went through the stunnel mailing list archive for related issues but didn't get much help. Finally I upgraded stunnel to v4.54, with no progress.
Google hits mentioned that it's a configuration issue / the client is not accepting sockets, but in the end I have no clue how to proceed.
Kindly assist with "SSL_connect: Peer suddenly disconnected" and getting the SSL handshake to work.
Warm Regards,
Arun
UNIX admin
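A small log triage helper, added here as an example and not part of the original post or of stunnel itself: it groups stunnel.log lines by connection thread and reports, for each failed connection, the service, the peers and the last handshake state reached before the error. Run on the post's own lines (embedded below as a constructed sample) it shows the drop happening right after "SSLv3 write client hello A", i.e. before any server certificate had been received, so the verify/CAfile settings were not yet in play at the point of failure.

```python
import re
from collections import OrderedDict

# Constructed sample: the connection-handling lines from the stunnel.log quoted in the post
SAMPLE_LOG = """\
2013.01.02 14:01:52 LOG7[7103:47010476379680]: Service [ldap] accepted (FD=3) from 127.0.0.1:60332
2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] started
2013.01.02 14:01:52 LOG5[7103:1073809728]: Service [ldap] accepted connection from 127.0.0.1:60332
2013.01.02 14:01:52 LOG6[7103:1073809728]: connect_blocking: connecting 192.168.10.7:636
2013.01.02 14:01:52 LOG7[7103:1073809728]: connect_blocking: s_poll_wait 192.168.10.7:636: waiting 10 seconds
2013.01.02 14:01:52 LOG5[7103:1073809728]: connect_blocking: connected 192.168.10.7:636
2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): before/connect initialization
2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): SSLv3 write client hello A
2013.01.02 14:01:52 LOG3[7103:1073809728]: SSL_connect: Peer suddenly disconnected
2013.01.02 14:01:52 LOG5[7103:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] finished (0 left)
"""

# stunnel 4.x line layout: "<date> <time> LOG<level>[<pid>:<thread id>]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
SERVICE_RE = re.compile(r"Service \[(\S+)\] started")
PEER_RE = re.compile(r"accepted connection from (\S+)")
REMOTE_RE = re.compile(r"connect_blocking: connected (\S+)")
STATE_RE = re.compile(r"SSL state \((?:connect|accept)\): (.*)")

def failed_handshakes(text):
    """Group lines by [pid:tid] (stunnel uses one thread per connection) and return,
    for every connection that logged an SSL_connect/SSL_accept error at LOG3,
    the service, client peer, remote target, last SSL handshake state and error."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a stunnel log line
        c = conns.setdefault((m["pid"], m["tid"]),
                             dict(service=None, peer=None, remote=None, last_state=None, error=None))
        msg = m["msg"]
        for field, rx in (("service", SERVICE_RE), ("peer", PEER_RE),
                          ("remote", REMOTE_RE), ("last_state", STATE_RE)):
            hit = rx.search(msg)
            if hit:
                c[field] = hit.group(1)
        # LOG3 is stunnel's error level; SSL_connect/SSL_accept tells you which side was handshaking
        if m["level"] == "3" and msg.startswith(("SSL_connect:", "SSL_accept:")):
            c["error"] = msg
    return [c for c in conns.values() if c["error"]]

if __name__ == "__main__":
    for f in failed_handshakes(SAMPLE_LOG):
        print(f"[{f['service']}] {f['peer']} -> {f['remote']}: '{f['error']}' after state '{f['last_state']}'")
```

Feeding it a full /root/stunnel.log instead of the sample lists every failed connection with the state it died in, which separates "dropped at client hello" cases from failures that occur after the certificate exchange.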