Hello everybody,
I recompiled the newest "traditional" versions of OpenSSL and stunnel on Solaris, Linux, and HPUX. None of the defaults were changed except for --prefix and --openssldir/--with-ssl and --install_prefix.
Simple tests went through without problems on Linux and HPUX. For Solaris I have a big problem. Any help is appreciated, for example a trustworthy Stunnel-3.26 binary statically linked with OpenSSL 0.9.6m for Solaris 2.6 could also help.
Summary
=======
Stunnel listens on host medusa 12480 for SSL and forwards plain HTTP to apache on another host (sirius). When I try a HTTPS request to medusa:12480 using a browser or wget, the connection is broken immediately.
When stunnel runs under the system call tracer truss the same commands succeed most of the time. In the truss output one can see an EAGAIN on the -r socket of stunnel. That might indicate that there is a problem when TCP buffers do not fill quickly receiving on the -r side.
Details
=======
Client side:
(IP is 192.168.50.153)
C:>wget --spider https://medusa:12480
--12:59:18--  https://medusa:12480/
           => `index.html'
Resolving medusa... 192.168.41.13
Connecting to medusa[192.168.41.13]:12480... connected.
Unable to establish SSL connection.
Unable to establish SSL connection.
Stunnel side:
[mkn@medusa] stunnel-3.26 721$ ./stunnel -p ./stunnel.pem -D 7 -d 12480 -r sirius:80 -f -Pnone
2004.09.08 13:06:52 LOG5[29399:1]: Using 'sirius.80' as tcpwrapper service name
2004.09.08 13:06:52 LOG4[29399:1]: Wrong permissions on ./stunnel.pem
2004.09.08 13:06:52 LOG7[29399:1]: Snagged 64 random bytes from /nfss/home/mkn/.rnd
2004.09.08 13:06:53 LOG7[29399:1]: Wrote 1024 new random bytes to /nfss/home/mkn/.rnd
2004.09.08 13:06:53 LOG7[29399:1]: RAND_status claims sufficient entropy for the PRNG
2004.09.08 13:06:53 LOG6[29399:1]: PRNG seeded successfully
2004.09.08 13:06:53 LOG7[29399:1]: Certificate: ./stunnel.pem
2004.09.08 13:06:53 LOG5[29399:1]: stunnel 3.26 on sparc-sun-solaris2.6 PTHREAD+LIBWRAP with OpenSSL 0.9.6m 17 Mar 2004
2004.09.08 13:06:53 LOG7[29399:1]: No pid file being created
2004.09.08 13:06:53 LOG5[29399:1]: FD_SETSIZE=1024, file ulimit=64 -> 28 clients allowed
2004.09.08 13:06:53 LOG7[29399:1]: SO_REUSEADDR option set on accept socket
2004.09.08 13:06:53 LOG7[29399:1]: sirius.80 bound to 0.0.0.0:12480
2004.09.08 13:06:56 LOG7[29399:1]: sirius.80 accepted FD=7 from 192.168.50.153:1937
2004.09.08 13:06:56 LOG7[29399:4]: sirius.80 started
2004.09.08 13:06:56 LOG5[29399:4]: sirius.80 connected from 192.168.50.153:1937
2004.09.08 13:06:56 LOG7[29399:4]: sirius.80 connecting 192.168.41.223:80
2004.09.08 13:06:56 LOG7[29399:4]: Remote FD=9 initialized
2004.09.08 13:06:56 LOG7[29399:4]: Stunnel manual RSA blinding enabled
2004.09.08 13:06:56 LOG7[29399:4]: SSL state (accept): before/accept initialization
2004.09.08 13:06:56 LOG7[29399:4]: SSL state (accept): SSLv3 read client hello A
2004.09.08 13:06:56 LOG7[29399:4]: SSL state (accept): SSLv3 write server hello A
2004.09.08 13:06:56 LOG7[29399:4]: SSL state (accept): SSLv3 write certificate A
2004.09.08 13:06:56 LOG7[29399:4]: SSL state (accept): SSLv3 write server done A
2004.09.08 13:06:56 LOG7[29399:4]: SSL state (accept): SSLv3 flush data
2004.09.08 13:06:56 LOG3[29399:4]: SSL_accept: Peer suddenly disconnected
2004.09.08 13:06:56 LOG7[29399:4]: sirius.80 finished (0 left)
[mkn@medusa] stunnel-3.26 722$ ./stunnel -V
stunnel 3.26 on sparc-sun-solaris2.6 PTHREAD+LIBWRAP with OpenSSL 0.9.6m 17 Mar 2004
Default behaviour:
    run in inetd mode (unless -d used)
    run in background (unless -f used)
    run in ssl server mode (unless -c used)
Compile time defaults:
    -v level      no verify
    -a directory  (none)
    -A file       (none)
    -S sources    2
    -t timeout    300 seconds
    -B bytes      64
    -D level      5
    -P pid dir    /opt/stunnel/var/stunnel/
    -p pemfile    in server mode: stunnel.pem
                  in client mode: none
Socket option defaults:
    Option        Accept  Local   Remote  OS default
    SO_DEBUG      --      --      --      0
    SO_DONTROUTE  --      --      --      0
    SO_KEEPALIVE  --      --      --      0
    SO_LINGER     --      --      --      0:0
    SO_OOBINLINE  --      --      --      0
    SO_RCVBUF     --      --      --      8192
    SO_SNDBUF     --      --      --      8192
    SO_RCVLOWAT   --      --      --      --
    SO_SNDLOWAT   --      --      --      --
    SO_RCVTIMEO   --      --      --      --
    SO_SNDTIMEO   --      --      --      --
    SO_REUSEADDR  1       --      --      0
    IP_TOS        --      --      --      0
    IP_TTL        --      --      --      255
    TCP_NODELAY   --      --      --      0
[mkn@medusa] stunnel-3.26 724$ uname -a
SunOS medusa 5.6 Generic_105181-39 sun4u sparc SUNW,Ultra-Enterprise
[mkn@medusa] stunnel-3.26 726$ gcc -v
Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.6/2.95.2/specs
gcc version 2.95.2 19991024 (release)
When running the same stunnel under truss, I sometimes have success in retrieving the document, but sometimes I get:
(...initialisation omitted...)
poll(0xEFFFD4E0, 2, -1) = 1
fcntl(7, F_GETFL, 0x00000000) = 2
fstat64(7, 0xEFFFF3D8) = 0
getsockopt(7, 65535, 8192, 0xEFFFF4DC, 0xEFFFF4D4) = 0
fstat64(7, 0xEFFFF3D8) = 0
getsockopt(7, 65535, 8192, 0xEFFFF4DC, 0xEFFFF4D8) = 0
setsockopt(7, 65535, 8192, 0xEFFFF4DC, 4) = 0
fcntl(7, F_SETFL, 0x00000082) = 0
accept(7, 0xEFFFF5D0, 0xEFFFF548) = 8
fstat64(7, 0xEFFFF3D8) = 0
getsockopt(7, 65535, 8192, 0xEFFFF4DC, 0xEFFFF4D8) = 0
setsockopt(7, 65535, 8192, 0xEFFFF4DC, 4) = 0
fcntl(7, F_SETFL, 0x00000002) = 0
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 83) = 83
    2004.09.08 13:21:11 LOG7[2339:1]: sirius.80 accepted FD=8 from 192.168.50.153:2763\n
fcntl(8, F_SETFD, 0x00000001) = 0
lwp_cond_signal(0xEF66B278) = 0
lwp_cond_wait(0xEF66B278, 0xEF66B288, 0xEF565C48) = 0
lwp_self() = 3
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 52) = 52
    2004.09.08 13:21:11 LOG7[2339:4]: sirius.80 started\n
brk(0x000F73A8) = 0
brk(0x000FF3A8) = 0
getpeername(8, 0x000F56C4, 0xEF20BC78) = 0
getpid() = 2339 [2337]
getpeername(8, 0x000DF2E0, 0xEF20B44C) = 0
getsockname(8, 0x000DF2F0, 0xEF20B44C) = 0
open("/etc/hosts.allow", O_RDONLY) Err#2 ENOENT
getpid() = 2339 [2337]
open("/proc/2339/psinfo", O_RDONLY) = 9
read(9, "\f\0 F H\0\0\005\0\0\t #".., 336) = 336
close(9) = 0
fstat(-1, 0xEF209E40) Err#9 EBADF
open("/dev/conslog", O_WRONLY) = 9
fcntl(9, F_SETFD, 0x00000001) = 0
fstat(9, 0xEF209E40) = 0
fstat(9, 0xEF20A8A0) = 0
time() = 1094642471
getpid() = 2339 [2337]
putmsg(9, 0xEF209F58, 0xEF209F4C, 0) = 0
open("/etc/.syslog_door", O_RDONLY) = 10
door_info(10, 0xEF209E90) = 0
getpid() = 2339 [2337]
door_call(10, 0xEF209E78) = 0
close(10) = 0
open("/etc/hosts.deny", O_RDONLY) Err#2 ENOENT
fstat(9, 0xEF20A8A0) = 0
time() = 1094642471
getpid() = 2339 [2337]
putmsg(9, 0xEF209F58, 0xEF209F4C, 0) = 0
open("/etc/.syslog_door", O_RDONLY) = 10
door_info(10, 0xEF209E90) = 0
getpid() = 2339 [2337]
door_call(10, 0xEF209E78) = 0
close(10) = 0
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 79) = 79
    2004.09.08 13:21:11 LOG5[2339:4]: sirius.80 connected from 192.168.50.153:2763\n
so_socket(2, 2, 0, "", 1) = 10
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 73) = 73
    2004.09.08 13:21:11 LOG7[2339:4]: sirius.80 connecting 192.168.41.223:80\n
connect(10, 0xEF20BC00, 16) = 0
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 59) = 59
    2004.09.08 13:21:11 LOG7[2339:4]: Remote FD=10 initialized\n
time() = 1094642471
getpid() = 2339 [2337]
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 70) = 70
    2004.09.08 13:21:11 LOG7[2339:4]: Stunnel manual RSA blinding enabled\n
time() = 1094642471
brk(0x000FF3A8) = 0
brk(0x001033A8) = 0
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 83) = 83
    2004.09.08 13:21:11 LOG7[2339:4]: SSL state (accept): before/accept initialization\n
brk(0x001033A8) = 0
brk(0x001093A8) = 0
brk(0x001093A8) = 0
brk(0x0010D3A8) = 0
read(8, 0x00102C78, 11) Err#11 EAGAIN
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 73) = 73
    2004.09.08 13:21:11 LOG3[2339:4]: SSL_accept: Peer suddenly disconnected\n
setsockopt(10, 65535, 128, 0xEF20BC78, 8) = 0
close(10) = 0
setsockopt(8, 65535, 128, 0xEF20BC78, 8) = 0
close(8) = 0
time() = 1094642471
getpid() = 2339 [2337]
write(4, 0x000E763C, 62) = 62
    2004.09.08 13:21:11 LOG7[2339:4]: sirius.80 finished (0 left)\n
lwp_cond_signal(0xEF66B278) = 0
lwp_cond_wait(0xEF66B278, 0xEF66B288, 0xEF543CA0) = 0
lwp_mutex_unlock(0xEF66B288) = 0
lwp_mutex_lock(0xEF66B288) = 0
time() = 1094642471
lwp_mutex_lock(0xEF66B288) = 0
lwp_cond_broadcast(0xEF670F50) = 0
poll(0xEFFFD4E0, 2, -1) (sleeping...)
With kind regards,
Martin Kneissl
_________________________
Atos Worldline GmbH
CRM and Telco
Pascalstrasse 19
52076 Aachen
Germany
Phone: +49 (0) 2408 148 173
Fax: +49 (0) 2408 148 204
mailto:martin.kneissl@atosorigin.com
www.atosworldline.de
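The truss trace above shows a read() on the accepted socket failing with EAGAIN and, immediately after it, stunnel logging "Peer suddenly disconnected". As an added example (not stunnel's code and not part of this thread), the following shows how a non-blocking read can keep "no data yet" apart from a real peer close; the helper names and the AF_UNIX socketpair used as input are constructed for the demonstration.

```c
/* Added example, not stunnel's code: tell EAGAIN ("no data yet" on a
 * non-blocking socket) from a real disconnect, as in the trace above. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/socket.h>
#include <unistd.h>

enum { RD_TIMEOUT = -2, RD_ERROR = -1, RD_EOF = 0 };

/* 1 if O_NONBLOCK is set on fd (the check to run on an accepted socket
 * whose listener was non-blocking), 0 if not, -1 on error. */
int fd_is_nonblocking(int fd) {
    int fl = fcntl(fd, F_GETFL, 0);
    return fl < 0 ? -1 : (fl & O_NONBLOCK) != 0;
}

/* read() that treats EAGAIN/EWOULDBLOCK as "wait and retry" (poll() for up
 * to timeout_ms) instead of as a failure. Returns bytes read, RD_EOF on an
 * orderly peer close, RD_TIMEOUT if nothing arrived, RD_ERROR otherwise. */
ssize_t read_retry(int fd, void *buf, size_t n, int timeout_ms) {
    struct pollfd p = { fd, POLLIN, 0 };
    for (;;) {
        ssize_t r = read(fd, buf, n);
        int ready;
        if (r >= 0) return r;                       /* data, or 0 = EOF */
        if (errno == EINTR) continue;
        if (errno != EAGAIN && errno != EWOULDBLOCK) return RD_ERROR;
        ready = poll(&p, 1, timeout_ms);
        if (ready == 0) return RD_TIMEOUT;
        if (ready < 0 && errno != EINTR) return RD_ERROR;
    }
}

/* Self-check on a constructed AF_UNIX socketpair; sv[0] is made non-blocking
 * like the accepted socket in the trace. Returns 0 when every case behaves. */
int demo(void) {
    int sv[2];
    char buf[16];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL, 0) | O_NONBLOCK);
    if (fd_is_nonblocking(sv[0]) != 1) return -2;
    if (read_retry(sv[0], buf, sizeof buf, 50) != RD_TIMEOUT) return -3;
    if (write(sv[1], "hello", 5) != 5) return -4;
    if (read_retry(sv[0], buf, sizeof buf, 50) != 5) return -5;
    close(sv[1]);                                   /* peer closes cleanly */
    if (read_retry(sv[0], buf, sizeof buf, 50) != RD_EOF) return -6;
    close(sv[0]);
    return 0;
}
```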
Kneißl, Martin wrote:
> I recompiled the newest "traditional" versions of OpenSSL and stunnel on Solaris, Linux, and HPUX. None of the defaults were changed except for --prefix and --openssldir/--with-ssl and --install_prefix
What about using my stunnel3 script instead?
BTW: I really would like to know your comments on this script. Does anyone need stunnel 3.x, now?
Best regards, Mike