Have worked on this all day without any glimmer of hope and would appreciate help and feedback!
Regards,
KAM
# Description of your problem. What programs are on which machines, and how are they attempting to communicate. What connections are you attempting to secure in SSL.
I am having problems with the regeneration of stunnel on an old but fairly reliable machine. I am switching from v3 to v4 and it works absolutely perfectly ONCE. The second time it just hangs.
# What version of Stunnel you're using - remember, Stunnel 4.x doesn't take Stunnel 3.x command line options!
4.x
# The list of parameters you are using for stunnel, and if you are running it standalone or from inetd/xinetd.
I am running it in standalone. My conf file is:
cert = /usr/local/ssl/certs/stunnel.pem
key = /usr/local/ssl/certs/stunnel.pem
chroot = /usr/local/var/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log
[ssmtp]
accept = 465
connect = 10.10.10.30:25
# Output of "stunnel -f -D 7 <your-parameters>".
Not sure this works on v4.X but here are the logs from the connection:
2005.11.18 19:17:56 LOG7[13166:1024]: ssmtp accepted FD=7 from 66.149.103.32:3542
2005.11.18 19:17:56 LOG7[13171:1026]: ssmtp started
2005.11.18 19:17:56 LOG7[13171:1026]: FD 7 in non-blocking mode
2005.11.18 19:17:56 LOG7[13171:1026]: TCP_NODELAY option set on local socket
2005.11.18 19:17:56 LOG7[13171:1026]: FD 10 in non-blocking mode
2005.11.18 19:17:56 LOG7[13171:1026]: FD 11 in non-blocking mode
2005.11.18 19:17:56 LOG7[13171:1026]: Connection from 66.149.103.32:3542 permitted by libwrap
2005.11.18 19:17:56 LOG5[13171:1026]: ssmtp connected from 66.149.103.32:3542
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): before/accept initialization
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 read client hello A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 write server hello A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 write certificate A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 write server done A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 flush data
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 read client key exchange A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 read finished A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 write change cipher spec A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 write finished A
2005.11.18 19:17:56 LOG7[13171:1026]: SSL state (accept): SSLv3 flush data
2005.11.18 19:17:56 LOG7[13171:1026]: 1 items in the session cache
2005.11.18 19:17:56 LOG7[13171:1026]: 0 client connects (SSL_connect())
2005.11.18 19:17:56 LOG7[13171:1026]: 0 client connects that finished
2005.11.18 19:17:56 LOG7[13171:1026]: 0 client renegotiatations requested
2005.11.18 19:17:56 LOG7[13171:1026]: 1 server connects (SSL_accept())
2005.11.18 19:17:56 LOG7[13171:1026]: 1 server connects that finished
2005.11.18 19:17:56 LOG7[13171:1026]: 0 server renegotiatiations requested
2005.11.18 19:17:56 LOG7[13171:1026]: 0 session cache hits
2005.11.18 19:17:56 LOG7[13171:1026]: 1 session cache misses
2005.11.18 19:17:56 LOG7[13171:1026]: 0 session cache timeouts
2005.11.18 19:17:56 LOG6[13171:1026]: SSL accepted: new session negotiated
2005.11.18 19:17:56 LOG6[13171:1026]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2005.11.18 19:17:56 LOG7[13171:1026]: FD 10 in non-blocking mode
2005.11.18 19:17:56 LOG7[13171:1026]: ssmtp connecting 10.10.10.30:25
2005.11.18 19:17:56 LOG7[13171:1026]: connect_wait: waiting 10 seconds
2005.11.18 19:17:56 LOG7[13171:1026]: connect_wait: connected
2005.11.18 19:17:56 LOG7[13171:1026]: Remote FD=10 initialized
2005.11.18 19:17:56 LOG7[13171:1026]: TCP_NODELAY option set on remote socket
2005.11.18 19:17:58 LOG7[13171:1026]: Socket closed on read
2005.11.18 19:17:58 LOG7[13171:1026]: SSL write shutdown
2005.11.18 19:17:58 LOG7[13171:1026]: SSL alert (write): warning: close notify
2005.11.18 19:17:58 LOG7[13171:1026]: SSL_shutdown retrying
2005.11.18 19:17:58 LOG7[13171:1026]: SSL doesn't need to read or write
2005.11.18 19:17:58 LOG7[13171:1026]: SSL socket closed on SSL_read
2005.11.18 19:17:58 LOG7[13171:1026]: Socket write shutdown
2005.11.18 19:17:58 LOG5[13171:1026]: Connection closed: 827 bytes sent to SSL, 1362 bytes sent to socket
2005.11.18 19:17:58 LOG7[13171:1026]: ssmtp finished (-1 left)
There is nothing more after this point.
# Output of "stunnel -V".
I think you want -version:
/usr/local/sbin/stunnel -version
stunnel 4.14 on i686-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004
Global options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /usr/local/etc/stunnel/stunnel.pem
pid = /usr/local/var/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
session = 300 seconds
verify = none
Service-level options
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
# Output of "uname -a".
Linux <removed> 2.2.26 #8 Fri Jul 16 00:42:34 EDT 2004 i686 unknown
# Your libc version if you use Linux.
2.2.5
# Output of "gcc -v".
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
# Output of "openssl version" or "ssleay version" depending on your library. Subscribe to stunnel-users.
OpenSSL 0.9.7e 25 Oct 2004
On Saturday 19 of November 2005 00:28, Kevin A. McGrail wrote:
Have worked on this all day without any glimmer of hope and would appreciate help and feedback!
[cut]
Linux <removed> 2.2.26 #8 Fri Jul 16 00:42:34 EDT 2004 i686 unknown
# Your libc version if you use Linux.
2.2.5
# Output of "gcc -v".
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
# Output of "openssl version" or "ssleay version" depending on your library. Subscribe to stunnel-users.
OpenSSL 0.9.7e 25 Oct 2004
Your kernel, libc, compiler and OpenSSL are quite obsolete (you already know that). Normally stunnel can use ucontext threading on Linux. 8-)
I'd try to disable chroot and run stunnel under strace with "foreground = yes" option.
Best regards, Mike
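As an added example (not part of the thread, and not stunnel's own tooling), the following POSIX shell helpers carry out Mike's suggestion mechanically: take the posted stunnel 4.x config, write a copy with the chroot commented out (and, as an extra assumption here, the setuid/setgid lines too, so that jail paths and file permissions stop being suspects), force "foreground = yes" and "debug = 7", and then run that copy under strace -f so the child that serves the second connection is followed into whatever call it blocks in. All file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the stunnel-users thread or the stunnel project.
# Paths used below are assumptions.

# make_debug_conf ORIGINAL DEBUGCOPY
#   Writes DEBUGCOPY from ORIGINAL with the daemon/jail options (chroot,
#   setuid, setgid, pid, output) and any existing foreground/debug lines
#   commented out with ";" (stunnel's comment character), and with
#   "foreground = yes" and "debug = 7" prepended to the global section.
#   Service sections such as [ssmtp] are copied through unchanged.
make_debug_conf() {
    orig=$1
    copy=$2
    {
        echo 'foreground = yes'
        echo 'debug = 7'
        awk '
            {
                line = $0
                key = line
                sub(/[ \t]*=.*$/, "", key)   # keep only the option name
                gsub(/[ \t]/, "", key)
                key = tolower(key)
            }
            key == "chroot" || key == "setuid" || key == "setgid" ||
            key == "pid"    || key == "output" || key == "foreground" ||
            key == "debug"  { print "; " line; next }
            { print line }
        ' "$orig"
    } > "$copy"
}

# trace_stunnel DEBUGCOPY TRACEFILE
#   Runs stunnel in the foreground under strace, following forked or
#   cloned children (-f) with timestamps (-tt), so a hang shows up as the
#   last syscall of the child that accepted the second connection.
#   Refuses to run when stunnel or strace is missing rather than failing
#   half-way.
trace_stunnel() {
    conf=$1
    out=$2
    command -v stunnel >/dev/null 2>&1 || { echo "stunnel not installed" >&2; return 1; }
    command -v strace  >/dev/null 2>&1 || { echo "strace not installed" >&2; return 1; }
    strace -f -tt -s 256 -o "$out" stunnel "$conf"
}

# Demo on a constructed copy of the posted configuration.  Run this file
# with the single argument "demo" to print the debugging config that
# make_debug_conf produces; it does not start stunnel.
if [ "${1:-}" = demo ]; then
    tmpdir=$(mktemp -d)
    cat > "$tmpdir/stunnel.conf" <<'EOF'
cert = /usr/local/ssl/certs/stunnel.pem
key = /usr/local/ssl/certs/stunnel.pem
chroot = /usr/local/var/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log
[ssmtp]
accept = 465
connect = 10.10.10.30:25
EOF
    make_debug_conf "$tmpdir/stunnel.conf" "$tmpdir/stunnel-debug.conf"
    cat "$tmpdir/stunnel-debug.conf"
    # Real run (assumed paths):
    #   trace_stunnel "$tmpdir/stunnel-debug.conf" /tmp/stunnel.strace
fi
```

With the jail and privilege drop out of the way, the trace file shows whether the second connection's handler is stuck in a blocking read, a connect that never completes, or a lock, which is the information the stunnel log alone does not give.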