Hi, I am new to stunnel on a Mac. When I run stunnel with the enabled configuration [mllp-to-dip], I am prompted for a local password and then for my certificate passphrase. I am not able to establish a tunnel. See logs:
Initializing service [mllp-to-dip]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x2100000 (+0x0, -0x0)
[ ] Session resumption enabled
[ ] Loading certificate from file: /opt/homebrew/etc/stunnel/test_client.cert.pem
[ ] Certificate loaded from file: /opt/homebrew/etc/stunnel/test_client.cert.pem
[ ] Loading private key from file: /opt/homebrew/etc/stunnel/test_client_cert.pem
[:] Insecure file permissions on /opt/homebrew/etc/stunnel/test_client_cert.pem
[ ] Private key loaded from file: /opt/homebrew/etc/stunnel/test_client_cert.pem
[ ] Private key check succeeded
[:] Service [mllp-to-dip] needs authentication to prevent MITM attacks
[ ] DH initialization skipped: client section
[ ] ECDH initialization
[ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
[.] Configuration successful
[ ] Deallocating deployed section defaults
[ ] Binding service [mllp-to-dip]
[ ] Listening file descriptor created (FD=9)
[ ] Setting accept socket options (FD=9)
[ ] Option SO_REUSEADDR set on accept socket
[.] Binding service [mllp-to-dip] to :::6661: Address already in use (48)
[ ] Listening file descriptor created (FD=9)
[ ] Setting accept socket options (FD=9)
[ ] Option SO_REUSEADDR set on accept socket
[.] Binding service [mllp-to-dip] to 0.0.0.0:6661: Address already in use (48)
[!] Binding service [mllp-to-dip] failed
[ ] Unbinding service [mllp-to-dip]
[ ] Service [mllp-to-dip] closed
[ ] Deallocating deployed section defaults
[ ] Deallocating section [mllp-to-dip]
Can someone help with my troubleshooting steps?
The message "Address already in use" indicates the core problem. Something *else* is already attached to port 6661. Either another instance of stunnel, or some system service.
-- Mike
Hiya,
Thank you for your message.
I can confirm that your logs say that port number already exists and is being used.
Therefore, either find out what service is using the port in question, or change the port and restart your stunnel:
systemctl restart stunnel4
Then, to check: systemctl status stunnel4
Provide me the logs again; let's see if you still face the same issue.
Please note: please make sure you have added the port to the incoming and outgoing rules of your firewall, if you use one.
Kind regards, Danny - system engineer
On Thu, 19 Jan 2023, 9:49 pm Mike Spooner, mikes@aalin.co.uk wrote:
> The message "Address already in use" indicates the core problem. Something *else* is already attached to port 6661. Either another instance of stunnel, or some system service.
> -- Mike
stunnel-users mailing list -- stunnel-users@stunnel.org To unsubscribe send an email to stunnel-users-leave@stunnel.org
Hi there! I am facing the same issue. My server is Debian 11. I tried several setups and all of them are working on different operating systems like Debian 9/10 & Ubuntu 18. I also tried to restart stunnel4 but I am still facing the same problem:
[ ] Clients allowed=500
[.] stunnel 5.56 on x86_64-pc-linux-gnu platform
[.] Compiled with OpenSSL 1.1.1k 25 Mar 2021
[.] Running with OpenSSL 1.1.1n 15 Mar 2022
[.] Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [ssh]
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Loading certificate from file: /etc/stunnel/stunnel.pem
[ ] Certificate loaded from file: /etc/stunnel/stunnel.pem
[ ] Loading private key from file: /etc/stunnel/stunnel.pem
[ ] Private key loaded from file: /etc/stunnel/stunnel.pem
[ ] Private key check succeeded
[ ] DH initialization not needed
[ ] ECDH initialization
[ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384
[.] Configuration successful
[ ] Binding service [ssh]
[ ] Listening file descriptor created (FD=9)
[ ] Setting accept socket options (FD=9)
[ ] Option SO_REUSEADDR set on accept socket
[.] Binding service [ssh] to 0.0.0.0:443: Address already in use (98)
[ ] Listening file descriptor created (FD=9)
[ ] Setting accept socket options (FD=9)
[ ] Option SO_REUSEADDR set on accept socket
[.] Binding service [ssh] to :::443: Address already in use (98)
[!] Binding service [ssh] failed
[ ] Deallocating section defaults
[ ] Unbinding service [ssh]
[ ] Service [ssh] closed
[ ] Deallocating section [ssh]
When I restart stunnel4, this is the log:
LOG5[ui]: Compiled with OpenSSL 1.1.1k 25 Mar 2021
LOG5[ui]: Running with OpenSSL 1.1.1n 15 Mar 2022
LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
LOG5[ui]: UTF-8 byte order mark not detected
LOG5[ui]: FIPS mode disabled
LOG5[ui]: Configuration successful
LOG5[ui]: Binding service [ssh] to :::443: Address already in use (98)
Starting TLS tunnels: /etc/stunnel/stunnel.conf: started (no pid=pidfile specified!)
Started LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).
When a client tries to connect, this is what it shows:
LOG5[1]: Service [ssh] accepted connection from 112.206.147.228:45614
LOG5[1]: s_connect: connected 127.0.0.1:555
LOG5[1]: Service [ssh] connected remote server from 127.0.0.1:56980
LOG5[1]: Connection closed: 514 byte(s) sent to TLS, 115 byte(s) sent to socket
LOG3[0]: SSL_accept: Peer suddenly disconnected
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
LOG5[2]: Service [ssh] accepted connection from 112.206.147.228:45616
LOG5[2]: s_connect: connected 127.0.0.1:555
LOG5[2]: Service [ssh] connected remote server from 127.0.0.1:56984
LOG5[2]: Connection closed: 514 byte(s) sent to TLS, 102 byte(s) sent to socket
On the client side the error message is "Cannot read full block, EOF reached."
I would guess that the key message in the log is:
0.0.0.0:443: Address already in use (98)
Check for some other software (or another stunnel instance) already listening on port 443.
-- Mike
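As an added example, not code from the thread, from stunnel or from any poster, a small POSIX shell helper for the check Mike suggests: list the process that already holds the listening port (ss on Linux, lsof on the Mac of the first poster). The `ss -ltnp` sample output, its PIDs and command names are constructed so the parser can be exercised without root or live sockets.

```shell
#!/bin/sh
# Added example for this thread (not stunnel's code): answer the question behind a
# "Binding service [...] to 0.0.0.0:443: Address already in use" failure, i.e. which
# process already holds the listening port. The parser is split from the live check so
# it can be run against the constructed sample below.

# Constructed sample of `ss -ltnp` output (not real data): a stunnel4 holds 443 on IPv4
# and IPv6, the backend from the thread's log sits on 127.0.0.1:555, and 6661 shows no
# owner, which is what an unprivileged user sees for another user's process.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:443         0.0.0.0:*         users:(("stunnel4",pid=1234,fd=9))
LISTEN 0      4096   [::]:443            [::]:*            users:(("stunnel4",pid=1234,fd=10))
LISTEN 0      128    127.0.0.1:555       0.0.0.0:*         users:(("sshd",pid=777,fd=3))
LISTEN 0      4096   0.0.0.0:6661        0.0.0.0:*'

# listeners_on_port PORT: read `ss -ltnp` text on stdin and print "PID COMMAND" for every
# LISTEN socket on PORT. Handles 0.0.0.0:PORT, 127.0.0.1:PORT, :::PORT and [::]:PORT.
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                 # last colon-separated field is the port
            if (a[n] != port) next
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)   # users:(("stunnel4",pid=1234
                sub(/^users:\(\("/, "", s)       # stunnel4",pid=1234
                split(s, p, /",pid=/)
                print p[2], p[1]
            } else {
                print "?", "? (owner hidden; re-run as root)"
            }
        }'
}

# who_has_port PORT: live check on this host. Linux uses ss; macOS uses lsof.
# A stunnel/stunnel4 owner means an earlier instance is still running (a "restart" only
# started a second copy that could not bind); any other owner is a genuine port clash.
who_has_port() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp | listeners_on_port "$1"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN | awk 'NR > 1 { print $2, $1 }'
    else
        echo "need ss or lsof" >&2
        return 1
    fi
}

# Demonstration on the constructed sample (prints "1234 stunnel4" twice, once per family).
printf '%s\n' "$SAMPLE_SS" | listeners_on_port 443
```

Run `who_has_port 443` (or 6661) on the affected host; on Linux run it as root so the Process column is populated.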