At some point in the near past stunnel stopped working on my laptop. The laptop is running Linux Mint 17.1 Rebecca x64 and stunnel from the repositories. I enabled debug=7, but I am not getting much from the log:
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Clients allowed=500
2015.05.08 17:12:06 LOG5[10804:140318864611136]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Compiled with OpenSSL 1.0.1e 11 Feb 2013
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Running with OpenSSL 1.0.1f 6 Jan 2014
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Update OpenSSL shared libraries or rebuild stunnel
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Reading configuration from file /etc/stunnel/stunnel.conf
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Compression not enabled
2015.05.08 17:12:06 LOG7[10804:140318864611136]: PRNG seeded successfully
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [telnets]
2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [dsp3270s]
2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Configuration successful
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [telnets] (FD=12) bound to 0.0.0.0:3141
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [dsp3270s] (FD=13) bound to 0.0.0.0:7490
2015.05.08 17:12:06 LOG7[10810:140318864611136]: Created pid file /stunnel4.pid
2015.05.08 17:12:31 LOG7[10810:140318864611136]: Service [telnets] accepted (FD=3) from 127.0.0.1:40090
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] started
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Acquired libwrap process #0
2015.05.08 17:12:31 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)
2015.05.08 17:12:31 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Local socket (FD=3) closed
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] finished (0 left)
2015.05.08 17:12:31 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2015.05.08 17:13:32 LOG7[10810:140318864611136]: Service [dsp3270s] accepted (FD=3) from 127.0.0.1:48534
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] started
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Acquired libwrap process #1
2015.05.08 17:13:32 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)
2015.05.08 17:13:32 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Local socket (FD=3) closed
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] finished (0 left)
2015.05.08 17:13:32 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
I don't even see the IP address for the outbound connection, so it seems as if it is hitting a problem even before it gets that far. Configuration is pretty simple:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
socket = l:TCP_KEEPCNT=5
socket = r:TCP_KEEPCNT=5
socket = l:TCP_KEEPIDLE=10
socket = r:TCP_KEEPIDLE=10
socket = l:TCP_KEEPINTVL=2
socket = r:TCP_KEEPINTVL=2
;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[telnets]
accept = 3141
;connect = 192.168.80.11:992
;connect = DurgeeEnterprises.publicvm.com:992
connect = 192.168.80.5:992

[dsp3270s]
accept = 7490
;connect = 192.168.80.11:246
;connect = DurgeeEnterprises.publicvm.com:246
connect = 192.168.80.5:246

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini
Any thoughts on how to track this down and get this working?
Dave
Please see highlighted below:
On Fri, May 8, 2015 at 5:27 PM, David H. Durgee dhdurgee@verizon.net wrote:
At some point in the near past stunnel stopped working on my laptop. The laptop is running Linux Mint 17.1 Rebecca x64 and stunnel from the repositories. I enabled debug=7, but I am not getting much from the log:
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Clients allowed=500
*2015.05.08 17:12:06 LOG5[10804:140318864611136]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Compiled with OpenSSL 1.0.1e 11 Feb 2013
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Running with OpenSSL 1.0.1f 6 Jan 2014
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Update OpenSSL shared libraries or rebuild stunnel*
Is there a reason that you're using libraries from a different compiled Stunnel? In fact, isn't there another Stunnel package you can use that is more up-to-date? If not, perhaps compile your own using the OpenSSL libraries that come with Mint.
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Reading configuration from file /etc/stunnel/stunnel.conf
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Compression not enabled
2015.05.08 17:12:06 LOG7[10804:140318864611136]: PRNG seeded successfully
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [telnets]
*2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem*
Warning: the permissions may be too wide-open (should be 700 I assume)
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [dsp3270s]
*2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem*
Same as above, perhaps too wide open, permissions should be 700 I assume.
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Configuration successful
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [telnets] (FD=12) bound to 0.0.0.0:3141
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [dsp3270s] (FD=13) bound to 0.0.0.0:7490
2015.05.08 17:12:06 LOG7[10810:140318864611136]: Created pid file /stunnel4.pid
2015.05.08 17:12:31 LOG7[10810:140318864611136]: Service [telnets] accepted (FD=3) from 127.0.0.1:40090
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] started
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Acquired libwrap process #0
*2015.05.08 17:12:31 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)
2015.05.08 17:12:31 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Local socket (FD=3) closed*
That sounds like SELinux permissions perhaps? Have you tried temporarily disabling SELinux, or perhaps you have a firewall (iptables) set up? You'll have to allow the incoming port and possibly an entry in /etc/services IIRC. I don't know if this helps but this is what I found: https://sites.google.com/site/easylinuxtipsproject/security A link to "ufw" may prove useful, if your system has that installed. Most systems have locked-down privileged ports (any port less than 1024, like in your example).
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] finished (0 left)
2015.05.08 17:12:31 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2015.05.08 17:13:32 LOG7[10810:140318864611136]: Service [dsp3270s] accepted (FD=3) from 127.0.0.1:48534
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] started
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Acquired libwrap process #1
*2015.05.08 17:13:32 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)*
That sounds like some kind of firewall issue (like above).
2015.05.08 17:13:32 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Local socket (FD=3) closed
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] finished (0 left)
2015.05.08 17:13:32 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
When in a situation like this, I would first try unprivileged ports with localhost using iperf, just to generate some dummy traffic. A good technique I use when debugging stunnel versus debugging networking or other security issues is to do local traffic only like this:
1. iperf client connect to localhost port 5000
2. Stunnel client listen on port 5000, connect to localhost port 6000
3. Stunnel server listen on port 6000, connect to localhost port 7000
4. iperf server listening on localhost port 7000
As you can see from that, running iperf client for a few seconds, it should be able to connect to the iperf server. If not, stunnel is not working. Debug this FIRST before proceeding to working with non-localhost IP addresses. The actual procedure would be as follows:
1. Download/install iperf
2. Verify iperf works by having one shell run as server, listening on localhost port 7000, and another shell set up as iperf client sending on port 7000. If that works, then proceed. Don't use iperf to connect to port 7000 again.
3. Set up two config files, one for stunnel client and one for stunnel server, with different ports and the "client=yes" in the client config file. For easier detection with "ps" or "top", you can copy the executable file to another name (i.e., "s4client" for the stunnel 4 client, and "s4server" for the stunnel 4 server). Similarly for iperf, you can copy the exe to "iperfc" and "iperfs" for iperf server, for easier process detection.
4. Start up the stunnel server first, then stunnel client, with the appropriate config files per the port enumeration mentioned above.
5. Start iperf server listening on port 7000.
6. Start iperf client sending on port 5000.
If you get some really large value or nothing, then your stunnel config (client/server) needs to be debugged first before proceeding to non-localhost IPs. I usually get something like 3GB/sec when using a Windows 7 VM inside Windows 7 doing this from DOS prompts with appropriate server/client configs set up. I usually use four windows: two for iperf (c/s), two for stunnel (c/s).
Hope that helps... -Rob
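Rob's loopback chain from the two lists above (iperf client -> stunnel client :5000 -> stunnel server :6000 -> iperf server :7000), as an added example that is not part of the thread: a POSIX sh scaffold that writes the two stunnel configs, generates a throwaway self-signed key+cert with 0600 permissions, and drives iperf through the chain. The stunnel4 and iperf (iperf2) binary names, the /tmp/stunnel-loopback work directory and the [iperf-c]/[iperf-s] section names are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the thread: scaffold Rob's loopback chain
#   iperf client -> stunnel client :5000 -> stunnel server :6000 -> iperf server :7000
# Assumed (not on the page): stunnel4 and iperf2 binaries on PATH, openssl for a test cert.
WORKDIR="${WORKDIR:-/tmp/stunnel-loopback}"
STUNNEL="${STUNNEL:-stunnel4}"
# Client side: accept plaintext from iperf on 5000, wrap it in TLS towards 6000.
write_client_conf() {
  cat > "$1" <<EOF
client = yes
foreground = yes
debug = 7
output = $WORKDIR/client.log
[iperf-c]
accept = 127.0.0.1:5000
connect = 127.0.0.1:6000
EOF
}
# Server side: terminate TLS on 6000, pass plaintext to the iperf server on 7000.
# No "client = yes" here; $2 is the PEM holding the server key and certificate.
write_server_conf() {
  cat > "$1" <<EOF
foreground = yes
debug = 7
output = $WORKDIR/server.log
cert = $2
[iperf-s]
accept = 127.0.0.1:6000
connect = 127.0.0.1:7000
EOF
}
# Throwaway self-signed key+cert, created 0600 so stunnel does not warn about permissions.
make_test_cert() {
  (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=loopback-test" \
     -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1 && cat "$1.key" "$1.crt" > "$1")
}
# Start the pieces in Rob's order (stunnel server, stunnel client, iperf server),
# then drive traffic with the iperf client through port 5000.
run_loopback_test() {
  mkdir -p "$WORKDIR" && make_test_cert "$WORKDIR/test.pem" || return 1
  write_server_conf "$WORKDIR/server.conf" "$WORKDIR/test.pem"
  write_client_conf "$WORKDIR/client.conf"
  "$STUNNEL" "$WORKDIR/server.conf" & "$STUNNEL" "$WORKDIR/client.conf" &
  iperf -s -B 127.0.0.1 -p 7000 >"$WORKDIR/iperf-server.log" 2>&1 &
  sleep 1
  iperf -c 127.0.0.1 -p 5000 -t 3    # no throughput here: debug stunnel before anything remote
  kill $(jobs -p) 2>/dev/null
}
if [ "${1:-}" = "run" ]; then run_loopback_test; fi
```

Invoke as `sh loopback.sh run`; the per-side logs under the work directory show which hop drops the connection, which is exactly what the single client-only config in the original post cannot tell you.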