Hello!
I am trying to set up stunnel from a Windows box to a VPS. I have working tunnels from a FreeBSD box to the VPS.
On the VPS, the config looks like:
[socks_server]
protocol = socks
PSKsecrets = /my/secret/location/secrets.txt
accept = xxx.xxx.xxx.xxx:xxxx

[ssh]
PSKsecrets = /my/secret/location/hecrets.txt
accept = xxx.xxx.xxx.xxx:xxxx
connect = 127.0.0.1:22
On the Windows box, the config looks like this:
[socks_client2]
debug = 7
client = yes
PSKsecrets = c:\my\secret\location\secrets.txt
accept = 127.0.0.1:1080
connect = xxx.xxx.xxx.xxx:xxxx
The log on Windows looks like this:
2018.07.19 13:13:09 LOG5[main]: stunnel 5.48 on x86-pc-msvc-1500 platform
2018.07.19 13:13:09 LOG5[main]: Compiled/running with OpenSSL 1.0.2o-fips 27 Mar 2018
2018.07.19 13:13:09 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2018.07.19 13:13:09 LOG5[main]: Reading configuration from file stunnel.conf
2018.07.19 13:13:09 LOG5[main]: UTF-8 byte order mark detected
2018.07.19 13:13:09 LOG5[main]: FIPS mode disabled
2018.07.19 13:13:09 LOG5[main]: Configuration successful
2018.07.19 13:13:11 LOG7[0]: Service [socks_client2] started
2018.07.19 13:13:11 LOG7[0]: Setting local socket options (FD=460)
2018.07.19 13:13:11 LOG7[0]: Option TCP_NODELAY set on local socket
2018.07.19 13:13:11 LOG5[0]: Service [socks_client2] accepted connection from 127.0.0.1:56598
2018.07.19 13:13:11 LOG6[0]: s_connect: connecting xxx.xxx.xxx.xxx:xxxx
2018.07.19 13:13:11 LOG7[0]: s_connect: s_poll_wait xxx.xxx.xxx.xxx:xxxx: waiting 10 seconds
2018.07.19 13:13:11 LOG5[0]: s_connect: connected xxx.xxx.xxx.xxx:xxxx
2018.07.19 13:13:11 LOG5[0]: Service [socks_client2] connected remote server from 192.168.1.65:56599
2018.07.19 13:13:11 LOG7[0]: Setting remote socket options (FD=508)
2018.07.19 13:13:11 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.07.19 13:13:11 LOG7[0]: Remote descriptor (FD=508) initialized
2018.07.19 13:13:11 LOG6[0]: SNI: sending servername: xxx.xxx.xxx.xxx
2018.07.19 13:13:11 LOG6[0]: Peer certificate not required
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): before/connect initialization
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv2/v3 write client hello A
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 read server hello A
2018.07.19 13:13:11 LOG6[0]: Client certificate not requested
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 read server done A
2018.07.19 13:13:11 LOG6[0]: PSK client configured for identity "user2"
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 write client key exchange A
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 write change cipher spec A
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 write finished A
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 flush data
2018.07.19 13:13:11 LOG3[0]: SSL_connect: Peer suddenly disconnected
2018.07.19 13:13:11 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.07.19 13:13:11 LOG7[0]: Deallocating application specific data for session connect address
2018.07.19 13:13:11 LOG7[0]: Remote descriptor (FD=508) closed
2018.07.19 13:13:11 LOG7[0]: Local descriptor (FD=460) closed
2018.07.19 13:13:11 LOG7[0]: Service [socks_client2] finished (0 left)
2018.07.19 13:13:34 LOG7[1]: Service [socks_client2] started
2018.07.19 13:13:34 LOG7[1]: Setting local socket options (FD=528)
2018.07.19 13:13:34 LOG7[1]: Option TCP_NODELAY set on local socket
2018.07.19 13:13:34 LOG5[1]: Service [socks_client2] accepted connection from 127.0.0.1:56601
2018.07.19 13:13:34 LOG6[1]: s_connect: connecting xxx.xxx.xxx.xxx:xxxx
2018.07.19 13:13:34 LOG7[1]: s_connect: s_poll_wait xxx.xxx.xxx.xxx:xxxx: waiting 10 seconds
2018.07.19 13:13:34 LOG5[1]: s_connect: connected xxx.xxx.xxx.xxx:xxxx
2018.07.19 13:13:34 LOG5[1]: Service [socks_client2] connected remote server from 192.168.1.65:56602
2018.07.19 13:13:34 LOG7[1]: Setting remote socket options (FD=536)
2018.07.19 13:13:34 LOG7[1]: Option TCP_NODELAY set on remote socket
2018.07.19 13:13:34 LOG7[1]: Remote descriptor (FD=536) initialized
2018.07.19 13:13:34 LOG6[1]: SNI: sending servername: xxx.xxx.xxx.xxx
2018.07.19 13:13:34 LOG6[1]: Peer certificate not required
2018.07.19 13:13:34 LOG7[1]: TLS state (connect): before/connect initialization
2018.07.19 13:13:34 LOG7[1]: TLS state (connect): SSLv2/v3 write client hello A
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 read server hello A
2018.07.19 13:13:35 LOG6[1]: Client certificate not requested
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 read server done A
2018.07.19 13:13:35 LOG6[1]: PSK client configured for identity "user2"
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 write client key exchange A
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 write change cipher spec A
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 write finished A
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 flush data
2018.07.19 13:13:35 LOG7[1]: TLS alert (read): fatal: bad record mac
2018.07.19 13:13:35 LOG3[1]: SSL_connect: 140943FC: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
2018.07.19 13:13:35 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.07.19 13:13:35 LOG7[1]: Deallocating application specific data for session connect address
2018.07.19 13:13:35 LOG7[1]: Remote descriptor (FD=536) closed
2018.07.19 13:13:35 LOG7[1]: Local descriptor (FD=528) closed
2018.07.19 13:13:35 LOG7[1]: Service [socks_client2] finished (0 left)
2018.07.19 13:14:06 LOG7[2]: Service [socks_client2] started
2018.07.19 13:14:06 LOG7[2]: Setting local socket options (FD=1880)
2018.07.19 13:14:06 LOG7[2]: Option TCP_NODELAY set on local socket
2018.07.19 13:14:06 LOG5[2]: Service [socks_client2] accepted connection from 127.0.0.1:56604
2018.07.19 13:14:06 LOG6[2]: s_connect: connecting xxx.xxx.xxx.xxx:xxxx
2018.07.19 13:14:06 LOG7[2]: s_connect: s_poll_wait xxx.xxx.xxx.xxx:xxxx: waiting 10 seconds
2018.07.19 13:14:06 LOG5[2]: s_connect: connected xxx.xxx.xxx.xxx:xxxx
2018.07.19 13:14:06 LOG5[2]: Service [socks_client2] connected remote server from 192.168.1.65:56605
2018.07.19 13:14:06 LOG7[2]: Setting remote socket options (FD=2044)
2018.07.19 13:14:06 LOG7[2]: Option TCP_NODELAY set on remote socket
2018.07.19 13:14:06 LOG7[2]: Remote descriptor (FD=2044) initialized
2018.07.19 13:14:06 LOG6[2]: SNI: sending servername: xxx.xxx.xxx.xxx
2018.07.19 13:14:06 LOG6[2]: Peer certificate not required
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): before/connect initialization
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): SSLv2/v3 write client hello A
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): SSLv3 read server hello A
2018.07.19 13:14:06 LOG6[2]: Client certificate not requested
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): SSLv3 read server done A
2018.07.19 13:14:06 LOG6[2]: PSK client configured for identity "user2"
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): SSLv3 write client key exchange A
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): SSLv3 write change cipher spec A
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): SSLv3 write finished A
2018.07.19 13:14:06 LOG7[2]: TLS state (connect): SSLv3 flush data
2018.07.19 13:14:06 LOG7[2]: TLS alert (read): fatal: bad record mac
2018.07.19 13:14:06 LOG3[2]: SSL_connect: 140943FC: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
2018.07.19 13:14:06 LOG5[2]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2018.07.19 13:14:06 LOG7[2]: Deallocating application specific data for session connect address
2018.07.19 13:14:06 LOG7[2]: Remote descriptor (FD=2044) closed
2018.07.19 13:14:06 LOG7[2]: Local descriptor (FD=1880) closed
2018.07.19 13:14:06 LOG7[2]: Service [socks_client2] finished (0 left)
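
An added example, not part of the original post: a Python helper that groups stunnel debug-log entries by connection number and reports, for each attempt, the PSK identity offered, the last TLS state reached, and the alert or error that ended it. The sample input is an excerpt of the client log above; the names `summarize`, `ENTRY`, `STAMP` and `IDENTITY` are chosen for this example.

```python
import re

# Excerpt of the client log above (attempts 0 and 1), addresses as redacted there.
SAMPLE = """\
2018.07.19 13:13:11 LOG6[0]: PSK client configured for identity "user2"
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 write finished A
2018.07.19 13:13:11 LOG7[0]: TLS state (connect): SSLv3 flush data
2018.07.19 13:13:11 LOG3[0]: SSL_connect: Peer suddenly disconnected
2018.07.19 13:13:35 LOG6[1]: PSK client configured for identity "user2"
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 write finished A
2018.07.19 13:13:35 LOG7[1]: TLS state (connect): SSLv3 flush data
2018.07.19 13:13:35 LOG7[1]: TLS alert (read): fatal: bad record mac
2018.07.19 13:13:35 LOG3[1]: SSL_connect: 140943FC: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
"""

STAMP = r"\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d"
# One entry = timestamp, level, thread id, then text up to the next timestamp,
# so entries that were wrapped or run together on one line still parse.
ENTRY = re.compile(
    r"(%s) LOG(\d)\[(\w+)\]: (.*?)(?=\s*%s LOG\d\[|\Z)" % (STAMP, STAMP), re.S)
IDENTITY = re.compile(r'PSK client configured for identity "(.*)"')

def summarize(log_text):
    """Return {connection id: identity, last TLS state, alert, error}."""
    conns = {}
    for _ts, level, cid, msg in ENTRY.findall(log_text):
        if cid == "main":            # start-up messages, not a connection
            continue
        msg = " ".join(msg.split())  # undo line wrapping inside an entry
        c = conns.setdefault(cid, dict.fromkeys(
            ("identity", "last_state", "alert", "error")))
        ident = IDENTITY.match(msg)
        if ident:
            c["identity"] = ident.group(1)
        elif msg.startswith("TLS state (connect): "):
            c["last_state"] = msg.split(": ", 1)[1]
        elif msg.startswith("TLS alert (read): "):
            c["alert"] = msg.split(": ", 1)[1]
        elif level == "3":           # LOG3 is stunnel's error level
            c["error"] = msg
    return conns

if __name__ == "__main__":
    for cid, info in summarize(SAMPLE).items():
        print(cid, info)
```

Running the same summary over the server-side log for the matching timestamps shows what the VPS recorded for each of these attempts.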