I have an application that sends XML encrypted traffic over TCP to Stunnel. Stunnel is supposed to decrypt it and send it to the backend application unencrypted; however, no traffic is sent. I have used Wireshark and I do see the Client Hello for TLS 1.2 and the Server Hello for TLS 1.2, so the cipher negotiation is completed.
Here is my config:

sslVersionMax = TLSv1.2
options = -NO_SSLv3

[https]
accept = 27015
connect = 27001
cert = cert.pem
key = key.pem
TIMEOUTclose = 0
Stunnel log in debug 7:

2023.01.13 14:03:42 LOG7[16572]: Service [https] started
2023.01.13 14:03:42 LOG7[16572]: Setting local socket options (FD=1888)
2023.01.13 14:03:42 LOG7[16572]: Option TCP_NODELAY set on local socket
2023.01.13 14:03:42 LOG5[16572]: Service [https] accepted connection from xx.xx.xx.xx:62478
2023.01.13 14:03:42 LOG6[16572]: Peer certificate not required
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): before SSL initialization
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): before SSL initialization
2023.01.13 14:03:42 LOG7[16572]: Decrypt session ticket callback
2023.01.13 14:03:42 LOG7[16572]: Initializing application specific data for session authenticated
2023.01.13 14:03:42 LOG7[16572]: SNI: no virtual services defined
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS read client hello
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write server hello
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write certificate
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write key exchange
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write server done
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write server done
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS read client key exchange
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS read change cipher spec
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS read finished
2023.01.13 14:03:42 LOG7[16572]: Generate session ticket callback
2023.01.13 14:03:42 LOG7[16572]: Initializing application specific data for session authenticated
2023.01.13 14:03:42 LOG7[16572]: Deallocating application specific data for session connect address
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write session ticket
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write change cipher spec
2023.01.13 14:03:42 LOG7[16572]: TLS state (accept): SSLv3/TLS write finished
2023.01.13 14:03:42 LOG7[16572]: 33 server accept(s) requested
2023.01.13 14:03:42 LOG7[16572]: 33 server accept(s) succeeded
2023.01.13 14:03:42 LOG7[16572]: 0 server renegotiation(s) requested
2023.01.13 14:03:42 LOG7[16572]: 0 session reuse(s)
2023.01.13 14:03:42 LOG7[16572]: 1 internal session cache item(s)
2023.01.13 14:03:42 LOG7[16572]: 0 internal session cache fill-up(s)
2023.01.13 14:03:42 LOG7[16572]: 0 internal session cache miss(es)
2023.01.13 14:03:42 LOG7[16572]: 0 external session cache hit(s)
2023.01.13 14:03:42 LOG7[16572]: 0 expired session(s) retrieved
2023.01.13 14:03:42 LOG6[16572]: TLS accepted: new session negotiated
2023.01.13 14:03:42 LOG6[16572]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
2023.01.13 14:03:42 LOG3[16572]: SSL_get_peer_tmp_key: Peer suddenly disconnected
2023.01.13 14:03:42 LOG7[16572]: Compression: null, expansion: null
2023.01.13 14:03:42 LOG7[16572]: Deallocating application specific data for session connect address
2023.01.13 14:03:42 LOG6[16572]: s_connect: connecting 127.0.0.1:27001
2023.01.13 14:03:42 LOG7[16572]: s_connect: s_poll_wait 127.0.0.1:27001: waiting 10 seconds
2023.01.13 14:03:42 LOG7[16572]: FD=1472 ifds=rwx ofds=---
2023.01.13 14:03:42 LOG5[16572]: s_connect: connected 127.0.0.1:27001
2023.01.13 14:03:42 LOG6[16572]: persistence: 127.0.0.1:27001 cached
2023.01.13 14:03:42 LOG5[16572]: Service [https] connected remote server from 127.0.0.1:56732
2023.01.13 14:03:42 LOG7[16572]: Setting remote socket options (FD=1472)
2023.01.13 14:03:42 LOG7[16572]: Option TCP_NODELAY set on remote socket
2023.01.13 14:03:42 LOG7[16572]: Remote descriptor (FD=1472) initialized
2023.01.13 14:03:42 LOG6[16572]: SSL_read: Socket is closed
2023.01.13 14:03:42 LOG6[16572]: TLS socket closed (SSL_read)
2023.01.13 14:03:42 LOG7[16572]: Sent socket write shutdown
2023.01.13 14:03:42 LOG5[16572]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.01.13 14:03:42 LOG7[16572]: Remote descriptor (FD=1472) closed
2023.01.13 14:03:42 LOG7[16572]: Local descriptor (FD=1888) closed
2023.01.13 14:03:42 LOG7[16572]: Service [https] finished (1 left)
Any assistance you can provide would be glorious!

_________________________________
Gary Jackson
On 13/01/2023 20:05, Gary Jackson wrote:
> 2023.01.13 14:03:42 LOG6[16572]: TLS accepted: new session negotiated
> 2023.01.13 14:03:42 LOG6[16572]: TLSv1.2 ciphersuite: ECDHE-RSA-AES256-GCM-SHA384 (256-bit encryption)
> 2023.01.13 14:03:42 LOG6[16572]: SSL_read: Socket is closed
> 2023.01.13 14:03:42 LOG6[16572]: TLS socket closed (SSL_read)
The log says that your stunnel server has successfully negotiated TLS 1.2, and then your TLS client has closed the underlying socket without sending any alert required by RFC 5246.
https://www.rfc-editor.org/rfc/rfc5246#section-7.2
It's hard to guess *why* your client has closed the socket. For example, a prematurely terminated (possibly crashed) client could cause such behavior.
Best regards,
Mike
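To make the diagnosis in the reply repeatable across many connections, here is an added example (not part of either message and not stunnel's own code) that groups stunnel debug log records by connection id and flags the pattern seen above: handshake completed, then the peer dropped the TCP socket without a close_notify alert and zero bytes were relayed. The sample log is constructed; the clean-close wording for connection 16573 is my assumption about stunnel's message, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample, not the poster's full log: connection 16572 reproduces the
# pattern from the thread; 16573 is an assumed clean close (its wording is my assumption).
SAMPLE_LOG = """\
2023.01.13 14:03:42 LOG6[16572]: TLS accepted: new session negotiated
2023.01.13 14:03:42 LOG3[16572]: SSL_get_peer_tmp_key: Peer suddenly disconnected
2023.01.13 14:03:42 LOG6[16572]: SSL_read: Socket is closed
2023.01.13 14:03:42 LOG6[16572]: TLS socket closed (SSL_read)
2023.01.13 14:03:42 LOG5[16572]: Connection closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.01.13 14:05:10 LOG6[16573]: TLS accepted: new session negotiated
2023.01.13 14:05:10 LOG6[16573]: TLS closed (SSL_read)
2023.01.13 14:05:10 LOG5[16573]: Connection closed: 812 byte(s) sent to TLS, 1433 byte(s) sent to socket
"""

LINE_RE = re.compile(r"^\S+ \S+ LOG\d\[(\d+)\]: (.*)$")
BYTES_RE = re.compile(r"Connection closed: (\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")
# Messages stunnel logs when the peer drops TCP instead of sending close_notify (RFC 5246 7.2.1).
ABRUPT_MARKERS = ("SSL_read: Socket is closed", "Peer suddenly disconnected")

def verdict(c):
    """Turn the per-connection facts into a one-line diagnosis."""
    if not c["handshake"]:
        return "handshake never completed"
    if c["abrupt"] and c["to_socket"] == 0:
        return "client dropped TCP right after handshake, nothing relayed: look at the client"
    if c["abrupt"]:
        return "client dropped TCP without close_notify, but data was relayed"
    return "clean close"

def triage(log_text):
    """Group stunnel log records by connection id and classify each connection."""
    conns = defaultdict(lambda: dict(handshake=False, abrupt=False, to_tls=None, to_socket=None))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a stunnel log record
        conn_id, msg = m.groups()
        c = conns[conn_id]
        if msg.startswith("TLS accepted:"):
            c["handshake"] = True
        if any(marker in msg for marker in ABRUPT_MARKERS):
            c["abrupt"] = True
        b = BYTES_RE.search(msg)
        if b:  # stunnel's final byte accounting for the connection
            c["to_tls"], c["to_socket"] = int(b.group(1)), int(b.group(2))
    return {cid: dict(c, verdict=verdict(c)) for cid, c in conns.items()}
```

Run it over a real capture with `triage(open("stunnel.log").read())`; a connection whose verdict says nothing was relayed after a completed handshake points at the client side, exactly as the reply suggests.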