I use stunnel as a https proxy for my own http server (*).
The server mode of stunnel 5.x does not work any more. It accepts the connection and then immediately closes it without sending back any data. stunnel 4.x is working fine (for many years!), with the same configuration.
Here is my (test) config which shows the problem (host is Ubuntu 16.04):
root@xerus:/tmp# cat stunnel.conf
pid = /tmp/stunnel.pid
output = /home/fex/spool/stunneld.log
debug = debug
fips = no
foreground = yes

[https]
accept = 443
cert = /home/fex/etc/stunnel.pem
sslVersion = all
TIMEOUTclose = 1
exec = perl
execargs = perl -T /home/fex/bin/fexsrv stunnel
root@xerus:/tmp# /opt/stunnel-5.35/bin/stunnel stunnel.conf
2016.08.30 18:58:55 LOG7[ui]: Clients allowed=500
2016.08.30 18:58:55 LOG5[ui]: stunnel 5.35 on x86_64-unknown-linux-gnu platform
2016.08.30 18:58:55 LOG5[ui]: Compiled/running with OpenSSL 1.0.2g-fips 1 Mar 2016
2016.08.30 18:58:55 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.08.30 18:58:55 LOG7[ui]: errno: (*__errno_location ())
2016.08.30 18:58:55 LOG5[ui]: Reading configuration from file /tmp/stunnel.conf
2016.08.30 18:58:55 LOG5[ui]: UTF-8 byte order mark not detected
2016.08.30 18:58:55 LOG5[ui]: FIPS mode disabled
2016.08.30 18:58:55 LOG7[ui]: Compression disabled
2016.08.30 18:58:55 LOG7[ui]: Snagged 64 random bytes from /root/.rnd
2016.08.30 18:58:55 LOG7[ui]: Wrote 1024 new random bytes to /root/.rnd
2016.08.30 18:58:55 LOG7[ui]: PRNG seeded successfully
2016.08.30 18:58:55 LOG6[ui]: Initializing service [https]
2016.08.30 18:58:55 LOG6[ui]: Loading certificate from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: Certificate loaded from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: Loading private key from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: Private key loaded from file: /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG7[ui]: Private key check succeeded
2016.08.30 18:58:55 LOG7[ui]: DH initialization
2016.08.30 18:58:55 LOG7[ui]: Using DH parameters from /home/fex/etc/stunnel.pem
2016.08.30 18:58:55 LOG6[ui]: 1024-bit DH parameters loaded
2016.08.30 18:58:55 LOG7[ui]: ECDH initialization
2016.08.30 18:58:55 LOG7[ui]: ECDH initialized with curve prime256v1
2016.08.30 18:58:55 LOG7[ui]: SSL options: 0x03004004 (+0x03004000, -0x00000000)
2016.08.30 18:58:55 LOG5[ui]: Configuration successful
2016.08.30 18:58:55 LOG7[ui]: Listening file descriptor created (FD=7)
2016.08.30 18:58:55 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2016.08.30 18:58:55 LOG7[ui]: Service [https] (FD=7) bound to 0.0.0.0:443
2016.08.30 18:58:55 LOG7[ui]: Created pid file /tmp/stunnel.pid
(here comes the https client connect)
2016.08.30 18:59:20 LOG7[ui]: Found 1 ready file descriptor(s)
2016.08.30 18:59:20 LOG7[ui]: FD=4 events=0x2001 revents=0x0
2016.08.30 18:59:20 LOG7[ui]: FD=7 events=0x2001 revents=0x1
2016.08.30 18:59:20 LOG7[ui]: Service [https] accepted (FD=3) from 127.0.0.1:44166
2016.08.30 18:59:20 LOG7[0]: Service [https] started
2016.08.30 18:59:20 LOG7[0]: Option TCP_NODELAY set on local socket
2016.08.30 18:59:20 LOG5[0]: Service [https] accepted connection from 127.0.0.1:44166
2016.08.30 18:59:20 LOG6[0]: Peer certificate not required
2016.08.30 18:59:20 LOG7[0]: SSL state (accept): before/accept initialization
2016.08.30 18:59:20 LOG7[0]: SNI: no virtual services defined
2016.08.30 18:59:20 LOG7[0]: New session callback
2016.08.30 18:59:20 LOG7[0]: 1 server accept(s) requested
2016.08.30 18:59:20 LOG7[0]: 1 server accept(s) succeeded
2016.08.30 18:59:20 LOG7[0]: 0 server renegotiation(s) requested
2016.08.30 18:59:20 LOG7[0]: 0 session reuse(s)
2016.08.30 18:59:20 LOG7[0]: 0 internal session cache item(s)
2016.08.30 18:59:20 LOG7[0]: 0 internal session cache fill-up(s)
2016.08.30 18:59:20 LOG7[0]: 0 internal session cache miss(es)
2016.08.30 18:59:20 LOG7[0]: 0 external session cache hit(s)
2016.08.30 18:59:20 LOG7[0]: 0 expired session(s) retrieved
2016.08.30 18:59:20 LOG6[0]: SSL accepted: new session negotiated
2016.08.30 18:59:20 LOG6[0]: No peer certificate received
2016.08.30 18:59:20 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-SHA256 (128-bit encryption)
2016.08.30 18:59:20 LOG7[0]: Compression: null, expansion: null
2016.08.30 18:59:20 LOG6[0]: Local mode child started (PID=30833)
2016.08.30 18:59:20 LOG7[0]: Option TCP_NODELAY set on remote socket
2016.08.30 18:59:20 LOG7[0]: Remote descriptor (FD=11) initialized
2016.08.30 18:59:20 LOG6[0]: Read socket closed (readsocket)
2016.08.30 18:59:20 LOG7[0]: Sending close_notify alert
2016.08.30 18:59:20 LOG7[0]: SSL alert (write): warning: close notify
2016.08.30 18:59:20 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2016.08.30 18:59:20 LOG7[ui]: Found 1 ready file descriptor(s)
2016.08.30 18:59:20 LOG7[ui]: FD=4 events=0x2001 revents=0x1
2016.08.30 18:59:20 LOG7[ui]: FD=7 events=0x2001 revents=0x0
2016.08.30 18:59:20 LOG7[ui]: Dispatching signals from the signal pipe
2016.08.30 18:59:20 LOG7[ui]: Processing SIGCHLD
2016.08.30 18:59:20 LOG6[ui]: Child process 30833 finished with code 1
2016.08.30 18:59:20 LOG7[ui]: Signal pipe is empty
2016.08.30 18:59:20 LOG3[0]: socket fd: Broken pipe (32)
2016.08.30 18:59:20 LOG6[0]: writesocket: Socket is closed
2016.08.30 18:59:20 LOG5[0]: Connection closed: 0 byte(s) sent to SSL, 23 byte(s) sent to socket
2016.08.30 18:59:20 LOG7[0]: Remote descriptor (FD=11) closed
2016.08.30 18:59:20 LOG7[0]: Local descriptor (FD=3) closed
2016.08.30 18:59:20 LOG7[0]: Service [https] finished (0 left)
The client receives no data at all, the connection is closed by the server (stunnel).
As I wrote: with stunnel 4.27 everything works as expected. Does stunnel 5.x need another configuration?
(*) http://fex.rus.uni-stuttgart.de/
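Added example, not part of the post above and not code from stunnel or from the F*EX project: the log shows stunnel's local mode spawning the exec child, the child exiting with code 1, and 0 bytes going back to the TLS side, but stunnel does not log the child's stderr. The harness below reproduces what local mode does (a socketpair handed to the child as stdin/stdout, the decrypted request written into it) without TLS, so an exec target can be run the same way outside stunnel and its exit code, reply and stderr inspected directly. The two child commands are constructed stand-ins, not the fexsrv program; setting REMOTE_HOST in the child's environment mirrors what stunnel does for exec children and should be checked against the manual of the stunnel version in use.

```python
"""Run an exec-mode child the way stunnel's local mode does, minus TLS.

stunnel's `exec`/`execargs` mode connects the decrypted client stream to the
child's stdin/stdout over a socketpair ("Local mode child started" in the log).
This harness does the same, so a child that exits with code 1 before writing
anything can be observed directly, together with its stderr.
"""
import os
import socket
import subprocess
import sys
import threading


def run_local_mode(argv, request, timeout=5.0, remote_host="127.0.0.1"):
    """Spawn argv with a socketpair as stdin/stdout, send `request`, collect the reply.

    Returns {"reply": bytes the child wrote back, "exit_code": int, "stderr": str}.
    """
    parent_sock, child_sock = socket.socketpair()
    # Assumption: stunnel exports REMOTE_HOST to exec children; verify for your version.
    env = dict(os.environ, REMOTE_HOST=remote_host)
    proc = subprocess.Popen(
        argv,
        stdin=child_sock.fileno(),
        stdout=child_sock.fileno(),
        stderr=subprocess.PIPE,
        env=env,
    )
    child_sock.close()  # drop the parent's copy, otherwise EOF never arrives

    # Drain stderr on a thread so a chatty child cannot deadlock against the recv loop.
    stderr_chunks = []

    def _drain():
        stderr_chunks.append(proc.stderr.read())

    drainer = threading.Thread(target=_drain, daemon=True)
    drainer.start()

    parent_sock.settimeout(timeout)
    reply = b""
    try:
        parent_sock.sendall(request)
        while True:
            chunk = parent_sock.recv(4096)
            if not chunk:  # child closed its end (exited)
                break
            reply += chunk
    except (socket.timeout, BrokenPipeError, ConnectionResetError):
        pass  # child died early or stalled; report whatever was collected
    finally:
        parent_sock.close()

    try:
        exit_code = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()
        exit_code = proc.wait()
    drainer.join(timeout)
    return {
        "reply": reply,
        "exit_code": exit_code,
        "stderr": b"".join(stderr_chunks).decode(errors="replace"),
    }


# Constructed stand-ins for the exec target (not the fexsrv program from the post).
# GOOD_CHILD answers like a minimal HTTP server; BAD_CHILD dies on startup with code 1,
# which is the pattern in the stunnel 5.35 log above.
GOOD_CHILD = [sys.executable, "-c",
              "import sys; line = sys.stdin.readline(); "
              "sys.stdout.write('HTTP/1.0 200 OK\\r\\n\\r\\n' + line); sys.stdout.flush()"]
BAD_CHILD = [sys.executable, "-c",
             "import sys; sys.stderr.write('startup failed\\n'); sys.exit(1)"]

if __name__ == "__main__":
    for name, argv in (("good", GOOD_CHILD), ("bad", BAD_CHILD)):
        r = run_local_mode(argv, b"GET / HTTP/1.0\r\n")
        print(f"{name}: exit={r['exit_code']} reply={r['reply']!r} stderr={r['stderr']!r}")
```

To test a real exec target, pass its argv (for the post's configuration that would be the execargs list, run under the same user and environment stunnel uses) and a captured plaintext request; a non-zero exit code with an empty reply is the same picture the stunnel log gives, but now with the child's stderr attached.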