Assistance needed debugging Stunnel AWS EC2 Interface - stunnel-users

15 Nov 2016


      I am using stunnel as a proxy to support SoapUI mock services which are used
to test an SSL based application.  The SoapUI and stunnel proxy are running
on an AWS Ubuntu 14.04 EC2 Instance communicating to a Tomcat server running
on a second AWS Ubuntu 14.04 EC2 Instance.  The target application uses a
wildcard SSL Certificate and works successfully when accessed using a
desktop browser (Chrome or Firefox).
The issue I am encountering is that the stunnel connection logs a "SSL
closed on SSL_read" message as soon as the cipher suite is negotiated as
shown in the following stunnel.log:
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Clients allowed=2000
2016.11.14 21:34:19 LOG5[5287:140430154716992]: stunnel 4.53 on
x86_64-pc-linux-gnu platform
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Compiled with OpenSSL 1.0.1e
11 Feb 2013
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Running  with OpenSSL 1.0.1f
6 Jan 2014
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Update OpenSSL shared
libraries or rebuild stunnel
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Threading:PTHREAD
SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Reading configuration from
file /etc/stunnel/stunnel.conf
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Compression not enabled
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Snagged 64 random bytes from
/home/ubuntu/.rnd
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Wrote 1024 new random bytes
to /home/ubuntu/.rnd
2016.11.14 21:34:19 LOG7[5287:140430154716992]: PRNG seeded successfully
2016.11.14 21:34:19 LOG6[5287:140430154716992]: Initializing service section
[resourceServer]
2016.11.14 21:34:19 LOG4[5287:140430154716992]: Insecure file permissions on
/etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate:
/etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Key file:
/etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Private key loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Verify directory set to
/etc/ssl/certs
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Added /etc/ssl/certs
revocation lookup directory
2016.11.14 21:34:19 LOG7[5287:140430154716992]: SSL options set: 0x00000004
2016.11.14 21:34:19 LOG6[5287:140430154716992]: Initializing service section
[tpserver]
2016.11.14 21:34:19 LOG4[5287:140430154716992]: Insecure file permissions on
/etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate:
/etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Key file:
/etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Private key loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Verify directory set to
/etc/ssl/certs
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Added /etc/ssl/certs
revocation lookup directory
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Could not load DH parameters
from /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Using hardcoded DH
parameters
2016.11.14 21:34:19 LOG7[5287:140430154716992]: DH initialized with 2048-bit
key
2016.11.14 21:34:19 LOG7[5287:140430154716992]: ECDH initialized with curve
prime256v1
2016.11.14 21:34:19 LOG7[5287:140430154716992]: SSL options set: 0x00000004
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Configuration successful
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Service [resourceServer]
(FD=12) bound to 127.0.0.1:8080
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Service [tpserver] (FD=13)
bound to 127.0.0.1:8444
2016.11.14 21:34:19 LOG7[5293:140430154716992]: Created pid file
/var/run/stunnel4.pid
2016.11.14 21:34:25 LOG7[5293:140430154716992]: Service [resourceServer]
accepted (FD=3) from 127.0.0.1:41256
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Service [resourceServer]
started
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Waiting for a libwrap
process
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Acquired libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Releasing libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Released libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Service [resourceServer]
permitted by libwrap from 127.0.0.1:41256
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Service [resourceServer]
accepted connection from 127.0.0.1:41256
2016.11.14 21:34:25 LOG6[5293:140430154827520]: connect_blocking: connecting
52.43.245.161:8443
2016.11.14 21:34:25 LOG7[5293:140430154827520]: connect_blocking:
s_poll_wait 52.43.245.161:8443: waiting 10 seconds
2016.11.14 21:34:25 LOG5[5293:140430154827520]: connect_blocking: connected
52.43.245.161:8443
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Service [resourceServer]
connected remote server from 172.31.44.97:34077
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Remote socket (FD=15)
initialized
2016.11.14 21:34:25 LOG7[5293:140430154827520]: SNI: host name:
52.43.245.161
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate
verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not
enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted:
depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate
verification: depth=1, /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not
enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted:
depth=1, /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate
verification: depth=0, /CN=*.greenbuttonalliance.org
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not
enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted:
depth=0, /CN=*.greenbuttonalliance.org
2016.11.14 21:34:25 LOG6[5293:140430154827520]: SSL connected: new session
negotiated
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Negotiated TLSv1/SSLv3
ciphersuite: AES128-SHA (128-bit encryption)
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Compression: null,
expansion: null
2016.11.14 21:34:45 LOG7[5293:140430154827520]: SSL closed on SSL_read
2016.11.14 21:34:45 LOG7[5293:140430154827520]: Sent socket write shutdown
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Socket closed on read
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Sending close_notify alert
2016.11.14 21:34:56 LOG6[5293:140430154827520]: SSL_shutdown successfully
sent close_notify alert
2016.11.14 21:34:56 LOG5[5293:140430154827520]: Connection closed: 342
byte(s) sent to SSL, 250 byte(s) sent to socket
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Remote socket (FD=15) closed
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Local socket (FD=3) closed
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Service [resourceServer]
finished (0 left)
The stunnel.conf file contains the following configuration:
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************
CApath = /etc/ssl/certs
; **************************************************************************
; * Logging
*
; **************************************************************************
debug = 7
output =
/home/ubuntu/Git/energyos/OpenESPI-GreenButtonCMDTest/SOAPUI/stunnel.log
; **************************************************************************
; * Service definitions (at least one service has to be defined)
*
; **************************************************************************
; **************************************************************************
; * Resource Server
*
; **************************************************************************
[resourceServer]
accept=localhost:8080
connect=52.43.245.161:8443
ciphers=AES128-SHA
client = yes
cert=/etc/stunnel/stunnel.pem
verify=0
[tpserver]
accept=127.0.0.1:8444
connect=localhost:8081
cert=/etc/stunnel/stunnel.pem
verify=0
client=no
ciphers=AES128-SHA
Are there any additional stunnel logging options or debugging techniques you
can recommend to help determine why the session is being closed?  Does
stunnel support wildcard based certificates (i.e.
*.greenbuttonalliance.org)?
Best regards,
Don
Donald F. Coffin
Technical Manager
Green Button Alliance
2335 Dunwoody Crossing Suite E
Dunwoody, GA 30338-8221
http://www.greenbuttonalliance.org http://www.greenbuttonalliance.org/
(949) 636-8571 Mobile