Hi All!
I would appreciate any clue to solve the problem we are having with a client mode service that stopped working this week (we verified that the service works directly without stunnel).
The error I identify in the trace is the following: "TLS alert (write): fatal: decode error"
Stunnel Config (Windows version):
[afip-prod-fce]
client = yes
accept = ARSASSRV4DMS06:1031
connect = serviciosjava.afip.gob.ar:443
debug = 7
ws: https://serviciosjava.afip.gob.ar/wsfecred/FECredService
Complete trace:
2024.01.24 09:28:46 LOG5[main]: stunnel 5.71 on x64-pc-mingw32-gnu platform
2024.01.24 09:28:46 LOG5[main]: Compiled/running with OpenSSL 3.1.3 19 Sep 2023
2024.01.24 09:28:46 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2024.01.24 09:28:46 LOG5[main]: Reading configuration from file C:\Program Files (x86)\stunnel\config\stunnel.conf
2024.01.24 09:28:46 LOG5[main]: UTF-8 byte order mark detected
2024.01.24 09:28:46 LOG5[main]: FIPS mode disabled
2024.01.24 09:28:46 LOG4[main]: Service [afip-prod-fce] needs authentication to prevent MITM attacks
2024.01.24 09:28:46 LOG5[main]: Configuration successful
2024.01.24 09:29:23 LOG7[0]: Service [afip-prod-fce] started
2024.01.24 09:29:23 LOG7[0]: Setting local socket options (FD=892)
2024.01.24 09:29:23 LOG7[0]: Option TCP_NODELAY set on local socket
2024.01.24 09:29:23 LOG5[0]: Service [afip-prod-fce] accepted connection from 10.70.162.24:57723
2024.01.24 09:29:23 LOG6[0]: s_connect: connecting 200.1.116.19:443
2024.01.24 09:29:23 LOG7[0]: s_connect: s_poll_wait 200.1.116.19:443: waiting 10 seconds
2024.01.24 09:29:23 LOG7[0]: FD=896 ifds=rwx ofds=---
2024.01.24 09:29:24 LOG5[0]: s_connect: connected 200.1.116.19:443
2024.01.24 09:29:24 LOG5[0]: Service [afip-prod-fce] connected remote server from 10.72.0.69:64788
2024.01.24 09:29:24 LOG7[0]: Setting remote socket options (FD=896)
2024.01.24 09:29:24 LOG7[0]: Option TCP_NODELAY set on remote socket
2024.01.24 09:29:24 LOG7[0]: Remote descriptor (FD=896) initialized
2024.01.24 09:29:24 LOG6[0]: SNI: sending servername: serviciosjava.afip.gob.ar
2024.01.24 09:29:24 LOG6[0]: Peer certificate not required
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): before SSL initialization
2024.01.24 09:29:24 LOG7[0]: Initializing application specific data for session authenticated
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
2024.01.24 09:29:24 LOG6[0]: CERT: Certificate verification disabled
2024.01.24 09:29:24 LOG6[0]: CERT: Certificate verification disabled
2024.01.24 09:29:24 LOG6[0]: CERT: Certificate verification disabled
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
2024.01.24 09:29:24 LOG7[0]: OCSP stapling: Client callback called
2024.01.24 09:29:24 LOG6[0]: OCSP: Certificate chain verification disabled
2024.01.24 09:29:24 LOG6[0]: Client certificate not requested
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS read change cipher spec
2024.01.24 09:29:24 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2024.01.24 09:29:24 LOG7[0]: New session callback
2024.01.24 09:29:24 LOG7[0]: Peer certificate was cached (6643 bytes)
2024.01.24 09:29:24 LOG6[0]: Session id: D63C79766AC02C9A3E8494AD528954A183E9F7C250856695BA05C16A2219A4B3
2024.01.24 09:29:24 LOG7[0]: 1 client connect(s) requested
2024.01.24 09:29:24 LOG7[0]: 1 client connect(s) succeeded
2024.01.24 09:29:24 LOG7[0]: 0 client renegotiation(s) requested
2024.01.24 09:29:24 LOG7[0]: 0 session reuse(s)
2024.01.24 09:29:24 LOG6[0]: TLS connected: new session negotiated
2024.01.24 09:29:24 LOG6[0]: TLSv1.2 ciphersuite: ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2024.01.24 09:29:24 LOG6[0]: Peer temporary key: ECDH, P-256, 256 bits
2024.01.24 09:29:24 LOG7[0]: Compression: null, expansion: null
2024.01.24 09:29:24 LOG7[0]: Remove session callback
2024.01.24 09:29:24 LOG7[0]: TLS alert (write): fatal: decode error
2024.01.24 09:29:24 LOG6[0]: TLS socket closed (SSL_read)
2024.01.24 09:29:24 LOG7[0]: Sent socket write shutdown
2024.01.24 09:29:24 LOG5[0]: Connection closed: 1755 byte(s) sent to TLS, 634 byte(s) sent to socket
2024.01.24 09:29:24 LOG7[0]: Remote descriptor (FD=896) closed
2024.01.24 09:29:24 LOG7[0]: Local descriptor (FD=892) closed
2024.01.24 09:29:24 LOG7[0]: Service [afip-prod-fce] finished (0 left)
Thank you!
Kind regards, Rodrigo.