Hi,
I am experiencing an issue with version 4.29, which is the version available on yum for centos6. I am getting the following error: "Unexpected socket close (read_blocking)". This error only occurs once per stunnel instance, upon the first connection only. More recent versions of stunnel do not have this problem, but I am hoping to work around this issue on the default version for this OS. My hosts.allow and hosts.deny files are both empty. I have tried adding my services to hosts.allow, but it did not have any noticeable effect.
This is the version that I am using (installed with "yum install stunnel"):

$ stunnel -version
stunnel 4.29 on x86_64-redhat-linux-gnu with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug           = 5
pid             = /var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /etc/stunnel/stunnel.pem
ciphers         = FIPS
key             = /etc/stunnel/stunnel.pem
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = TLSv1
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none
This is what my demonstration setup looks like:

nc_client --TCP--> stunnel_client (2000) --SSL--> stunnel_server (2100) --TCP--> nc_server (2200)
Steps to reproduce:
(1) Start the netcat TCP server.
    $ nc -l 2200
(2) Leave the server open and open a new terminal for the rest of the commands.
(3) Create "client_config.txt" with the following contents:

    pid = /tmp/client_stunnel.pid
    debug = 7
    output = /tmp/client_stunnel.log
    client = yes
    ciphers = ALL
    fips = no
    foreground = no

    [CLIENT_PROXY_0]
    accept = 0.0.0.0:2000
    connect = 127.0.0.1:2100
(4) Create "server_config.txt" with the following contents:

    pid = /tmp/server_stunnel.pid
    debug = 7
    output = /tmp/server_stunnel.log
    client = no
    ciphers = ALL
    fips = no
    cert = /tmp/server_stunnel.pem
    foreground = no

    [SVR_PROXY_0]
    accept = 0.0.0.0:2100
    connect = 127.0.0.1:2200
(5) Start the stunnel client:
    $ cat client_config.txt | stunnel -fd 0

(6) Start the stunnel server:
    $ cat server_config.txt | stunnel -fd 0

(7) Send three sequential messages through stunnel to the netcat server:
    $ echo "Test 1" | nc 127.0.0.1 2000
    $ echo "Test 2" | nc 127.0.0.1 2000
    $ echo "Test 3" | nc 127.0.0.1 2000

(8) You should see only "Test 3" appear at the netcat server.
"Test 1" will have failed to pass from the stunnel client to the stunnel server, and the log will report an "Unexpected socket close (read_blocking)" error. "Test 2" is not the first connection for the stunnel client, so it will pass through to the stunnel server successfully. But because it is the first connection for the stunnel server, it will fail there with the same error. "Test 3" is not the first connection for either the stunnel client or the stunnel server, so it will make it through successfully to the netcat server. All subsequent connections will work.
Basically my question is: Is there any way to make this setup work on the first connection with version 4.29, or is a new version necessary?
Thanks, Matthew
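A small harness for the reproduction above, added here as an example (not code from the post or from stunnel): a plain TCP sink stands in for `nc -l 2200`, one short-lived connection per message stands in for the `echo ... | nc 127.0.0.1 2000` commands, and the result lists which messages never reached the sink. Port values are assumptions; with no stunnel in the path every message arrives, and with the post's stunnel pair running, `probe(msgs, sink_port=2200, send_port=2000)` shows which messages the first connection of each hop drops.

```python
import socket
import threading

# Constructed harness (not from the post or from stunnel): start_sink stands in for
# "nc -l 2200", send_sequential for the "echo ... | nc 127.0.0.1 2000" commands.
# Port values are assumptions; by default the sender goes straight to the sink.

def start_sink(host="127.0.0.1", port=0):
    """Listen on plain TCP and record each connection's complete payload."""
    received, stop = [], threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.5)  # lets the loop notice stop even with no client pending

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                data = b""
                while chunk := conn.recv(4096):
                    data += chunk
                received.append(data)  # b"" means the peer closed before sending
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], received, stop

def send_sequential(host, port, messages, timeout=5.0):
    """One short-lived connection per message, like `echo msg | nc host port`."""
    for msg in messages:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(msg)
                s.shutdown(socket.SHUT_WR)
                while s.recv(4096):  # wait for the peer to close, as nc does
                    pass
        except OSError:  # refused, reset or timed out: counted as lost below
            pass

def probe(messages, sink_port=0, send_port=None, host="127.0.0.1"):
    """Send messages, then report which reached the sink and which were lost."""
    port, received, stop = start_sink(host, sink_port)
    send_sequential(host, send_port or port, messages)
    stop.set()
    return {"delivered": list(received), "lost": [m for m in messages if m not in received]}
```

Run `probe([b"Test 1\n", b"Test 2\n", b"Test 3\n"])` without stunnel to confirm the harness itself loses nothing, then again with `sink_port=2200, send_port=2000` against the running stunnel pair.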