I got the SSL setup done with stunnel, but when I connect from the URL I always see this entry in my stunnel.log:
2011.02.09 14:52:34 LOG3[2433:139832543721216]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
My stunnel config is:

cert = /etc/stunnel/ssl/group-cert.pem
key = /etc/stunnel/ssl/l.key
;setuid = nobody
;setgid = nogroup
pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https]
accept = 443
connect = 80
TIMEOUTclose = 0
xforwardedfor = yes
I have just got familiar with stunnel, so I'm not sure if that error is OK?
What should be the ideal value for TIMEOUTclose?
--- On Wed, 2/9/11, Michal Trojnara Michal.Trojnara@mirt.net wrote:
From: Michal Trojnara Michal.Trojnara@mirt.net
Subject: Re: [stunnel-users] stunnel, haproxy and ssl cert
To: stunnel-users@stunnel.org
Date: Wednesday, February 9, 2011, 3:53 PM
Amol wrote:
2011.02.09 14:52:34 LOG3[2433:139832543721216]: transfer: s_poll_wait: TIMEOUTclose exceeded: closing
[cut]
TIMEOUTclose=0
You requested a close timeout of 0 seconds, and that's exactly what you get.
Mike
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Amol wrote:
What should be the ideal value for TIMEOUTclose ?
The default should be fine for security.
Microsoft decided to refuse to comply with the SSL specification and to ignore the close-notify SSL protocol alert by default:
http://msdn.microsoft.com/en-us/library/aa364671%28v=vs.85%29.aspx
http://www.mail-archive.com/modssl-users@modssl.org/msg02474.html
You may use lower values (e.g. 0) to deal with broken Microsoft implementations of SSL. The error reported by stunnel means that you might be affected by an SSL truncation attack. Microsoft decided to accept this vulnerability. You may do it as well, or drop support for their broken version of SSL.
Mike
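A small audit of the effective TIMEOUTclose per service, added here as an example rather than code from the thread or from stunnel itself; it assumes stunnel's documented default of 60 seconds and runs against a config constructed from the one posted above.

```python
# Sample stunnel.conf constructed from the thread's config (not the poster's
# actual file). A leading ';' marks a commented-out line in stunnel.
SAMPLE_CONF = """\
cert = /etc/stunnel/ssl/group-cert.pem
key = /etc/stunnel/ssl/l.key
;setuid = nobody
debug = 3

[https]
accept = 443
connect = 80
TIMEOUTclose = 0

[imaps]
accept = 993
connect = 143
"""

DEFAULT_TIMEOUTCLOSE = 60  # stunnel's documented default (seconds); assumed here


def parse_conf(text):
    """Return (global_opts, {service: opts}); keys are lowercased, last value wins."""
    glob, services, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or commented-out line
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]  # start of a service section
            services[cur] = {}
            continue
        key, _, value = line.partition("=")
        (services[cur] if cur else glob)[key.strip().lower()] = value.strip()
    return glob, services


def effective_timeoutclose(glob, opts):
    """Service-level value overrides the global one, which overrides the default."""
    return int(opts.get("timeoutclose", glob.get("timeoutclose", DEFAULT_TIMEOUTCLOSE)))


def audit(text):
    """Map each service to (seconds, verdict). With 0 seconds stunnel never waits
    for the peer's close_notify, so a connection cut short before that alert is
    indistinguishable from a clean close (the truncation case Mike describes)."""
    glob, services = parse_conf(text)
    out = {}
    for name, opts in services.items():
        secs = effective_timeoutclose(glob, opts)
        out[name] = (secs, "ok" if secs > 0 else "truncation-undetectable")
    return out
```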