[stunnel-users] Connection reset by peer on same local network?

Gabe Martin-Dempesy gabe at mudbugmedia.com
Tue Jan 3 20:48:32 CET 2006 

I'm attempting to setup an encrypted rsync to pull backups off of a  
file server onto a safe backup machine.  To do this I'm using a  
combination of stunnel and rsyncd (It needs to pull root-owned files,  
so -e ssh wouldn't work unless I want to have a backup script  
remotely logging in as root!!)   For now the machines are both on the  
same local network, 10.10.10.0/24, but I'm have weird problems with  
stunnel getting a 'connection reset by peer' after a couple minutes  
of the rsync, halting the transfer prematurely.  Here's what I see in  
the logs:

Client:
Dec 29 10:19:21 backup stunnel[2568]: 8001 connected from  
127.0.0.1:39215
Dec 29 10:21:09 backup stunnel[2568]: SSL_write: Connection reset by  
peer (104)
Dec 29 10:21:09 backup stunnel[2568]: Connection reset: 192532 bytes  
sent to SSL, 5920666 bytes sent to socket


Server:
Dec 29 10:20:00 proto stunnel[30434]: 973 connected from  
10.10.10.20:54054
Dec 29 10:20:00 proto rsyncd[1776]: rsync on xserve from localhost  
(127.0.0.1)
Dec 29 10:21:49 proto stunnel[30434]: SSL socket closed with 16384  
byte(s) in buffer
Dec 29 10:21:49 proto stunnel[30434]: Connection reset: 5953434 bytes  
sent to SSL, 98416 bytes sent to socket
Dec 29 16:21:49 proto rsyncd[1776]: rsync: writefd_unbuffered failed  
to write 4096 bytes: phase "unknown": Connection reset by peer
Dec 29 16:21:49 proto rsyncd[1776]: rsync error: error in rsync  
protocol data stream (code 12) at io.c(666)


Note that the client gets the 'connection reset by peer' a good 40  
seconds before the server notices the disconnect.


Here are the associated stunnel.conf's, which are pretty basic
Client:
cert = /etc/stunnel/backup.crt
key = /etc/stunnel/backup.key
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
[8001]
accept = 8001
connect = 10.10.10.15:973


Server:
cert = /etc/stunnel/proto.crt
key = /etc/stunnel/proto.key
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[973]
accept = 973
connect = 127.0.0.1:rsync


Both are using:
stunnel 4.09 on i686-pc-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with  
OpenSSL 0.9.7e 25 Oct 2004
Global options
cert            = /etc/stunnel/stunnel.pem
ciphers         = ALL:!ADH:+RC4:@STRENGTH
debug           = 5
key             = /etc/stunnel/stunnel.pem
pid             = /var/lib/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
session         = 300 seconds
verify          = none
Service-level options
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds


Both of these machines are Gentoo 2005.1, updated to current, using  
the hardened 2.6 profile.  Neither of them use non-standard make flags.

Does anyone have some insight?  There shouldn't be any  
"peer" (besides themselves) in the way between these two boxes to  
disconnect them.

More information about the stunnel-users mailing list