[stunnel-users] Connection reset by peer on same local network?
Gabe Martin-Dempesy
gabe at mudbugmedia.com
Tue Jan 3 20:48:32 CET 2006
I'm attempting to setup an encrypted rsync to pull backups off of a
file server onto a safe backup machine. To do this I'm using a
combination of stunnel and rsyncd (It needs to pull root-owned files,
so -e ssh wouldn't work unless I want to have a backup script
remotely logging in as root!!) For now the machines are both on the
same local network, 10.10.10.0/24, but I'm have weird problems with
stunnel getting a 'connection reset by peer' after a couple minutes
of the rsync, halting the transfer prematurely. Here's what I see in
the logs:
Client:
Dec 29 10:19:21 backup stunnel[2568]: 8001 connected from
127.0.0.1:39215
Dec 29 10:21:09 backup stunnel[2568]: SSL_write: Connection reset by
peer (104)
Dec 29 10:21:09 backup stunnel[2568]: Connection reset: 192532 bytes
sent to SSL, 5920666 bytes sent to socket
Server:
Dec 29 10:20:00 proto stunnel[30434]: 973 connected from
10.10.10.20:54054
Dec 29 10:20:00 proto rsyncd[1776]: rsync on xserve from localhost
(127.0.0.1)
Dec 29 10:21:49 proto stunnel[30434]: SSL socket closed with 16384
byte(s) in buffer
Dec 29 10:21:49 proto stunnel[30434]: Connection reset: 5953434 bytes
sent to SSL, 98416 bytes sent to socket
Dec 29 16:21:49 proto rsyncd[1776]: rsync: writefd_unbuffered failed
to write 4096 bytes: phase "unknown": Connection reset by peer
Dec 29 16:21:49 proto rsyncd[1776]: rsync error: error in rsync
protocol data stream (code 12) at io.c(666)
Note that the client gets the 'connection reset by peer' a good 40
seconds before the server notices the disconnect.
Here are the associated stunnel.conf's, which are pretty basic
Client:
cert = /etc/stunnel/backup.crt
key = /etc/stunnel/backup.key
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
[8001]
accept = 8001
connect = 10.10.10.15:973
Server:
cert = /etc/stunnel/proto.crt
key = /etc/stunnel/proto.key
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[973]
accept = 973
connect = 127.0.0.1:rsync
Both are using:
stunnel 4.09 on i686-pc-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with
OpenSSL 0.9.7e 25 Oct 2004
Global options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /etc/stunnel/stunnel.pem
pid = /var/lib/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
session = 300 seconds
verify = none
Service-level options
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
Both of these machines are Gentoo 2005.1, updated to current, using
the hardened 2.6 profile. Neither of them use non-standard make flags.
Does anyone have some insight? There shouldn't be any
"peer" (besides themselves) in the way between these two boxes to
disconnect them.
More information about the stunnel-users
mailing list