[stunnel-users] First SSL_write causing WSAECONNRESET

justin.baidoo justin.baidoo at infoshare-is.com
Fri May 23 11:09:08 CEST 2008


Hi all 

I am new to Stunnel and I’ve spent the past two days trying to work out why
my Stunnel server is resetting the connection on an SSL_write call from an
OpenSSL-configured client. I googled the error but nothing regarding this
particular problem came up; most results were related to Unix configuration or mail
clients.

I’ve got Stunnel 4.23 running on Windows XP as a server for my custom
application. I am able to establish a connection, but when I attempt an
SSL_write from my custom-built client, which is running OpenSSL 0.9.8g, I get
a connection reset error message. I’m running this on WinXP, and Stunnel is
only running on the server machine, not on the client machine.

The SSL_write call on the client app reports that the expected number of bytes
were written, but Stunnel says the connection has been reset!

Could anyone shed some light on what could be going wrong?

Thanks in advance!

Regards

Justin
----------------------------------------------------------------------------
Here is the stunnel.conf on the server machine:

#Stunnel server configuration file
key=c:\ssl\testkey.pem
cert=04.pem

#up this number to 7 to get full log details
#leave it at 3 to just get critical error messages
debug=7
output=c:\ssl\output.log

[customappsrv]
accept=6221
connect=6112

CAfile = c:\customapp\cacert.pem
----------------------------------------------------------------------------

This is the output log for Stunnel running on the server machine

2008.05.22 17:37:34 LOG7[3812:2840]: ccsrv accepted FD=1820 from 192.168.1.38:3920
2008.05.22 17:37:34 LOG7[3812:2840]: Creating a new thread
2008.05.22 17:37:34 LOG7[3812:2840]: New thread created
2008.05.22 17:37:34 LOG7[3812:2180]: ccsrv started
2008.05.22 17:37:34 LOG7[3812:2180]: FD 1820 in non-blocking mode
2008.05.22 17:37:34 LOG5[3812:2180]: ccsrv accepted connection from 192.168.1.38:3920
2008.05.22 17:37:34 LOG7[3812:2180]: SSL state (accept): before/accept initialization
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 read client hello A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 write server hello A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 write certificate A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 write server done A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 flush data
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 read client key exchange A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 read finished A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 write change cipher spec A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 write finished A
2008.05.22 17:38:31 LOG7[3812:2180]: SSL state (accept): SSLv3 flush data
2008.05.22 17:38:31 LOG7[3812:2180]:    1 items in the session cache
2008.05.22 17:38:31 LOG7[3812:2180]:    0 client connects (SSL_connect())
2008.05.22 17:38:31 LOG7[3812:2180]:    0 client connects that finished
2008.05.22 17:38:31 LOG7[3812:2180]:    0 client renegotiations requested
2008.05.22 17:38:31 LOG7[3812:2180]:    6 server connects (SSL_accept())
2008.05.22 17:38:31 LOG7[3812:2180]:    1 server connects that finished
2008.05.22 17:38:31 LOG7[3812:2180]:    0 server renegotiations requested
2008.05.22 17:38:31 LOG7[3812:2180]:    0 session cache hits
2008.05.22 17:38:31 LOG7[3812:2180]:    0 session cache misses
2008.05.22 17:38:31 LOG7[3812:2180]:    0 session cache timeouts
2008.05.22 17:38:31 LOG6[3812:2180]: SSL accepted: new session negotiated
2008.05.22 17:38:31 LOG6[3812:2180]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2008.05.22 17:38:31 LOG7[3812:2180]: FD 1808 in non-blocking mode
2008.05.22 17:38:31 LOG7[3812:2180]: ccsrv connecting 127.0.0.1:6112
2008.05.22 17:38:31 LOG7[3812:2180]: connect_wait: waiting 10 seconds
2008.05.22 17:38:31 LOG7[3812:2180]: connect_wait: connected
2008.05.22 17:38:31 LOG5[3812:2180]: ccsrv connected remote server from 127.0.0.1:3681
2008.05.22 17:38:31 LOG7[3812:2180]: Remote FD=1808 initialized
2008.05.22 17:40:55 LOG3[3812:2180]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2008.05.22 17:40:55 LOG5[3812:2180]: Connection reset: 0 bytes sent to SSL, 147 bytes sent to socket
2008.05.22 17:40:55 LOG7[3812:2180]: ccsrv finished (0 left)
----------------------------------------------------------------------------

Here is a code snippet with the SSL client setup code:

    int nRet;
    sockaddr_in strSAI;

    m_nServerSocketAddress =
        g_clsSocketLib.LookupAddress(m_asServerName.GetChar());

    m_nClientSocketHandle = socket(AF_INET, SOCK_STREAM, 0);
    if (m_nClientSocketHandle == INVALID_SOCKET)
        throw TFLSocketException("socket", WSAGetLastError());

    strSAI.sin_family = AF_INET;
    strSAI.sin_addr.s_addr = m_nServerSocketAddress;
    strSAI.sin_port = htons(m_nPort);

    // Check the TCP connect before handing the socket to OpenSSL; otherwise
    // SSL_connect() would run on a socket that never connected.
    nRet = connect(m_nClientSocketHandle, (sockaddr*)&strSAI, sizeof(strSAI));
    if (nRet == SOCKET_ERROR)
    {
        closesocket(m_nClientSocketHandle);
        m_nClientSocketHandle = INVALID_SOCKET;
        throw TFLSocketException("connect", WSAGetLastError());
    }

    init_OpenSSL();
    seed_prng();
    m_ctx = SSL_CTX_new(SSLv23_method());
    if (SSL_CTX_load_verify_locations(m_ctx, CAFILE, NULL) != 1)
        throw Exception("Error loading CA file and/or directory");
    if (SSL_CTX_set_default_verify_paths(m_ctx) != 1)
        throw Exception("Error loading default CA file and/or directory");
    // SSL_VERIFY_NONE: the CA file loaded above is not consulted, so the
    // server certificate is accepted without verification.
    SSL_CTX_set_verify(m_ctx, SSL_VERIFY_NONE, NULL);
    SSL_CTX_set_options(m_ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
    if (SSL_CTX_set_cipher_list(m_ctx, CIPHER_LIST) != 1)
        throw Exception("Error setting cipher list (no valid ciphers)");
    SSL_CTX_set_mode(m_ctx, SSL_MODE_AUTO_RETRY);
    m_ssl = SSL_new(m_ctx);
    m_sbio = BIO_new(BIO_s_socket());
    BIO_set_fd(m_sbio, m_nClientSocketHandle, BIO_NOCLOSE);
    SSL_set_bio(m_ssl, m_sbio, m_sbio);

    // SSL_connect() returns 1 on success and 0 or a negative value on
    // failure; comparing against SOCKET_ERROR (-1) misses the 0 case.
    nRet = SSL_connect(m_ssl);
    if (nRet != 1)
    {
        int nSSLErr = SSL_get_error(m_ssl, nRet);
        shutdown(m_nClientSocketHandle, SD_BOTH);
        closesocket(m_nClientSocketHandle);
        m_nClientSocketHandle = INVALID_SOCKET;
        throw TFLSocketException("SSL_connect", nSSLErr);
    }
    m_ss = SSL_get1_session(m_ssl);
    // SSL_get_peer_certificate() returns a new reference that must be
    // freed (or kept if the certificate is needed later).
    X509 *pPeer = SSL_get_peer_certificate(m_ssl);
    if (pPeer != NULL)
        X509_free(pPeer);
----------------------------------------------------------------------------
Here is the offending call which causes the Connection Reset:
SSL_write(m_ssl, pMessage, nSize);

Infoshare Ltd
Millennium House
21 Eden Street
Kingston upon Thames
Surrey
KT1 1BL
United Kingdom

Phone: 		+ 44 (0) 20 8541 0111
Support:	+ 44 (0) 20 8481 4760
Web:		www.infoshare-is.com
E-mail:		info at infoshare-is.com

Infoshare Ltd is registered in England and Wales.
Registered Office as above.
Registered Number 2877612
VAT Number GB 678 1443 10

The content of this e-mail (and any attachment to it) is confidential. Any views or opinions do not represent the views or opinions of Infoshare Ltd.
If you have received this e-mail in error please notify the sender and delete it. You may not use, copy or disclose the information in any way. 

Infoshare Ltd monitors incoming and outgoing e-mails.

Please consider the environment. Do you really need to print this email?
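An added diagnostic helper, written for this thread and not part of the original post or of stunnel itself, that parses stunnel debug log lines of the form quoted above and reports which leg of the tunnel raised the reset. It assumes the convention visible in stunnel's messages: errors prefixed with readsocket/writesocket come from the plaintext socket (the connect= target in a server-mode configuration such as the one above), while errors prefixed with SSL_read/SSL_write come from the TLS leg (the accept= listener). The byte counters it extracts are the ones stunnel prints at close ("N bytes sent to SSL, M bytes sent to socket"). The sample log is a trimmed, line-joined copy of the output quoted in the post.

```python
"""Triage an stunnel debug log (debug=7) for one tunnelled connection.

Every stunnel log line carries a LOG<level>[pid:tid] prefix; the thread id
identifies one tunnelled connection, so filtering on it yields that
connection's timeline.  The helper classifies a reset by the function that
reported it and pulls out the byte counts stunnel logs at close, so you can
see whether application data crossed the tunnel before the reset.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<date>\d{4}\.\d{2}\.\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
BYTES_RE = re.compile(r"(\d+) bytes sent to SSL, (\d+) bytes sent to socket")

# Assumption about stunnel's naming: readsocket/writesocket operate on the
# plaintext socket, SSL_* functions on the TLS side.
PLAINTEXT_FUNCS = {"readsocket", "writesocket"}
TLS_FUNCS = {"SSL_read", "SSL_write", "SSL_accept", "SSL_connect"}

# Constructed sample: a trimmed, line-joined copy of the log quoted in the post.
SAMPLE_LOG = """\
2008.05.22 17:37:34 LOG7[3812:2840]: ccsrv accepted FD=1820 from 192.168.1.38:3920
2008.05.22 17:37:34 LOG7[3812:2180]: ccsrv started
2008.05.22 17:37:34 LOG5[3812:2180]: ccsrv accepted connection from 192.168.1.38:3920
2008.05.22 17:38:31 LOG6[3812:2180]: SSL accepted: new session negotiated
2008.05.22 17:38:31 LOG6[3812:2180]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2008.05.22 17:38:31 LOG7[3812:2180]: ccsrv connecting 127.0.0.1:6112
2008.05.22 17:38:31 LOG5[3812:2180]: ccsrv connected remote server from 127.0.0.1:3681
2008.05.22 17:40:55 LOG3[3812:2180]: readsocket: Connection reset by peer (WSAECONNRESET) (10054)
2008.05.22 17:40:55 LOG5[3812:2180]: Connection reset: 0 bytes sent to SSL, 147 bytes sent to socket
2008.05.22 17:40:55 LOG7[3812:2180]: ccsrv finished (0 left)
"""


@dataclass
class ConnectionSummary:
    tid: str
    client: Optional[str] = None          # TLS peer that hit accept=
    backend: Optional[str] = None         # plaintext target from connect=
    handshake_done: bool = False
    reset_side: Optional[str] = None      # "plaintext", "tls" or None
    bytes_to_ssl: Optional[int] = None    # backend -> TLS client
    bytes_to_socket: Optional[int] = None # TLS client -> backend
    errors: List[str] = field(default_factory=list)


def classify_error(msg: str) -> Optional[str]:
    """Map an error message to the tunnel leg that reported it."""
    func = msg.split(":", 1)[0].strip()
    if func in PLAINTEXT_FUNCS:
        return "plaintext"
    if func in TLS_FUNCS:
        return "tls"
    return None


def summarise(log_text: str, tid: str) -> ConnectionSummary:
    """Build a per-thread summary from raw stunnel log text."""
    s = ConnectionSummary(tid=tid)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["tid"] != tid:
            continue
        msg = m["msg"]
        if "accepted connection from" in msg:
            s.client = msg.rsplit(" ", 1)[1]
        elif " connecting " in msg:
            s.backend = msg.rsplit(" ", 1)[1]
        elif "new session negotiated" in msg:
            s.handshake_done = True
        elif m["level"] == "3":           # LOG3 = error
            s.errors.append(msg)
            if "reset" in msg.lower():
                s.reset_side = classify_error(msg)
        b = BYTES_RE.search(msg)
        if b:
            s.bytes_to_ssl, s.bytes_to_socket = int(b.group(1)), int(b.group(2))
    return s


def diagnose(s: ConnectionSummary) -> str:
    """Turn a summary into a one-line verdict for the operator."""
    if not s.handshake_done:
        return "TLS handshake never completed; check certificates and cipher settings"
    if s.reset_side == "plaintext":
        return (f"backend {s.backend} reset the plaintext leg after stunnel forwarded "
                f"{s.bytes_to_socket} bytes to it and {s.bytes_to_ssl} bytes back; "
                f"the TLS leg from {s.client} reported no error")
    if s.reset_side == "tls":
        return f"TLS client {s.client} reset the encrypted leg"
    if s.errors:
        return "errors without a reset: " + "; ".join(s.errors)
    return "connection closed cleanly"


if __name__ == "__main__":
    print(diagnose(summarise(SAMPLE_LOG, "2180")))
```

Run against the quoted log, the verdict points at the plaintext leg: the handshake completed, stunnel forwarded 147 bytes to 127.0.0.1:6112, nothing came back, and the reset was reported by readsocket, so the next place to look is the application listening on the connect= port rather than the OpenSSL client.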