[stunnel-users] Problem with Stunnel and OpenBSD
Juan J. Martínez
reidrac at usebox.net
Fri May 23 14:13:00 CEST 2008
Hello again,
I rebooted about two hours ago... and stunnel did its job
perfectly, but now... the same problem.
I can't see any problem on any log in the system, all seems OK.
It halts again on:
2008.05.23 14:10:22 LOG7[30365:0]: SSL state (accept): before/accept initialization
Any help or pointer to documentation would be greatly appreciated.
Regards,
Juanjo
PS: excuse my English.
On Fri, 23-05-2008 at 11:18 +0200, Juan J. Martínez wrote:
> Hello list!
>
> I've been running stunnel on OpenBSD for a long time to turn popa3d into a POP3s
> service, and I've sometimes had problems since I upgraded to 4.x.
>
> Yesterday morning, after months without trouble, this started to happen:
>
> 1- When I try to get the mail, the client connects (Evolution 2.22.1.1
> from Linux; but it happens with other clients too).
>
> 2- Then it stalls at:
>
> 2008.05.23 10:47:29 LOG7[16334:0]: SSL state (accept): before/accept
> initialization
>
> 3- After approx. 3 minutes, it continues and then connects to popa3d
> and the mail is retrieved as expected.
>
> I'm running stunnel 4.24.
>
> I've noticed that just after rebooting the system, it works perfectly,
> but after some time running... the problem appears. Restarting stunnel
> doesn't fix it.
>
> I guess the question is: why is it stalling at SSL state (accept)?
> and... why does it work fine just after a reboot?
>
> Here follows some info about my setup...
>
> stunnel.conf:
>
> cert = /etc/ssl/private/stunnel.pem
> chroot = /var/stunnel/
> setuid = _stunnel
> setgid = _stunnel
> pid = /var/run/stunnel.pid
> socket = l:TCP_NODELAY=1
>
> [pop3s]
> accept = 995
> connect = 110
>
> stunnel -version:
>
> stunnel 4.24 on i386-unknown-openbsd3.8 with OpenSSL 0.9.7g 11 Apr 2005
> Threading:FORK SSL:ENGINE Sockets:POLL,IPv6
>
> Global options
> debug = 5
> pid = /var/run/stunnel/stunnel.pid
> RNDbytes = 64
> RNDfile = /dev/urandom
> RNDoverwrite = yes
>
> Service-level options
> cert = /etc/stunnel/stunnel.pem
> ciphers = ALL:!ADH:+RC4:@STRENGTH
> key = /etc/stunnel/stunnel.pem
> session = 300 seconds
> sslVersion = SSLv3 for client, all for server
> TIMEOUTbusy = 300 seconds
> TIMEOUTclose = 60 seconds
> TIMEOUTconnect = 10 seconds
> TIMEOUTidle = 43200 seconds
> verify = none
>
> Output of the log running with debug=7; the interesting part is
> at 2008.05.23 10:47:29:
>
> 2008.05.23 10:47:14 LOG7[28370:0]: Snagged 64 random bytes from /dev/arandom
> 2008.05.23 10:47:14 LOG7[28370:0]: RAND_status claims sufficient entropy for the PRNG
> 2008.05.23 10:47:14 LOG7[28370:0]: PRNG seeded successfully
> 2008.05.23 10:47:14 LOG7[28370:0]: Certificate: /etc/ssl/private/stunnel.pem
> 2008.05.23 10:47:14 LOG7[28370:0]: Certificate loaded
> 2008.05.23 10:47:14 LOG7[28370:0]: Key file: /etc/ssl/private/stunnel.pem
> 2008.05.23 10:47:14 LOG7[28370:0]: Private key loaded
> 2008.05.23 10:47:14 LOG7[28370:0]: SSL context initialized for service pop3s
> 2008.05.23 10:47:14 LOG5[28370:0]: stunnel 4.24 on i386-unknown-openbsd3.8 with OpenSSL 0.9.7g 11 Apr 2005
> 2008.05.23 10:47:14 LOG5[28370:0]: Threading:FORK SSL:ENGINE Sockets:POLL,IPv6
> 2008.05.23 10:47:14 LOG6[28370:0]: file ulimit = 128 (can be changed with 'ulimit -n')
> 2008.05.23 10:47:14 LOG6[28370:0]: poll() used - no FD_SETSIZE limit for file descriptors
> 2008.05.23 10:47:14 LOG5[28370:0]: 61 clients allowed
> 2008.05.23 10:47:14 LOG7[28370:0]: FD 6 in non-blocking mode
> 2008.05.23 10:47:14 LOG7[28370:0]: FD 7 in non-blocking mode
> 2008.05.23 10:47:14 LOG7[28370:0]: FD 8 in non-blocking mode
> 2008.05.23 10:47:14 LOG7[28370:0]: SO_REUSEADDR option set on accept socket
> 2008.05.23 10:47:14 LOG7[28370:0]: pop3s bound to 0.0.0.0:995
> 2008.05.23 10:47:14 LOG7[17739:0]: Created pid file /var/run/stunnel.pid
> 2008.05.23 10:47:29 LOG7[17739:0]: pop3s accepted FD=9 from 147.156.98.148:53957
> 2008.05.23 10:47:29 LOG7[16334:0]: pop3s started
> 2008.05.23 10:47:29 LOG7[16334:0]: FD 9 in non-blocking mode
> 2008.05.23 10:47:29 LOG7[16334:0]: TCP_NODELAY option set on local socket
> 2008.05.23 10:47:29 LOG5[16334:0]: pop3s accepted connection from 147.156.98.148:53957
> 2008.05.23 10:47:29 LOG7[16334:0]: SSL state (accept): before/accept initialization
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 read client hello A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 write server hello A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 write certificate A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 write server done A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 flush data
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 read client key exchange A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 read finished A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 write change cipher spec A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 write finished A
> 2008.05.23 10:51:18 LOG7[16334:0]: SSL state (accept): SSLv3 flush data
> 2008.05.23 10:51:18 LOG7[16334:0]: 1 items in the session cache
> 2008.05.23 10:51:18 LOG7[16334:0]: 0 client connects (SSL_connect())
> 2008.05.23 10:51:18 LOG7[16334:0]: 0 client connects that finished
> 2008.05.23 10:51:18 LOG7[16334:0]: 0 client renegotiations requested
> 2008.05.23 10:51:18 LOG7[16334:0]: 1 server connects (SSL_accept())
> 2008.05.23 10:51:18 LOG7[16334:0]: 1 server connects that finished
> 2008.05.23 10:51:18 LOG7[16334:0]: 0 server renegotiations requested
> 2008.05.23 10:51:18 LOG7[16334:0]: 0 session cache hits
> 2008.05.23 10:51:18 LOG7[16334:0]: 1 session cache misses
> 2008.05.23 10:51:18 LOG7[16334:0]: 0 session cache timeouts
> 2008.05.23 10:51:18 LOG6[16334:0]: SSL accepted: new session negotiated
> 2008.05.23 10:51:18 LOG6[16334:0]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
> 2008.05.23 10:51:18 LOG7[16334:0]: FD 8 in non-blocking mode
> 2008.05.23 10:51:18 LOG7[16334:0]: pop3s connecting 127.0.0.1:110
> 2008.05.23 10:51:18 LOG5[16334:0]: pop3s connected remote server from 127.0.0.1:31725
> 2008.05.23 10:51:18 LOG7[16334:0]: Remote FD=8 initialized
> 2008.05.23 10:51:20 LOG7[16334:0]: Socket closed on read
> 2008.05.23 10:51:20 LOG7[16334:0]: SSL write shutdown
> 2008.05.23 10:51:20 LOG7[16334:0]: SSL alert (write): warning: close notify
> 2008.05.23 10:51:20 LOG6[16334:0]: SSL socket closed on SSL_shutdown
> 2008.05.23 10:51:20 LOG7[16334:0]: Socket write shutdown
> 2008.05.23 10:51:20 LOG5[16334:0]: Connection closed: 22453 bytes sent to SSL, 120 bytes sent to socket
> 2008.05.23 10:51:20 LOG7[17739:0]: Cleaning up the signal pipe
> 2008.05.23 10:51:20 LOG7[17739:0]: Process 16334 finished with code 0 (0 left)
> 2008.05.23 10:51:45 LOG5[17739:0]: Received signal 15; terminating
> 2008.05.23 10:51:45 LOG7[17739:0]: removing pid file /var/run/stunnel.pid
> 2008.05.23 10:51:45 LOG3[17739:0]: /var/run/stunnel.pid: No such file or directory (2)
>
--
development and systems: http://www.usebox.net/
personal page: http://www.usebox.net/jjm/
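The debug=7 log in the thread shows where the time goes: the child process sits between "SSL state (accept): before/accept initialization" (10:47:29) and "SSLv3 read client hello A" (10:51:18), so the stall is entirely before the first byte of the client hello is processed, not in the cipher negotiation or the backend connect. When a service misbehaves like this intermittently, it helps to have a small monitor that reads the stunnel log and reports, per forked child, how long that first step took and whether the handshake ever completed. The following script is an added example written for this page, not code from the thread or from the stunnel project; it parses the stunnel log line format shown above, and the PIDs, peers and timestamps in its embedded sample log are constructed (the 229-second gap mirrors the one in the thread).

```python
import re
from datetime import datetime

# Line format used by stunnel in the thread's debug=7 output:
# "YYYY.MM.DD HH:MM:SS LOG<level>[<pid>:<tid>]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
TS_FMT = "%Y.%m.%d %H:%M:%S"

HANDSHAKE_START = "SSL state (accept): before/accept initialization"
HANDSHAKE_STEP = "SSL state (accept): "          # prefix of every later state line
HANDSHAKE_DONE = "SSL accepted: new session negotiated"
ACCEPT_FROM = re.compile(r"accepted connection from (?P<peer>\S+)")

# Constructed sample log (PIDs, peers and times are made up; same shape as the thread's log).
# pid 2001: handshake stalls for 229 s before the client hello is read, then completes.
# pid 2002: normal handshake, first step in the same second.
# pid 2003: never gets past the initial state within the captured log.
SAMPLE_LOG = """\
2008.05.23 10:47:29 LOG5[2001:0]: pop3s accepted connection from 192.0.2.10:40001
2008.05.23 10:47:29 LOG7[2001:0]: SSL state (accept): before/accept initialization
2008.05.23 10:51:18 LOG7[2001:0]: SSL state (accept): SSLv3 read client hello A
2008.05.23 10:51:18 LOG7[2001:0]: SSL state (accept): SSLv3 write server hello A
2008.05.23 10:51:18 LOG6[2001:0]: SSL accepted: new session negotiated
2008.05.23 10:52:00 LOG5[2002:0]: pop3s accepted connection from 192.0.2.11:40002
2008.05.23 10:52:00 LOG7[2002:0]: SSL state (accept): before/accept initialization
2008.05.23 10:52:00 LOG7[2002:0]: SSL state (accept): SSLv3 read client hello A
2008.05.23 10:52:01 LOG6[2002:0]: SSL accepted: new session negotiated
2008.05.23 10:53:00 LOG5[2003:0]: pop3s accepted connection from 192.0.2.12:40003
2008.05.23 10:53:00 LOG7[2003:0]: SSL state (accept): before/accept initialization
"""


def parse_line(line):
    """Split one stunnel log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["pid"] = int(rec["pid"])
    return rec


def handshake_report(lines):
    """Per stunnel child (pid): the peer, the seconds from 'before/accept initialization'
    to the first later SSL state line, and whether 'SSL accepted' was ever logged."""
    peers, started, report = {}, {}, {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        pid, msg, ts = rec["pid"], rec["msg"], rec["ts"]
        m = ACCEPT_FROM.search(msg)
        if m:
            peers[pid] = m.group("peer")
        if msg == HANDSHAKE_START:
            started[pid] = ts
            report[pid] = {"peer": peers.get(pid), "first_step_delay": None, "completed": False}
        elif pid in started and msg.startswith(HANDSHAKE_STEP):
            if report[pid]["first_step_delay"] is None:
                report[pid]["first_step_delay"] = (ts - started[pid]).total_seconds()
        elif pid in started and msg == HANDSHAKE_DONE:
            report[pid]["completed"] = True
    return report


def slow_or_stuck(lines, threshold_seconds=5.0):
    """PIDs whose first handshake step exceeded the threshold or never happened at all."""
    flagged = []
    for pid, r in handshake_report(lines).items():
        delay = r["first_step_delay"]
        if delay is None or delay > threshold_seconds:
            flagged.append(pid)
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for pid, r in handshake_report(lines).items():
        print(pid, r)
    print("slow or stuck:", slow_or_stuck(lines))
```

Run it against a real stunnel log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; the threshold is a guess at what counts as "stalled" and should be set from the service's normal handshake times. Because stunnel here runs in FORK threading mode, the PID in `LOG7[pid:0]` identifies one client connection, which is why the report is keyed on it.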