[stunnel-users] problem with -fd option on Linux

Sorkin, David david.sorkin at citi.com
Tue Nov 10 21:46:14 CET 2009


I'd like to report an interesting problem I found that occurs on Linux but not Solaris when using the -fd 0 option to read the stunnel configuration in from stdin.

I am using stunnel to establish client tunnels on the fly for one time use by programs such as rsync. The client config file is generated automatically with some dynamic parameters. After the client tunnel is established a client program connects to the specified port on localhost.

This works fine on Solaris but on Linux I found that the client program has to be invoked *twice* before it works.

My work around is to write the config to a temp file and starting stunnel with the location of the file as its argument instead of writing to its standard input.

I am using tcp wrappers to protect the stunnel servers and to limit the connects to the client to localhost.

This isn't an issue for me anymore but it took a bit of troubleshooting to figure out. On Solaris I am running the same version of stunnel, openssl, etc... all compiled very similarly. One difference could be iconv but I don't know enough about it to say.

Regards,
David Sorkin


Debug log from the first client invocation:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Nov 10 15:37:02 test03 stunnel: LOG5[32303:182894071744]: stunnel 4.27 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
Nov 10 15:37:02 test03 stunnel: LOG5[32303:182894071744]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
Nov 10 15:37:02 test03 stunnel: LOG6[32303:182894071744]: file ulimit = 1024 (can be changed with 'ulimit -n')
Nov 10 15:37:02 test03 stunnel: LOG6[32303:182894071744]: poll() used - no FD_SETSIZE limit for file descriptors
Nov 10 15:37:02 test03 stunnel: LOG5[32303:182894071744]: 500 clients allowed
Nov 10 15:37:03 test03 stunnel: LOG3[32309:1073809760]: Unexpected socket close (read_blocking)
Nov 10 15:37:03 test03 stunnel: LOG5[32309:1073809760]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
Nov 10 15:37:03 test03 stunnel: LOG5[32309:182894071744]: Received signal 15; terminating


My client config is similar to the following:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
debug = local4.info
foreground = no
sslVersion = TLSv1
RNDfile = /dev/random
RNDoverwrite = no
pid = %s

[stunnel]
client = yes
key = /path/to/private_key.pem
cert = /path/to/public_key_cert.pem
verify = 0
accept = 127.0.0.1:12345        # ephemeral port
connect = remote_host:123       # well known port
ciphers = AES256-SHA


Server Config:
^^^^^^^^^^^^^^
debug = local4.info
foreground = no
pid = /var/run/stunnel.pid
sslVersion = TLSv1
RNDfile = /dev/random
RNDoverwrite = no

[rsync]
client = no
key = /path/to/private_key.pem
cert = /path/to/public_key_cert.pem
CAfile = /path/to/authority_certs.pem
verify = 3
accept = 123
exec = /usr/bin/rsync
execargs = rsync --daemon --no-detach
ciphers = AES256-SHA


hosts.allow
^^^^^^^^^^^^
stunnel: 127.0.0.1
rsync: <ip of authorized server>


>  /usr/local/bin/stunnel -version
stunnel 4.27 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP

Global options
debug           = 5
pid             = /var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /usr/local/etc/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key             = /usr/local/etc/stunnel.pem
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

>  /usr/local/bin/stunnel -sockets
Socket option defaults:
    Option          Accept    Local     Remote    OS default
    SO_DEBUG            --        --        --             0
    SO_DONTROUTE        --        --        --             0
    SO_KEEPALIVE        --        --        --             0
    SO_LINGER           --        --        --    0:0
    SO_OOBINLINE        --        --        --             0
    SO_RCVBUF           --        --        --         87380
    SO_SNDBUF           --        --        --         16384
    SO_RCVLOWAT         --        --        --             1
    SO_SNDLOWAT         --        --        --             1
    SO_RCVTIMEO         --        --        --         0:0
    SO_SNDTIMEO         --        --        --         0:0
    SO_REUSEADDR             1    --        --             0
    SO_BINDTODEVICE     --        --        --        --
    IP_TOS              --        --        --             0
    IP_TTL              --        --        --            64
    TCP_NODELAY         --        --        --             0

> uname -a
Linux test1 2.6.9-89.0.11.ELsmp #1 SMP Mon Aug 31 11:00:34 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux


--
David Sorkin <david.sorkin at citi.com>
CATE - Network Engineering
(908) 563-0017





More information about the stunnel-users mailing list