[stunnel-users] Connections being reset
Roman Medina-Heigl Hernandez
roman at rs-labs.com
Fri Oct 23 22:06:54 CEST 2009
Please, Ludolf, any idea about my question?
Thank you.
Cheers,
-Román
Roman Medina-Heigl Hernandez wrote:
> Hello,
>
> Until recently, I was using "socat"
> (http://www.dest-unreach.org/socat/) to create an SSL wrapper (in a way
> similar to what "stunnel" does). I was using:
> ===
> socat -ly -d -d
> openssl-listen:443,bind=X.X.X.X,fork,reuseaddr,cipher=HIGH:3DES:MD5,cert=server-cert.pem,key=server-key.pem,verify=0
> tcp4:Y.Y.Y.Y:P
> ===
>
> It was working pretty well, without interruptions, although it got some
> stability problems after 1-2 months (the server apparently gets stuck).
> So I decided to give "stunnel" a try.
>
> I switched to "stunnel" and problems arose... I'm experiencing *very*
> frequent connection cuts. If I examine daemon.log (I'm using Debian 5), I see:
>
> Oct 20 12:06:36 hetzner stunnel: LOG3[3677:3083029392]: SSL_read: 140EC071:
> error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode
> Oct 20 12:06:36 hetzner stunnel: LOG5[3677:3083029392]: Connection reset:
> 315484 bytes sent to SSL, 50471 bytes sent to socket
>
> So it seems stunnel is closing the connection due to a "bad mac decode"
> error. My environment (client and server) has not changed, I only switched
> "the transport" (socat -> stunnel). Any idea why it is failing now?
> Moreover, if I switch back to socat, the cuts disappear. Is stunnel buggy? Am I
> missing some config/tuning at the SSL/socket level?
>
> My current config is:
>
> roman at hetzner:~$ stunnel4 -sockets
> Socket option defaults:
> Option Accept Local Remote OS default
> SO_DEBUG -- -- -- 0
> SO_DONTROUTE -- -- -- 0
> SO_KEEPALIVE -- -- -- 0
> SO_LINGER -- -- -- 0:0
> SO_OOBINLINE -- -- -- 0
> SO_RCVBUF -- -- -- 87380
> SO_SNDBUF -- -- -- 16384
> SO_RCVLOWAT -- -- -- 1
> SO_SNDLOWAT -- -- -- 1
> SO_RCVTIMEO -- -- -- 0:0
> SO_SNDTIMEO -- -- -- 0:0
> SO_REUSEADDR 1 -- -- 0
> SO_BINDTODEVICE -- -- -- --
> IP_TOS -- -- -- 0
> IP_TTL -- -- -- 64
> TCP_NODELAY -- -- -- 0
>
> root at hetzner:~# stunnel4 -version
> stunnel 4.22 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
>
> Global options
> debug = 5
> pid = /var/run/stunnel4.pid
> RNDbytes = 64
> RNDfile = /dev/urandom
> RNDoverwrite = yes
>
> Service-level options
> cert = /etc/stunnel/stunnel.pem
> ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
> key = /etc/stunnel/stunnel.pem
> session = 300 seconds
> stack = 65536 bytes
> sslVersion = SSLv3 for client, all for server
> TIMEOUTbusy = 300 seconds
> TIMEOUTclose = 60 seconds
> TIMEOUTconnect = 10 seconds
> TIMEOUTidle = 43200 seconds
> verify = none
>
> My stunnel.conf is very simple. Apart from cert setup, the tunnel is
> something like:
> ===
> [tunelserv]
> accept = X.X.X.X:443
> connect = X.X.X.X:P
> ===
>
> Any idea? Thank you in advance.
>
> Cheers,
> -Roman
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
--
Regards,
-Roman
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
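When a tunnel starts dropping connections like the ones quoted above, the first thing an operator wants is a count: how often does stunnel log "Connection reset", and is each reset preceded by a specific OpenSSL error (here "bad mac decode") on the same connection? The following script is an added example, not code from this thread or from the stunnel project. It assumes the syslog line layout visible in the two quoted daemon.log entries ("<timestamp> <host> stunnel: LOG<n>[<pid>:<tid>]: <message>") and pairs each "Connection reset" summary with the most recent SSL error logged under the same [pid:tid], as both quoted lines carry the same one. The sample log lines are constructed for the demo.

```python
"""Summarise stunnel connection resets from a syslog-style daemon.log.

Added example for the stunnel-users thread; not stunnel's own code. Assumes the
line layout seen in the quoted entries:
    <syslog ts> <host> stunnel: LOG<n>[<pid>:<tid>]: <msg>
"""
import re
from collections import Counter

# Constructed sample input. The first two lines reproduce the quoted daemon.log
# entries (re-joined onto one line each, as syslog writes one line per entry);
# the remaining lines are invented to exercise the clean-close and
# no-error-logged paths.
SAMPLE_LOG = """\
Oct 20 12:06:36 hetzner stunnel: LOG3[3677:3083029392]: SSL_read: 140EC071: error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode
Oct 20 12:06:36 hetzner stunnel: LOG5[3677:3083029392]: Connection reset: 315484 bytes sent to SSL, 50471 bytes sent to socket
Oct 20 12:09:01 hetzner stunnel: LOG5[3677:3083029392]: Connection closed: 1024 bytes sent to SSL, 512 bytes sent to socket
Oct 20 12:11:42 hetzner stunnel: LOG3[3677:3074636688]: SSL_read: 140EC071: error:140EC071:SSL routines:SSL2_READ_INTERNAL:bad mac decode
Oct 20 12:11:42 hetzner stunnel: LOG5[3677:3074636688]: Connection reset: 2048 bytes sent to SSL, 100 bytes sent to socket
Oct 20 12:15:00 hetzner stunnel: LOG5[3677:3083029392]: Connection reset: 10 bytes sent to SSL, 0 bytes sent to socket
"""

# Syslog prefix plus stunnel's "LOG<level>[pid:tid]:" tag.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) stunnel: "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
# OpenSSL error string layout: error:<code>:<lib>:<function>:<reason>
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)
# stunnel's per-connection summary line.
CLOSE_RE = re.compile(
    r"^Connection (?P<how>reset|closed): (?P<to_ssl>\d+) bytes sent to SSL, "
    r"(?P<to_sock>\d+) bytes sent to socket$"
)


def parse_line(line):
    """Return (pid, tid, level, msg) for a stunnel syslog line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("pid"), m.group("tid"), int(m.group("level")), m.group("msg")


def summarize_resets(text):
    """Count resets and attribute each one to the last OpenSSL error logged
    by the same stunnel thread (pid:tid); resets with no preceding error are
    counted under 'no SSL error logged'."""
    last_error = {}  # (pid, tid) -> most recent OpenSSL reason string
    by_reason = Counter()
    stats = {
        "resets": 0,
        "clean_closes": 0,
        "bytes_to_ssl_on_reset": 0,
        "bytes_to_socket_on_reset": 0,
    }
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, tid, _level, msg = parsed
        key = (pid, tid)
        err = ERR_RE.search(msg)
        if err:
            last_error[key] = err.group("reason")
            continue
        close = CLOSE_RE.match(msg)
        if not close:
            continue
        if close.group("how") == "closed":
            stats["clean_closes"] += 1
            last_error.pop(key, None)  # thread finished normally; forget stale errors
            continue
        stats["resets"] += 1
        stats["bytes_to_ssl_on_reset"] += int(close.group("to_ssl"))
        stats["bytes_to_socket_on_reset"] += int(close.group("to_sock"))
        by_reason[last_error.pop(key, "no SSL error logged")] += 1
    stats["by_reason"] = dict(by_reason)
    return stats


if __name__ == "__main__":
    summary = summarize_resets(SAMPLE_LOG)
    print(f"resets: {summary['resets']}  clean closes: {summary['clean_closes']}")
    for reason, n in sorted(summary["by_reason"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {reason}")
```

Run it against the real file with `python3 stunnel_resets.py < /var/log/daemon.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; a high share of resets under one reason, as opposed to resets with no SSL error at all, tells you whether the drops come from the SSL layer or from the peer or network closing the socket.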