[stunnel-users] SSL3_READ_BYTES:tlsv1 alert internal error

Andrew Heuneman andrew at readingplus.com
Tue Aug 23 04:14:07 CEST 2011


Hello,

We recently implemented Stunnel on Centos 5.6 for ssl offloading for our
java application.  The application has applets to communicate java objects
over https to a tomcat server on the server side.  We have it setup in front
of our Alteon/Radware load balancer.   This hardware load balancer is
capable of ssl load balancing, but has produced a very specific packet reset
that only presents itself in ssl processing. We decided to implement Stunnel
in front of this load balancer to fix this problem.  Ssl offloading was
working great with Stunnel until we ran into Java 7.   if I run any version
of our applets on java 6 they work.  If i run java 7 they do not work.

I have tried googling and looking for this error but I have only found some
references to SNI... is this correct?  Is there anything I can do.

Please forgive me if i have omitted any details  I will be more than happy
to include a packet capture or other details if needed.

I compiled stunnel with the following options
./configure --disable-libwrap --bindir=/usr/sbin --sbindir=/usr/sbin
--sysconfdir=/etc --with-ssl=/usr/local/ssl

also i compiled OpenSSL 1.0.0d with the following
./Configure threads shared linux-generic64

stunnel -version
No limit detected for the number of clients
signal_pipe: FD=3 allocated (non-blocking mode)
signal_pipe: FD=4 allocated (non-blocking mode)
stunnel 4.42 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0d 8 Feb 2011
Threading:PTHREAD SSL:ENGINE Auth:none Sockets:POLL,IPv6
stunnel 4.42 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0d 8 Feb 2011
Threading:PTHREAD SSL:ENGINE Auth:none Sockets:POLL,IPv6

Global option defaults
debug           = daemon.notice
pid             = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level option defaults
ciphers         = ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH
curve           = prime256v1
session         = 300 seconds
sslVersion      = TLSv1 for client, all for server
stack           = 65536 bytes
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none
str_stats: 112 block(s), 4046 byte(s)


stunnel.conf
cert=/etc/stunnel/stunnel.pem
debug=7
output=/var/log/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
[https]
accept=0.0.0.0:443
connect=172.16.18.100:80
session         = 300
TIMEOUTbusy     = 300
TIMEOUTconnect  = 10
TIMEOUTidle     = 43200
client          = no


stunnel.log
2011.08.22 16:58:49 LOG7[438154:47689394220768]: Service https accepted FD=2
from 10.0.11.27:46830
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https started
2011.08.22 16:58:49 LOG7[438154:1104877888]: Option TCP_NODELAY set on local
socket
2011.08.22 16:58:49 LOG5[438154:1104877888]: Service https accepted
connection from 10.0.11.27:46830
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept):
before/accept initialization
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 read
client hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write
server hello A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write
certificate A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write
key exchange A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 write
certificate request A
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL state (accept): SSLv3 flush
data
2011.08.22 16:58:49 LOG7[438154:1104877888]: SSL alert (read): fatal:
internal error
2011.08.22 16:58:49 LOG3[438154:1104877888]: SSL_accept: 14094438:
error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
2011.08.22 16:58:49 LOG5[438154:1104877888]: Connection reset: 0 bytes sent
to SSL, 0 bytes sent to socket
2011.08.22 16:58:49 LOG7[438154:1104877888]: Service https finished (1 left)
2011.08.22 16:58:49 LOG7[438154:1104877888]: str_stats: 0 block(s), 0
byte(s)
2011.08.22 16:59:01 LOG7[438154:1104947520]: Socket closed on read
2011.08.22 16:59:01 LOG7[438154:1104947520]: Sending SSL write shutdown
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (write): warning:
close notify
2011.08.22 16:59:01 LOG6[438154:1104947520]: SSL_shutdown successfully sent
close_notify
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL alert (read): warning:
close notify
2011.08.22 16:59:01 LOG7[438154:1104947520]: SSL closed on SSL_read
2011.08.22 16:59:01 LOG7[438154:1104947520]: Sending socket write shutdown
2011.08.22 16:59:01 LOG5[438154:1104947520]: Connection closed: 49445 bytes
sent to SSL, 8175 bytes sent to socket



-- 



Thank You,
Andrew Heuneman
Senior Systems Administrator
Reading PlusĀ®/Taylor Associates

Helping students become proficient silent readers.
<http://twitter.com/readingplus>
<http://www.facebook.com/pages/Reading-Plus/165970877038>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110822/49f24381/attachment.html>


More information about the stunnel-users mailing list