[stunnel-users] Stunnel v4.54 SSL_connect: Peer suddenly disconnected
Arun Kumar
arunkumc at gmail.com
Wed Jan 2 15:05:31 CET 2013
Brian,
Thank you for the inputs. I tried without client parameter & notice unknown
protocol. I am not sure which "protocol" to use in stunnel.conf in my case.
comment out client = yes
restarted stunnel process.
ocm5-197-196:~ # dfm ldap find user1
Warning: Failed to bind to ldap server '127.0.0.1' as user
'CN=Administrator,CN=Users,DC=core,DC=dir,DC=telstra,DC=com': Can't contact
LDAP server
Error: Failed to search for user1.
ocm5-197-196:~ # cat /root/stunnel.log
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Clients allowed=500
2013.01.02 19:31:43 LOG5[18156:46934667927072]: stunnel 4.54 on
x86_64-unknown-linux-gnu platform
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Compiled/running with
OpenSSL 0.9.8a 11 Oct 2005
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Threading:PTHREAD
SSL:+ENGINE Auth:none Sockets:POLL+IPv6
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Reading configuration from
file /root/stunnel-4.54/tools/stunnel.conf
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Compression not enabled
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Snagged 64 random bytes
from /root/.rnd
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Wrote 1024 new random bytes
to /root/.rnd
2013.01.02 19:31:43 LOG7[18156:46934667927072]: PRNG seeded successfully
2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap]
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate:
/opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates
from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem
revocation lookup file
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH
parameters from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH
parameters
2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with
2048-bit key
2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve
prime256v1
2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service
[ldap-ha]
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate:
/opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates
from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem
revocation lookup file
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH
parameters from /opt/crt_key.pem
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH
parameters
2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with
2048-bit key
2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with curve
prime256v1
2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
2013.01.02 19:31:43 LOG5[18156:46934667927072]: Configuration successful
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap] (FD=7) bound
to 0.0.0.0:389
2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap-ha] (FD=8)
bound to 0.0.0.0:8389
2013.01.02 19:31:43 LOG7[18157:46934667927072]: Created pid file
/var/run/stunnel.pid
2013.01.02 19:32:02 LOG7[18157:46934667927072]: Service [ldap] accepted
(FD=3) from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] started
2013.01.02 19:32:02 LOG5[18157:1073809728]: Service [ldap] accepted
connection from 127.0.0.1:39760
2013.01.02 19:32:02 LOG7[18157:1073809728]: SSL state (accept):
before/accept initialization
2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: 140760FC:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
<----------
2013.01.02 19:32:02 LOG5[18157:1073809728]: Connection reset: 0 byte(s)
sent to SSL, 0 byte(s) sent to socket
2013.01.02 19:32:02 LOG7[18157:1073809728]: Local socket (FD=3) closed
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] finished (0 left)
appreciate your help.
Warm Regards,
Arun kumar c
On Wed, Jan 2, 2013 at 7:29 PM, Brian Wilkins <bwilkins at gmail.com> wrote:
> It thinks your server is a client. Remove client = yes. You need to have a
> client instance if stunnel and a server instance of stunnel. I am not too
> keen on ldap, but I assume it is unencrypted so use stunnel to tunnel the
> traffic and then it gets down selected to unencrypted on the receiving end.
>
> Brian
>
>
> On Wednesday, January 2, 2013, Arun Kumar wrote:
>
>> Team,
>>
>> I am configuring stunnel for the first time.
>> My Requirement: "NetApp DataFabricManager" application on SLES10 SP4
>> platform <------ (LDAP over Stunnel) -----> Windows 2003 Active
>> Directory, for Active Directory user authentication.
>>
>>
>> Stunnel.conf:
>> -----------------------------------------------------------
>> setuid = root
>> setgid = root
>>
>> client = yes
>>
>> debug = 7
>> output = /root/stunnel.log
>>
>> cert = /opt/crt_key.pem
>> key = /opt/crt_key.pem
>>
>> pid = /var/run/stunnel.pid
>>
>> verify = 3
>> CAfile = /opt/crt_key.pem
>>
>> options = NO_SSLv2
>>
>> [ldap]
>> accept = 389
>> connect = winad1-197-187:636
>>
>> [ldap-ha]
>> accept = 8389
>> connect = winad2-197-189:636
>> -----------------------------------------------------------
>>
>> ocm5-197-196:~ # dfm ldap list
>> Address Port Last Use
>> Last Failure
>> ------------------------------------------ ------
>> -------------------------- --------------------------
>> 127.0.0.1 389 2013-01-02
>> 14:01:52.000000
>> 127.0.0.1 8389 2013-01-02
>> 13:49:35.000000
>> ocm5-197-196:~ #
>>
>>
>> ocm5-197-196:~ # dfm ldap find user1
>> Warning: Failed to bind to ldap server '127.0.0.1' as user
>> 'CN=Administrator,CN=Users,DC=<zz>,DC=<xx>,DC=<yy>,DC=com': Can't contact
>> LDAP server
>> Error: Failed to search for user1.
>> ocm5-197-196:~ #
>>
>> NOTE: If i add active directory server IP in the above list, instead of
>> 127.0.0.1, ldap authentication works fine.
>>
>> ocm5-197-196:~ # cat /etc/services
>> ...
>> .....
>> ........
>> #### This is a Manual Entry made by root user for AD authentication
>> services & Stunnel Integration ########
>> ldap-ha 8389/tcp # 2nd LDAP host for DC redundancy [Redirected
>> to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
>> ldap-ha 8389/udp # 2nd LDAP host for DC redundancy [Redirected
>> to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
>>
>>
>> ocm5-197-196:~ # stunnel /root/stunnel-4.54/tools/stunnel.conf
>>
>>
>> stunnel.log:
>>
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Clients allowed=500
>> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: stunnel 4.54 on
>> x86_64-unknown-linux-gnu platform
>> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Compiled/running with
>> OpenSSL 0.9.8a 11 Oct 2005
>> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Threading:PTHREAD
>> SSL:+ENGINE Auth:none Sockets:POLL+IPv6
>> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Reading configuration
>> from file /root/stunnel-4.54/tools/stunnel.conf
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Compression not enabled
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Snagged 64 random bytes
>> from /root/.rnd
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Wrote 1024 new random
>> bytes to /root/.rnd
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: PRNG seeded successfully
>> 2013.01.02 14:00:42 LOG6[7102:47010476379680]: Initializing service
>> [ldap]
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate:
>> /opt/crt_key.pem
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate loaded
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Key file: /opt/crt_key.pem
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Private key loaded
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded verify certificates
>> from /opt/crt_key.pem
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded /opt/crt_key.pem
>> revocation lookup file
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: SSL options set: 0x01000004
>> 2013.01.02 14:00:42 LOG6[7102:47010476379680]: Initializing service
>> [ldap-ha]
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate:
>> /opt/crt_key.pem
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Certificate loaded
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Key file: /opt/crt_key.pem
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Private key loaded
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded verify certificates
>> from /opt/crt_key.pem
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Loaded /opt/crt_key.pem
>> revocation lookup file
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: SSL options set: 0x01000004
>> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Configuration successful
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Service [ldap] (FD=7)
>> bound to 0.0.0.0:389
>> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Service [ldap-ha] (FD=8)
>> bound to 0.0.0.0:8389
>> 2013.01.02 14:00:42 LOG7[7103:47010476379680]: Created pid file
>> /var/run/stunnel.pid
>> 2013.01.02 14:01:52 LOG7[7103:47010476379680]: Service [ldap] accepted
>> (FD=3) from 127.0.0.1:60332
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] started
>> 2013.01.02 14:01:52 LOG5[7103:1073809728]: Service [ldap] accepted
>> connection from 127.0.0.1:60332
>> 2013.01.02 14:01:52 LOG6[7103:1073809728]: connect_blocking: connecting
>> 192.168.10.7:636
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: connect_blocking: s_poll_wait
>> 192.168.10.7:636: waiting 10 seconds
>> 2013.01.02 14:01:52 LOG5[7103:1073809728]: connect_blocking: connected
>> 192.168.10.7:636
>> 2013.01.02 14:01:52 LOG5[7103:1073809728]: Service [ldap] connected
>> remote server from 192.168.10.1:40664
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Remote socket (FD=10)
>> initialized
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect):
>> before/connect initialization
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: SSL state (connect): SSLv3
>> write client hello A
>> 2013.01.02 14:01:52 LOG3[7103:1073809728]: SSL_connect: Peer suddenly
>> disconnected
>> <------------------
>> 2013.01.02 14:01:52 LOG5[7103:1073809728]: Connection reset: 0 byte(s)
>> sent to SSL, 0 byte(s) sent to socket
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Remote socket (FD=10) closed
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Local socket (FD=3) closed
>> 2013.01.02 14:01:52 LOG7[7103:1073809728]: Service [ldap] finished (0
>> left)
>>
>>
>> I initially started with stunnel-4.14 available with SLES10 GA OS media.
>> Noticed peer disconnected issue.
>> I went through the stunnel mailing list archive for related issues, but
>> didn't get much help.
>> Finally upgraded stunnel to v4.54 & to no progress.
>>
>> google hits mentioned that its configuration issue / client is not
>> accepting sockets.. but finally no clue how to proceed.
>>
>> Kindly assist "SSL_connect: Peer suddenly disconnected" & SSL handshake
>> work.
>>
>> Warm Regards,
>> Arun
>> UNIX admin
>>
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20130102/7e756b95/attachment.html>
More information about the stunnel-users
mailing list