[stunnel-users] Stunnel v4.54 SSL_connect: Peer suddenly disconnected
Brian Wilkins
bwilkins at gmail.com
Wed Jan 2 15:08:59 CET 2013
There is a list of ciphers you need to list along with ssl options perhaps.
Also try setting your sslVersion on both ends.
On Wednesday, January 2, 2013, Arun Kumar wrote:
> Brian,
>
> Thank you for the inputs. I tried without the client parameter & noticed
> unknown protocol. I am not sure which "protocol" to use in stunnel.conf in
> my case.
>
> comment out client = yes
>
> restarted stunnel process.
>
> ocm5-197-196:~ # dfm ldap find user1
> Warning: Failed to bind to ldap server '127.0.0.1' as user
> 'CN=Administrator,CN=Users,DC=core,DC=dir,DC=telstra,DC=com': Can't contact
> LDAP server
> Error: Failed to search for user1.
>
> ocm5-197-196:~ # cat /root/stunnel.log
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Clients allowed=500
> 2013.01.02 19:31:43 LOG5[18156:46934667927072]: stunnel 4.54 on
> x86_64-unknown-linux-gnu platform
> 2013.01.02 19:31:43 LOG5[18156:46934667927072]: Compiled/running with
> OpenSSL 0.9.8a 11 Oct 2005
> 2013.01.02 19:31:43 LOG5[18156:46934667927072]: Threading:PTHREAD
> SSL:+ENGINE Auth:none Sockets:POLL+IPv6
> 2013.01.02 19:31:43 LOG5[18156:46934667927072]: Reading configuration from
> file /root/stunnel-4.54/tools/stunnel.conf
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Compression not enabled
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Snagged 64 random bytes
> from /root/.rnd
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Wrote 1024 new random
> bytes to /root/.rnd
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: PRNG seeded successfully
> 2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service [ldap]
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate:
> /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates
> from /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem
> revocation lookup file
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH
> parameters from /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH
> parameters
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with
> 2048-bit key
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with
> curve prime256v1
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
> 2013.01.02 19:31:43 LOG6[18156:46934667927072]: Initializing service
> [ldap-ha]
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate:
> /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Certificate loaded
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Key file: /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Private key loaded
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded verify certificates
> from /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Loaded /opt/crt_key.pem
> revocation lookup file
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Could not load DH
> parameters from /opt/crt_key.pem
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Using hardcoded DH
> parameters
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: DH initialized with
> 2048-bit key
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: ECDH initialized with
> curve prime256v1
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: SSL options set: 0x01000004
> 2013.01.02 19:31:43 LOG5[18156:46934667927072]: Configuration successful
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap] (FD=7)
> bound to 0.0.0.0:389
> 2013.01.02 19:31:43 LOG7[18156:46934667927072]: Service [ldap-ha] (FD=8)
> bound to 0.0.0.0:8389
> 2013.01.02 19:31:43 LOG7[18157:46934667927072]: Created pid file
> /var/run/stunnel.pid
> 2013.01.02 19:32:02 LOG7[18157:46934667927072]: Service [ldap] accepted
> (FD=3) from 127.0.0.1:39760
> 2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] started
> 2013.01.02 19:32:02 LOG5[18157:1073809728]: Service [ldap] accepted
> connection from 127.0.0.1:39760
> 2013.01.02 19:32:02 LOG7[18157:1073809728]: SSL state (accept):
> before/accept initialization
> 2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: 140760FC:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> <----------
> 2013.01.02 19:32:02 LOG5[18157:1073809728]: Connection reset: 0 byte(s)
> sent to SSL, 0 byte(s) sent to socket
> 2013.01.02 19:32:02 LOG7[18157:1073809728]: Local socket (FD=3) closed
> 2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] finished (0
> left)
>
> appreciate your help.
>
> Warm Regards,
> Arun kumar c
>
> On Wed, Jan 2, 2013 at 7:29 PM, Brian Wilkins <bwilkins at gmail.com> wrote:
>
> It thinks your server is a client. Remove client = yes. You need to have a
> client instance of stunnel and a server instance of stunnel. I am not too
> keen on ldap, but I assume it is unencrypted so use stunnel to tunnel the
> traffic and then it gets down selected to unencrypted on the receiving end.
>
> Brian
>
>
> On Wednesday, January 2, 2013, Arun Kumar wrote:
>
> Team,
>
> I am configuring stunnel for the first time.
> My Requirement: "NetApp DataFabricManager" application on SLES10 SP4
> platform <------ (LDAP over Stunnel) -----> Windows 2003 Active
> Directory, for Active Directory user authentication.
>
>
> Stunnel.conf:
> -----------------------------------------------------------
> setuid = root
> setgid = root
>
> client = yes
>
> debug = 7
> output = /root/stunnel.log
>
> cert = /opt/crt_key.pem
> key = /opt/crt_key.pem
>
> pid = /var/run/stunnel.pid
>
> verify = 3
> CAfile = /opt/crt_key.pem
>
> options = NO_SSLv2
>
> [ldap]
> accept = 389
> connect = winad1-197-187:636
>
> [ldap-ha]
> accept = 8389
> connect = winad2-197-189:636
> -----------------------------------------------------------
>
> ocm5-197-196:~ # dfm ldap list
> Address Port Last Use
> Last Failure
> ------------------------------------------ ------
> -------------------------- --------------------------
> 127.0.0.1 389 2013-01-02
> 14:01:52.000000
> 127.0.0.1 8389 2013-01-02
> 13:49:35.000000
> ocm5-197-196:~ #
>
>
> ocm5-197-196:~ # dfm ldap find user1
> Warning: Failed to bind to ldap server '127.0.0.1' as user
> 'CN=Administrator,CN=Users,DC=<zz>,DC=<xx>,DC=<yy>,DC=com': Can't contact
> LDAP server
> Error: Failed to search for user1.
> ocm5-197-196:~ #
>
> NOTE: If I add active directory server IP in the above list, instead of
> 127.0.0.1, ldap authentication works fine.
>
> ocm5-197-196:~ # cat /etc/services
> ...
> .....
> ........
> #### This is a Manual Entry made by root user for AD authentication
> services & Stunnel Integration ########
> ldap-ha 8389/tcp # 2nd LDAP host for DC redundancy [Redirected
> to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
> ldap-ha 8389/udp # 2nd LDAP host for DC redundancy [Redirected
> to 2nd DC by Stunnel, see /etc/stunnel/stunnel.conf]
>
>
> ocm5-197-196:~ # stunnel /root/stunnel-4.54/tools/stunnel.conf
>
>
> stunnel.log:
>
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Clients allowed=500
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: stunnel 4.54 on
> x86_64-unknown-linux-gnu platform
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Compiled/running with
> OpenSSL 0.9.8a 11 Oct 2005
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Threading:PTHREAD
> SSL:+ENGINE Auth:none Sockets:POLL+IPv6
> 2013.01.02 14:00:42 LOG5[7102:47010476379680]: Reading configuration from
> file /root/stunnel-4.54/tools/stunnel.conf
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Compression not enabled
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Snagged 64 random bytes
> from /root/.rnd
> 2013.01.02 14:00:42 LOG7[7102:47010476379680]: Wrote 1024 new
>
>
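The two errors in this thread come from opposite ends of the tunnel: "SSL_accept ... unknown protocol" is logged by a server-mode service that received non-TLS bytes from the local application, while "SSL_connect: Peer suddenly disconnected" is logged by a client-mode service whose outbound handshake to the connect= target failed. The following Python triage is an added example, not code from the thread or from the stunnel project; it parses the stunnel 4.x log line layout quoted above and the sample log embedded in it is constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# stunnel 4.x log line layout as quoted in the thread:
#   "2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: ... unknown protocol"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)


@dataclass
class Entry:
    ts: str
    level: int  # syslog-style: 3 = error, 5 = notice, 7 = debug
    pid: int
    tid: int
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one stunnel log line; returns None for wrapped continuation text."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Entry(m["ts"], int(m["level"]), int(m["pid"]), int(m["tid"]), m["msg"])


def diagnose(e: Entry) -> Optional[str]:
    """Explain an error-level line by which side of the tunnel produced it."""
    if e.level > 3:
        return None
    if e.msg.startswith("SSL_accept:") and "unknown protocol" in e.msg:
        # Server mode: stunnel expected a TLS ClientHello from the local app but
        # got plaintext LDAP. An app -> stunnel -> LDAPS service needs client = yes.
        return "server-side: listener got non-TLS bytes from local app; service needs client = yes"
    if e.msg.startswith("SSL_connect:"):
        # Client mode: the outbound handshake to the connect= target failed, so the
        # remote TLS service, sslVersion, ciphers and verify/CAfile are what to check.
        return "client-side: handshake to connect= target failed; check remote TLS service, sslVersion, ciphers, verify/CAfile"
    return "other error: " + e.msg


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, diagnosis) for every error-level line in a log dump."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and (d := diagnose(e)) is not None:
            out.append((e.ts, d))
    return out


# Constructed sample in the thread's format (not a real capture).
SAMPLE_LOG = """\
2013.01.02 19:32:02 LOG7[18157:1073809728]: Service [ldap] started
2013.01.02 19:32:02 LOG3[18157:1073809728]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2013.01.02 19:32:02 LOG5[18157:1073809728]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.01.02 19:40:10 LOG3[18157:1073809728]: SSL_connect: Peer suddenly disconnected
"""

if __name__ == "__main__":
    for ts, why in triage(SAMPLE_LOG):
        print(ts, why)
```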