[stunnel-users] Stunnel4 not working?

David H. Durgee dhdurgee at verizon.net
Fri May 8 23:27:09 CEST 2015


At some point in the near past stunnel stopped working on my laptop.  
The laptop is running Linux Mint 17.1 Rebecca x64 and stunnel from the 
repositories.  I enabled debug=7, but I am not getting much from the log:


2015.05.08 17:12:06 LOG7[10804:140318864611136]: Clients allowed=500
2015.05.08 17:12:06 LOG5[10804:140318864611136]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Compiled with OpenSSL 1.0.1e 11 Feb 2013
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Running  with OpenSSL 1.0.1f 6 Jan 2014
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Update OpenSSL shared libraries or rebuild stunnel
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Reading configuration from file /etc/stunnel/stunnel.conf
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Compression not enabled
2015.05.08 17:12:06 LOG7[10804:140318864611136]: PRNG seeded successfully
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [telnets]
2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [dsp3270s]
2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Configuration successful
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [telnets] (FD=12) bound to 0.0.0.0:3141
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [dsp3270s] (FD=13) bound to 0.0.0.0:7490
2015.05.08 17:12:06 LOG7[10810:140318864611136]: Created pid file /stunnel4.pid
2015.05.08 17:12:31 LOG7[10810:140318864611136]: Service [telnets] accepted (FD=3) from 127.0.0.1:40090
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] started
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Acquired libwrap process #0
2015.05.08 17:12:31 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)
2015.05.08 17:12:31 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Local socket (FD=3) closed
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] finished (0 left)
2015.05.08 17:12:31 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2015.05.08 17:13:32 LOG7[10810:140318864611136]: Service [dsp3270s] accepted (FD=3) from 127.0.0.1:48534
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] started
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Acquired libwrap process #1
2015.05.08 17:13:32 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)
2015.05.08 17:13:32 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Local socket (FD=3) closed
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] finished (0 left)
2015.05.08 17:13:32 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)


I don't even see the IP address for the outbound connection, so it seems 
as if it is hitting a problem even before it gets that far. 
Configuration is pretty simple:

; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

socket = l:TCP_KEEPCNT=5
socket = r:TCP_KEEPCNT=5

socket = l:TCP_KEEPIDLE=10
socket = r:TCP_KEEPIDLE=10

socket = l:TCP_KEEPINTVL=2
socket = r:TCP_KEEPINTVL=2

;compression = zlib

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
client = yes

; Service-level configuration

[telnets]
accept = 3141
;connect = 192.168.80.11:992
;connect = DurgeeEnterprises.publicvm.com:992
connect = 192.168.80.5:992


[dsp3270s]
accept = 7490
;connect = 192.168.80.11:246
;connect = DurgeeEnterprises.publicvm.com:246
connect = 192.168.80.5:246

;[pop3s]
;accept  = 995
;connect = 110

;[imaps]
;accept  = 993
;connect = 143

;[ssmtp]
;accept  = 465
;connect = 25

;[https]
;accept  = 443
;connect = 80
;TIMEOUTclose = 0

; vim:ft=dosini


Any thoughts on how to track this down and get this working?

Dave
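
Added example, not part of the original post: a small triage script for a stunnel debug log like the one above. It rejoins records that a mail client has hard-wrapped, groups them into per-thread "started" to "finished" sessions, and reports for each session the warning/error records and whether the service's configured `connect` address ever appeared. The function names and the `remotes` mapping are choices made for this example.

```python
import re

# stunnel log record header: timestamp, syslog level, [pid:thread], message.
RECORD = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG(\d)\[\d+:(\d+)\]: (.*)$")
SERVICE = re.compile(r"^Service \[(\S+)\] (started|finished)")

def parse(text):
    """Return [level, thread, message] records, rejoining hard-wrapped lines."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([int(m.group(1)), m.group(2), m.group(3).strip()])
        elif line.strip() and records:
            records[-1][2] += " " + line.strip()  # continuation of previous record
    return records

def sessions(records, remotes):
    """Summarise each session; remotes maps service name -> 'connect' address."""
    active, done = {}, []
    for level, thread, msg in records:
        m = SERVICE.match(msg)
        if m and m.group(2) == "started":
            active[thread] = {"service": m.group(1), "remote_seen": False, "problems": []}
            continue
        s = active.get(thread)
        if s is None:
            continue  # startup or listener-thread record, not part of a session
        remote = remotes.get(s["service"])
        if remote and remote in msg:
            s["remote_seen"] = True
        if level <= 4:  # syslog levels: 4 = warning, 3 = error
            s["problems"].append(msg)
        if m and m.group(2) == "finished":
            done.append(active.pop(thread))
    return done

# Excerpt of the log in the post; three records are hard-wrapped.
SAMPLE = """\
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] started
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Acquired libwrap process #0
2015.05.08 17:12:31 LOG3[10810:140318864770816]: Unexpected socket close
(read_blocking)
2015.05.08 17:12:31 LOG5[10810:140318864770816]: Connection reset: 0
byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets]
finished (0 left)
"""
```

Calling `sessions(parse(SAMPLE), {"telnets": "192.168.80.5:992"})` returns one session for `telnets` with `remote_seen` false and the LOG3 record as its only problem.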


