[stunnel-users] Stunnel4 not working?
David H. Durgee
dhdurgee at verizon.net
Fri May 8 23:27:09 CEST 2015
At some point in the near past stunnel stopped working on my laptop.
The laptop is running Linux Mint 17.1 Rebecca x64 and stunnel from the
repositories. I enabled debug=7, but I am not getting much from the log:
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Clients allowed=500
2015.05.08 17:12:06 LOG5[10804:140318864611136]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Compiled with OpenSSL 1.0.1e 11 Feb 2013
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Running with OpenSSL 1.0.1f 6 Jan 2014
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Update OpenSSL shared libraries or rebuild stunnel
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Reading configuration from file /etc/stunnel/stunnel.conf
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Compression not enabled
2015.05.08 17:12:06 LOG7[10804:140318864611136]: PRNG seeded successfully
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [telnets]
2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG6[10804:140318864611136]: Initializing service section [dsp3270s]
2015.05.08 17:12:06 LOG4[10804:140318864611136]: Insecure file permissions on /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Certificate loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Key file: /etc/ssl/certs/stunnel.pem
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Private key loaded
2015.05.08 17:12:06 LOG7[10804:140318864611136]: SSL options set: 0x00000004
2015.05.08 17:12:06 LOG5[10804:140318864611136]: Configuration successful
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [telnets] (FD=12) bound to 0.0.0.0:3141
2015.05.08 17:12:06 LOG7[10804:140318864611136]: Service [dsp3270s] (FD=13) bound to 0.0.0.0:7490
2015.05.08 17:12:06 LOG7[10810:140318864611136]: Created pid file /stunnel4.pid
2015.05.08 17:12:31 LOG7[10810:140318864611136]: Service [telnets] accepted (FD=3) from 127.0.0.1:40090
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] started
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Acquired libwrap process #0
2015.05.08 17:12:31 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)
2015.05.08 17:12:31 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Local socket (FD=3) closed
2015.05.08 17:12:31 LOG7[10810:140318864770816]: Service [telnets] finished (0 left)
2015.05.08 17:12:31 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
2015.05.08 17:13:32 LOG7[10810:140318864611136]: Service [dsp3270s] accepted (FD=3) from 127.0.0.1:48534
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] started
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Waiting for a libwrap process
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Acquired libwrap process #1
2015.05.08 17:13:32 LOG3[10810:140318864770816]: Unexpected socket close (read_blocking)
2015.05.08 17:13:32 LOG5[10810:140318864770816]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Local socket (FD=3) closed
2015.05.08 17:13:32 LOG7[10810:140318864770816]: Service [dsp3270s] finished (0 left)
2015.05.08 17:13:32 LOG7[10810:140318864770816]: str_stats: 1 block(s), 32 data byte(s), 58 control byte(s)
I don't even see the IP address for the outbound connection, so it seems
as if it is hitting a problem even before it gets that far.
Configuration is pretty simple:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
socket = l:TCP_KEEPCNT=5
socket = r:TCP_KEEPCNT=5
socket = l:TCP_KEEPIDLE=10
socket = r:TCP_KEEPIDLE=10
socket = l:TCP_KEEPINTVL=2
socket = r:TCP_KEEPINTVL=2
;compression = zlib
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[telnets]
accept = 3141
;connect = 192.168.80.11:992
;connect = DurgeeEnterprises.publicvm.com:992
connect = 192.168.80.5:992
[dsp3270s]
accept = 7490
;connect = 192.168.80.11:246
;connect = DurgeeEnterprises.publicvm.com:246
connect = 192.168.80.5:246
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
; vim:ft=dosini
Any thoughts on how to track this down and get this working?
Dave