[stunnel-users] Intermittent error in 042_inetd
Eric S Eberhard
flash at vicsmba.com
Mon Jul 9 23:19:46 CEST 2018
The 50% could be because the server side is not fully updated - we have this
problem a lot with very large companies that should know better (and in
reality should overlap instead of changing over - meaning allow SSLv3 for 3
months or something while also accepting TLSv2.
A very good way to test is to get a telnet program. Then "telnent localhost
port#" - the port # being the port number stunnel is running on. This will
remove all variables except stunnel and allow you to see the output. It
could be you are connecting fine and failing some other authentication like
a login - which you can see often with telnet. And set your firewall to not
allow telnet on port 23. Also, we have found stunnel MUCH more reliable
under inetd (if you are on Unix of course) than as a stand-alone server. A
little performance loss that is unnoticeable to us - big customers exchange
2-4 million XML documents a day (using stunnel) so inetd is definitely not
the most efficient way, but the machines are so darn fast it seems not to
matter.
The certificates have become more painful but I have never had to use an
official signed one. I make my own with openssl. However, there are
intermediate ones that are needed from whomever you connect to if they have
a signed certificate - say from Verisign - you may need your certificate and
Verisigns, etc - in a chain.
I use "cacert" to set to a large file of .pem certificates - which I simply
download from the Web (available all over, some work, some don't. When you
get one that works . then use it. You can modify them by adding anything
not found in the file. Supposedly the cacert file I have now is good till
2020 for the big names.
You can also use openssl to get the certificate from the server - just ask
and you shall receive. It should have the entire chain.
I used to have on massive cacert for everyone and it was getting out of
hand. As tacky as it is, I just make a cacert.pem file for every connection
(e.g. Walmart, Fedex, Target, whatever). This allows working connections to
keep working while you fiddle with a tricky one.
Eric
Eric S Eberhard
VICS (Vertical Integrated Computer Systems)
Voice: 928 567 3529
Cell : 928 301 7537 (not reliable except for text or if not home)
2933 W Middle Verde Rd
Camp Verde, AZ 86322
From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of
Ian Bamforth
Sent: Wednesday, July 04, 2018 9:00 AM
To: stunnel-users at stunnel.org
Subject: [stunnel-users] Intermittent error in 042_inetd
Afternoon,
Until recently we'd disabled `make test` because of certificate problems -
we've re-enabled it (using `make check`) but are getting intermittent
failures (around 50% of CI runs). Below is the output from the logs - I
can't see what's gone wrong, can anyone shed any light?
2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648
2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())
2018.07.04 09:59:36 LOG7[ui]: Compression disabled
2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required
2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02004004 (+0x00004000,
-0x00000000)
2018.07.04 09:59:36 LOG7[ui]: Private key check succeeded
2018.07.04 09:59:36 LOG7[ui]: ECDH initialization
2018.07.04 09:59:36 LOG7[ui]: ECDH initialized with curve prime256v1
2018.07.04 09:59:36 LOG7[ui]: Binding service [server]
2018.07.04 09:59:36 LOG7[ui]: Listening file descriptor created (FD=6)
2018.07.04 09:59:36 LOG7[ui]: Setting accept socket options (FD=6)
2018.07.04 09:59:36 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.07.04 09:59:36 LOG7[main]: Created pid file
/opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid
2018.07.04 09:59:36 LOG7[cron]: Cron thread initialized
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: Service [server] accepted (FD=3) from
127.0.0.1:58890
2018.07.04 09:59:36 LOG7[0]: Service [server] started
2018.07.04 09:59:36 LOG7[0]: Setting local socket options (FD=3)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on local socket
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: SNI: no virtual services defined
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server
hello
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write key
exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server done
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client key
exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read change
cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS read finished
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write change
cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (accept): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: New session callback
2018.07.04 09:59:36 LOG7[0]: 1 server accept(s) requested
2018.07.04 09:59:36 LOG7[0]: 1 server accept(s) succeeded
2018.07.04 09:59:36 LOG7[0]: 0 server renegotiation(s) requested
2018.07.04 09:59:36 LOG7[0]: 0 session reuse(s)
2018.07.04 09:59:36 LOG7[0]: 1 internal session cache item(s)
2018.07.04 09:59:36 LOG7[0]: 0 internal session cache fill-up(s)
2018.07.04 09:59:36 LOG7[0]: 0 internal session cache miss(es)
2018.07.04 09:59:36 LOG7[0]: 0 external session cache hit(s)
2018.07.04 09:59:36 LOG7[0]: 0 expired session(s) retrieved
2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null
2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=10)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) initialized
2018.07.04 09:59:36 LOG7[0]: TLS alert (read): warning: close notify
2018.07.04 09:59:36 LOG7[0]: Sent socket write shutdown
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=10) closed
2018.07.04 09:59:36 LOG7[0]: Local descriptor (FD=3) closed
2018.07.04 09:59:36 LOG7[0]: Service [server] finished (0 left)
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe
2018.07.04 09:59:36 LOG7[main]: Processing SIGCHLD
2018.07.04 09:59:36 LOG7[main]: Retrieving pid statuses with waitpid()
2018.07.04 09:59:36 LOG7[ui]: Clients allowed=14648
2018.07.04 09:59:36 LOG7[ui]: errno: (*__errno_location ())
2018.07.04 09:59:36 LOG7[ui]: Compression disabled
2018.07.04 09:59:36 LOG7[ui]: No PRNG seeding was required
2018.07.04 09:59:36 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2018.07.04 09:59:36 LOG7[ui]: TLS options: 0x02000004 (+0x00000000,
-0x00000000)
2018.07.04 09:59:36 LOG7[ui]: No certificate or private key specified
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] started
2018.07.04 09:59:36 LOG7[0]: s_connect: s_poll_wait 127.0.0.1:4433: waiting
10 seconds
2018.07.04 09:59:36 LOG7[0]: Setting remote socket options (FD=3)
2018.07.04 09:59:36 LOG7[0]: Option TCP_NODELAY set on remote socket
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) initialized
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): before SSL initialization
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client
hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server
hello
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server
certificate
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server key
exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write client key
exchange
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write change
cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read change
cipher spec
2018.07.04 09:59:36 LOG7[0]: TLS state (connect): SSLv3/TLS read finished
2018.07.04 09:59:36 LOG7[0]: New session callback
2018.07.04 09:59:36 LOG7[0]: Peer certificate was cached (1241 bytes)
2018.07.04 09:59:36 LOG7[0]: 1 client connect(s) requested
2018.07.04 09:59:36 LOG7[0]: 1 client connect(s) succeeded
2018.07.04 09:59:36 LOG7[0]: 0 client renegotiation(s) requested
2018.07.04 09:59:36 LOG7[0]: 0 session reuse(s)
2018.07.04 09:59:36 LOG7[0]: Compression: null, expansion: null
2018.07.04 09:59:36 LOG7[0]: Sending close_notify alert
2018.07.04 09:59:36 LOG7[0]: TLS alert (write): warning: close notify
2018.07.04 09:59:36 LOG7[0]: Remote descriptor (FD=3) closed
2018.07.04 09:59:36 LOG7[0]: Service [inetd client] finished (0 left)
2018.07.04 09:59:36 LOG7[0]: Deallocating section defaults
2018.07.04 09:59:36 LOG7[main]: Found 1 ready file descriptor(s)
2018.07.04 09:59:36 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.07.04 09:59:36 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.07.04 09:59:36 LOG7[main]: Dispatching a signal from the signal pipe
2018.07.04 09:59:36 LOG7[main]: Processing SIGNAL_TERMINATE
2018.07.04 09:59:36 LOG7[main]: Leak detection table utilization: 86/997,
8.63%
2018.07.04 09:59:36 LOG7[main]: Removed pid file
/opt/stunnel/stunnel-5.48/tests/logs/stunnel.pid
2018.07.04 09:59:36 LOG7[main]: Deallocating section defaults
Regards,
Ian Bamforth
Senior Software Engineer
Operations & Planning Systems Division
T: <tel:00441133443970> +44 (0)113 344 3970
M: <tel:00447852404240> +44 (0)7852 404240
E: <mailto:Ian.Bamforth at tracsis.com> Ian.Bamforth at tracsis.com
W: <https://www.tracsis.com> www.tracsis.com
<http://www.tracsisops.com> www.tracsisops.com
Follow Us
<https://www.linkedin.com/company/972873?trk=tyah&trkInfo=idx:1-1-1,tarId:14
20795682492,tas:tracsis> <https://www.twitter.com/tracsis>
Tracsis plc
Leeds Innovation Centre
103 Clarendon Road
Leeds
LS2 9DF
<https://static.tracsis.com/email/award4.png>
Tracsis Operations and Planning Systems Division is a Division of Tracsis
plc and comprises Tracsis plc (05019106), Tracsis Rail Consultancy Limited
(05047148), Safety Information Systems Limited trading as COMPASS (02588404)
and Tracsis Retail and Operations Limited (04225250), all subsidiaries of
Tracsis plc with a registered office at Leeds Innovation Centre,103
Clarendon Road, Leeds, LS2 9DF. VAT Registration No: 945 7876 61. This email
and its attachments may be confidential and are intended solely for the use
of the individual(s) to whom it is addressed. If you are not the intended
recipient of this email and its attachments, you must take no action based
upon them, nor must you copy or show them to anyone. Please contact the
sender if you believe you have received this email in error.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180709/4f04ee5e/attachment.html>
More information about the stunnel-users
mailing list