
I am using stunnel as a proxy to support SoapUI mock services which are used to test an SSL-based application. The SoapUI and stunnel proxy are running on an AWS Ubuntu 14.04 EC2 instance communicating with a Tomcat server running on a second AWS Ubuntu 14.04 EC2 instance. The target application uses a wildcard SSL certificate and works successfully when accessed using a desktop browser (Chrome or Firefox). The issue I am encountering is that the stunnel connection logs an "SSL closed on SSL_read" message as soon as the cipher suite is negotiated, as shown in the following stunnel.log:

2016.11.14 21:34:19 LOG7[5287:140430154716992]: Clients allowed=2000
2016.11.14 21:34:19 LOG5[5287:140430154716992]: stunnel 4.53 on x86_64-pc-linux-gnu platform
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Compiled with OpenSSL 1.0.1e 11 Feb 2013
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Running with OpenSSL 1.0.1f 6 Jan 2014
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Update OpenSSL shared libraries or rebuild stunnel
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Compression not enabled
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Snagged 64 random bytes from /home/ubuntu/.rnd
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Wrote 1024 new random bytes to /home/ubuntu/.rnd
2016.11.14 21:34:19 LOG7[5287:140430154716992]: PRNG seeded successfully
2016.11.14 21:34:19 LOG6[5287:140430154716992]: Initializing service section [resourceServer]
2016.11.14 21:34:19 LOG4[5287:140430154716992]: Insecure file permissions on /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Key file: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Private key loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Verify directory set to /etc/ssl/certs
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Added /etc/ssl/certs revocation lookup directory
2016.11.14 21:34:19 LOG7[5287:140430154716992]: SSL options set: 0x00000004
2016.11.14 21:34:19 LOG6[5287:140430154716992]: Initializing service section [tpserver]
2016.11.14 21:34:19 LOG4[5287:140430154716992]: Insecure file permissions on /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Certificate loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Key file: /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Private key loaded
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Verify directory set to /etc/ssl/certs
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Added /etc/ssl/certs revocation lookup directory
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Could not load DH parameters from /etc/stunnel/stunnel.pem
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Using hardcoded DH parameters
2016.11.14 21:34:19 LOG7[5287:140430154716992]: DH initialized with 2048-bit key
2016.11.14 21:34:19 LOG7[5287:140430154716992]: ECDH initialized with curve prime256v1
2016.11.14 21:34:19 LOG7[5287:140430154716992]: SSL options set: 0x00000004
2016.11.14 21:34:19 LOG5[5287:140430154716992]: Configuration successful
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Service [resourceServer] (FD=12) bound to 127.0.0.1:8080
2016.11.14 21:34:19 LOG7[5287:140430154716992]: Service [tpserver] (FD=13) bound to 127.0.0.1:8444
2016.11.14 21:34:19 LOG7[5293:140430154716992]: Created pid file /var/run/stunnel4.pid
2016.11.14 21:34:25 LOG7[5293:140430154716992]: Service [resourceServer] accepted (FD=3) from 127.0.0.1:41256
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Service [resourceServer] started
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Waiting for a libwrap process
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Acquired libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Releasing libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Released libwrap process #0
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Service [resourceServer] permitted by libwrap from 127.0.0.1:41256
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Service [resourceServer] accepted connection from 127.0.0.1:41256
2016.11.14 21:34:25 LOG6[5293:140430154827520]: connect_blocking: connecting 52.43.245.161:8443
2016.11.14 21:34:25 LOG7[5293:140430154827520]: connect_blocking: s_poll_wait 52.43.245.161:8443: waiting 10 seconds
2016.11.14 21:34:25 LOG5[5293:140430154827520]: connect_blocking: connected 52.43.245.161:8443
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Service [resourceServer] connected remote server from 172.31.44.97:34077
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Remote socket (FD=15) initialized
2016.11.14 21:34:25 LOG7[5293:140430154827520]: SNI: host name: 52.43.245.161
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate verification: depth=1, /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted: depth=1, /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA
2016.11.14 21:34:25 LOG7[5293:140430154827520]: Starting certificate verification: depth=0, /CN=*.greenbuttonalliance.org
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted: depth=0, /CN=*.greenbuttonalliance.org
2016.11.14 21:34:25 LOG6[5293:140430154827520]: SSL connected: new session negotiated
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Negotiated TLSv1/SSLv3 ciphersuite: AES128-SHA (128-bit encryption)
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Compression: null, expansion: null
2016.11.14 21:34:45 LOG7[5293:140430154827520]: SSL closed on SSL_read
2016.11.14 21:34:45 LOG7[5293:140430154827520]: Sent socket write shutdown
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Socket closed on read
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Sending close_notify alert
2016.11.14 21:34:56 LOG6[5293:140430154827520]: SSL_shutdown successfully sent close_notify alert
2016.11.14 21:34:56 LOG5[5293:140430154827520]: Connection closed: 342 byte(s) sent to SSL, 250 byte(s) sent to socket
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Remote socket (FD=15) closed
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Local socket (FD=3) closed
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Service [resourceServer] finished (0 left)

The stunnel.conf file contains the following configuration:

; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************

CApath = /etc/ssl/certs

; **************************************************************************
; * Logging *
; **************************************************************************

debug = 7
output = /home/ubuntu/Git/energyos/OpenESPI-GreenButtonCMDTest/SOAPUI/stunnel.log

; **************************************************************************
; * Service definitions (at least one service has to be defined) *
; **************************************************************************

; **************************************************************************
; * Resource Server *
; **************************************************************************

[resourceServer]
accept=localhost:8080
connect=52.43.245.161:8443
ciphers=AES128-SHA
client = yes
cert=/etc/stunnel/stunnel.pem
verify=0

[tpserver]
accept=127.0.0.1:8444
connect=localhost:8081
cert=/etc/stunnel/stunnel.pem
verify=0
client=no
ciphers=AES128-SHA

Are there any additional stunnel logging options or debugging techniques you can recommend to help determine why the session is being closed?

Does stunnel support wildcard-based certificates (i.e. *.greenbuttonalliance.org)?

Best regards,
Don

Donald F. Coffin
Technical Manager
Green Button Alliance
2335 Dunwoody Crossing Suite E
Dunwoody, GA 30338-8221
http://www.greenbuttonalliance.org
(949) 636-8571 Mobile
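An added example, not part of Don's e-mail or of stunnel itself: a small Python script that walks an excerpt of the stunnel.log quoted above (the sample lines are constructed from that log) and pulls out the three facts worth checking first in a trace like this: that verify=0 left the server's certificate chain unverified, that the SNI name sent was the IP literal taken from connect= (which a wildcard name such as *.greenbuttonalliance.org can never match), and how long after the handshake the remote side closed the TLS session.

```python
import re
from datetime import datetime

# Constructed sample: a handful of lines copied from the stunnel.log quoted in the e-mail.
SAMPLE_LOG = """\
2016.11.14 21:34:25 LOG7[5293:140430154827520]: SNI: host name: 52.43.245.161
2016.11.14 21:34:25 LOG6[5293:140430154827520]: CERT: Verification not enabled
2016.11.14 21:34:25 LOG5[5293:140430154827520]: Certificate accepted: depth=0, /CN=*.greenbuttonalliance.org
2016.11.14 21:34:25 LOG6[5293:140430154827520]: Negotiated TLSv1/SSLv3 ciphersuite: AES128-SHA (128-bit encryption)
2016.11.14 21:34:45 LOG7[5293:140430154827520]: SSL closed on SSL_read
2016.11.14 21:34:56 LOG7[5293:140430154827520]: Socket closed on read
2016.11.14 21:34:56 LOG5[5293:140430154827520]: Connection closed: 342 byte(s) sent to SSL, 250 byte(s) sent to socket
"""

# stunnel 4.x line layout: "<date> <time> LOG<level>[<pid>:<thread>]: <message>"
LINE_RE = re.compile(r"^(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
BYTES_RE = re.compile(r"(\d+) byte\(s\) sent to SSL, (\d+) byte\(s\) sent to socket")

def parse(log_text):
    """Yield (timestamp, level, message) for every well-formed stunnel log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"), int(m.group(2)), m.group(5)

def analyse(log_text):
    """Summarise one connection: verification state, SNI, idle time before the remote close, bytes moved."""
    s = {"verify_enabled": True, "sni": None, "sni_is_ip": False, "negotiated_at": None,
         "ssl_closed_at": None, "idle_seconds": None, "bytes_to_ssl": None, "bytes_to_socket": None}
    for ts, _level, msg in parse(log_text):
        if msg == "CERT: Verification not enabled":        # verify=0: the peer chain is never checked
            s["verify_enabled"] = False
        elif msg.startswith("SNI: host name: "):
            s["sni"] = msg[len("SNI: host name: "):]
            s["sni_is_ip"] = bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s["sni"]))  # IPv4 literal, not a DNS name
        elif msg.startswith("Negotiated "):                 # handshake finished here
            s["negotiated_at"] = ts
        elif msg == "SSL closed on SSL_read":               # the remote side closed the TLS session
            s["ssl_closed_at"] = ts
        elif msg.startswith("Connection closed: "):
            m = BYTES_RE.search(msg)
            s["bytes_to_ssl"], s["bytes_to_socket"] = int(m.group(1)), int(m.group(2))
    if s["negotiated_at"] and s["ssl_closed_at"]:
        s["idle_seconds"] = (s["ssl_closed_at"] - s["negotiated_at"]).total_seconds()
    return s

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print(f"SNI={r['sni']!r} (IP literal: {r['sni_is_ip']}), verification enabled: {r['verify_enabled']}, "
          f"remote closed {r['idle_seconds']:.0f}s after handshake, {r['bytes_to_ssl']} B out / {r['bytes_to_socket']} B back")
```

On the quoted log the script reports a close 20 s after the handshake with 250 bytes already returned to SoapUI, so the server answered and then dropped an idle connection; that interval is the one to compare against the backend's keep-alive or connection timeout.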