
Hi, I'm running Hybrid-7.2 on two PCs, one of which has a dynamic IP. As Hybrid wants a static IP and not a hostname in its connect section, we are trying to use stunnel to encrypt server<->server communication.

Server 1 specs (to which I'm connecting), running FreeBSD 6.3:
***********************************************

# stunnel -version
stunnel 4.05 on amd64-unknown-freebsd5.3 PTHREAD+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004

Global options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /usr/local/etc/stunnel/stunnel.pem
pid = /var/tmp/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

# gcc -v
Using built-in specs.
Configured with: FreeBSD/amd64 system compiler
Thread model: posix
gcc version 3.4.6 [FreeBSD] 20060305

# uname
FreeBSD 6.3-STABLE FreeBSD 6.3-STABLE #6: Tue Jan 22 13:23:51 GMT 2008 root@:/usr/obj/usr/src/sys/SVR1 amd64

Server 2 specs (from which I'm connecting via stunnel as a client), running OpenBSD 4.2:
******************************************************************

# stunnel -version
stunnel 4.20 on i386-unknown-openbsd4.2 with OpenSSL 0.9.7j 04 May 2006
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug = 5
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/arandom
RNDoverwrite = yes

Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
key = /etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd4.2/3.3.5/specs
Configured with:
Thread model: single
gcc version 3.3.5 (propolice)

# cat stunnel.conf
cert = /etc/ssl/private/stunnel.pem
key = /etc/ssl/private/rsa.key
setuid = _stunnel
setgid = _stunnel
pid = /var/run/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
foreground = yes

[irc]
client = yes
accept = localhost:994
connect = xxx.xxx.xxx.xxx:994

Here's the debug logged to stderr:

# stunnel
2008.02.08 19:34:54 LOG7[11904:2237644800]: Snagged 64 random bytes from /dev/arandom
2008.02.08 19:34:54 LOG7[11904:2237644800]: RAND_status claims sufficient entropy for the PRNG
2008.02.08 19:34:54 LOG7[11904:2237644800]: PRNG seeded successfully
2008.02.08 19:34:54 LOG7[11904:2237644800]: Certificate: /etc/ssl/private/stunnel.pem
2008.02.08 19:34:54 LOG7[11904:2237644800]: Certificate loaded
2008.02.08 19:34:54 LOG7[11904:2237644800]: Key file: /etc/ssl/private/rsa.key
2008.02.08 19:34:54 LOG7[11904:2237644800]: Private key loaded
2008.02.08 19:34:54 LOG7[11904:2237644800]: SSL context initialized for service irc
2008.02.08 19:34:54 LOG5[11904:2237644800]: stunnel 4.20 on i386-unknown-openbsd4.2 with OpenSSL 0.9.7j 04 May 2006
2008.02.08 19:34:54 LOG5[11904:2237644800]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.02.08 19:34:54 LOG6[11904:2237644800]: file ulimit = 128 (can be changed with 'ulimit -n')
2008.02.08 19:34:54 LOG6[11904:2237644800]: poll() used - no FD_SETSIZE limit for file descriptors
2008.02.08 19:34:54 LOG5[11904:2237644800]: 61 clients allowed
2008.02.08 19:34:54 LOG7[11904:2237644800]: FD 6 in non-blocking mode
2008.02.08 19:34:54 LOG7[11904:2237644800]: FD 7 in non-blocking mode
2008.02.08 19:34:54 LOG7[11904:2237644800]: FD 8 in non-blocking mode
2008.02.08 19:34:54 LOG7[11904:2237644800]: SO_REUSEADDR option set on accept socket
2008.02.08 19:34:54 LOG7[11904:2237644800]: irc bound to 127.0.0.1:994
2008.02.08 19:34:54 LOG7[11904:2237644800]: Created pid file /var/run/stunnel.pid
2008.02.08 19:35:15 LOG7[11904:2237644800]: irc accepted FD=9 from 127.0.0.1:8579
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc started
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 9 in non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: TCP_NODELAY option set on local socket
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 10 in non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 11 in non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: Connection from 127.0.0.1:8579 permitted by libwrap
2008.02.08 19:35:15 LOG5[11904:2336256000]: irc accepted connection from 127.0.0.1:8579
2008.02.08 19:35:15 LOG7[11904:2336256000]: FD 10 in non-blocking mode
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc connecting 69.50.175.50:994
2008.02.08 19:35:15 LOG7[11904:2336256000]: connect_wait: waiting 10 seconds
2008.02.08 19:35:15 LOG7[11904:2237644800]: Cleaning up the signal pipe
2008.02.08 19:35:15 LOG6[11904:2237644800]: Child process 26562 finished with code 0
2008.02.08 19:35:15 LOG7[11904:2336256000]: connect_wait: connected
2008.02.08 19:35:15 LOG5[11904:2336256000]: irc connected remote server from 192.168.1.101:42954
2008.02.08 19:35:15 LOG7[11904:2336256000]: Remote FD=10 initialized
2008.02.08 19:35:15 LOG7[11904:2336256000]: TCP_NODELAY option set on remote socket
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): before/connect initialization
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 write client hello A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 read server hello A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 read server certificate A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 read server done A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 write client key exchange A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 write change cipher spec A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 write finished A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 flush data
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 read finished A
2008.02.08 19:35:15 LOG7[11904:2336256000]: 1 items in the session cache
2008.02.08 19:35:15 LOG7[11904:2336256000]: 1 client connects (SSL_connect())
2008.02.08 19:35:15 LOG7[11904:2336256000]: 1 client connects that finished
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0 client renegotiations requested
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0 server connects (SSL_accept())
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0 server connects that finished
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0 server renegotiations requested
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0 session cache hits
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0 session cache misses
2008.02.08 19:35:15 LOG7[11904:2336256000]: 0 session cache timeouts
2008.02.08 19:35:15 LOG6[11904:2336256000]: SSL connected: new session negotiated
2008.02.08 19:35:15 LOG6[11904:2336256000]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2008.02.08 19:35:15 LOG3[11904:2336256000]: SSL_read: Connection reset by peer (54)
2008.02.08 19:35:15 LOG5[11904:2336256000]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc finished (0 left)

What is going on here with "SSL_read: Connection reset by peer (54)"? This process keeps repeating itself without the ircds linking.

- S
participants (1): Strykar
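Editor's note, added example (not from the post, and not stunnel's own code): the quickest way to read a stunnel 4.x debug dump like the one above is to group the lines by the thread id in the LOG brackets (stunnel 4.x runs one thread per tunnelled connection) and record how far each connection got. The summariser below does that over a trimmed copy of the posted log and reports, for the connection thread, that the TCP connect succeeded, the SSLv3 handshake completed with AES256-SHA, and the peer reset the connection before a single application byte crossed in either direction. That ordering matters: a reset after a finished handshake with 0 bytes both ways came from the far end of the TCP connection, so the next place to look is the server-side stunnel's own debug log and whatever it connects to, not the client config. The function and class names are mine; the sample lines are copied from the post. A side observation the page supports: the posted stunnel.conf sets no verify option, so stunnel's default (verify = none, as the -version output shows) applies and the client accepts any server certificate; that has nothing to do with the reset, but it means the tunnel does not authenticate the remote end.

```python
"""Summarise per-connection outcome from stunnel 4.x debug output.

Added example. Groups "LOGn[pid:thread]: message" lines by thread id and
records, per connection: remote target, TCP connect, TLS handshake states,
negotiated cipher, byte counters and the error that ended the connection.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# stunnel 4.x debug line: "2008.02.08 19:35:15 LOG7[11904:2336256000]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)
RESET_RE = re.compile(r"Connection reset: (\d+) bytes sent to SSL, (\d+) bytes sent to socket")

# Trimmed from the log in the post (constructed sample input for this example).
SAMPLE_LOG = """\
2008.02.08 19:34:54 LOG7[11904:2237644800]: irc bound to 127.0.0.1:994
2008.02.08 19:35:15 LOG7[11904:2237644800]: irc accepted FD=9 from 127.0.0.1:8579
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc started
2008.02.08 19:35:15 LOG5[11904:2336256000]: irc accepted connection from 127.0.0.1:8579
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc connecting 69.50.175.50:994
2008.02.08 19:35:15 LOG7[11904:2336256000]: connect_wait: waiting 10 seconds
2008.02.08 19:35:15 LOG7[11904:2336256000]: connect_wait: connected
2008.02.08 19:35:15 LOG5[11904:2336256000]: irc connected remote server from 192.168.1.101:42954
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 write client hello A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 read server hello A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 read server certificate A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 write finished A
2008.02.08 19:35:15 LOG7[11904:2336256000]: SSL state (connect): SSLv3 read finished A
2008.02.08 19:35:15 LOG6[11904:2336256000]: SSL connected: new session negotiated
2008.02.08 19:35:15 LOG6[11904:2336256000]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2008.02.08 19:35:15 LOG3[11904:2336256000]: SSL_read: Connection reset by peer (54)
2008.02.08 19:35:15 LOG5[11904:2336256000]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.02.08 19:35:15 LOG7[11904:2336256000]: irc finished (0 left)
"""


@dataclass
class Conn:
    tid: str
    remote: Optional[str] = None
    tcp_connected: bool = False
    tls_connected: bool = False
    cipher: Optional[str] = None
    error: Optional[str] = None
    bytes_to_ssl: Optional[int] = None
    bytes_to_socket: Optional[int] = None
    handshake_states: list = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one stunnel debug line into ts / level / pid / tid / msg, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    return rec


def summarize(lines) -> dict:
    """Return {thread id: Conn} for every connection thread seen in the log."""
    conns: dict = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg, tid = rec["msg"], rec["tid"]
        # A connection thread announces itself with "<service> started"; the
        # main (accept) thread is deliberately left out of the summary.
        if msg.endswith(" started") or " connecting " in msg:
            conns.setdefault(tid, Conn(tid))
        if tid not in conns:
            continue
        c = conns[tid]
        if " connecting " in msg:
            c.remote = msg.rsplit(" ", 1)[1]
        elif msg.startswith("connect_wait: connected") or " connected remote server" in msg:
            c.tcp_connected = True
        elif msg.startswith("SSL state (connect): "):
            c.handshake_states.append(msg.split(": ", 1)[1])
        elif msg.startswith("SSL connected"):
            c.tls_connected = True
        elif msg.startswith("Negotiated ciphers: "):
            c.cipher = msg.split(": ", 1)[1].split()[0]
        elif rec["level"] <= 3:          # LOG3 and below are stunnel errors
            c.error = msg
        else:
            m = RESET_RE.match(msg)
            if m:
                c.bytes_to_ssl, c.bytes_to_socket = int(m.group(1)), int(m.group(2))
    return conns


def diagnose(c: Conn) -> str:
    """One-line reading of where a connection died."""
    if not c.tcp_connected:
        return "tcp connect failed"
    if not c.tls_connected:
        last = c.handshake_states[-1] if c.handshake_states else "?"
        return f"tls handshake failed after state: {last}"
    if c.error and c.bytes_to_ssl == 0 and c.bytes_to_socket == 0:
        return "peer closed after handshake, before any data"
    if c.error:
        return "error mid-stream"
    return "ok"


if __name__ == "__main__":
    for c in summarize(SAMPLE_LOG.splitlines()).values():
        print(f"thread {c.tid} -> {c.remote}: cipher={c.cipher} {diagnose(c)}")
```

Run it as-is to see the posted connection summarised; point it at a full stunnel debug log (debug = 7) on both ends to compare what the client saw with what the server-side stunnel logged for the same second.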