Hi,

we would like to use stunnel in transparent mode. Therefore we already applied
the iptables changes as mentioned in the man page:

Re-write address to appear as if wrapped daemon is connecting from the SSL
client machine instead of the machine running stunnel.

    This option is currently available in:

        remote mode (connect option) on Linux >=2.6.28

    Linux >=2.6.28 requires the following setup for iptables and routing
    (possibly in /etc/rc.local or equivalent file):

        iptables -t mangle -N DIVERT
        iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
        iptables -t mangle -A DIVERT -j MARK --set-mark 1
        iptables -t mangle -A DIVERT -j ACCEPT
        ip rule add fwmark 1 lookup 100
        ip route add local 0.0.0.0/0 dev lo table 100

However, the connection to the services cannot be established and we run into a
timeout.


2015.02.09 10:00:03 LOG7[6658:139940568909760]: ldaps-in accepted FD=12 from xxxxxx:51018
2015.02.09 10:00:03 LOG7[6658:139940568905472]: ldaps-in started
2015.02.09 10:00:03 LOG7[6658:139940568905472]: FD 12 in non-blocking mode
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Waiting for a libwrap process
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Acquired libwrap process #0
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Releasing libwrap process #0
2015.02.09 10:00:03 LOG7[6658:139940568905472]: Released libwrap process #0
2015.02.09 10:00:03 LOG7[6658:139940568905472]: ldaps-in permitted by libwrap from xxxxxxx:51018
2015.02.09 10:00:03 LOG5[6658:139940568905472]: ldaps-in accepted connection from xxxxxxx:51018
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): before/accept initialization
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 read client hello A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write server hello A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write certificate A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write server done A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 flush data
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 read client key exchange A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 read finished A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write change cipher spec A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 write finished A
2015.02.09 10:00:03 LOG7[6658:139940568905472]: SSL state (accept): SSLv3 flush data
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    1 items in the session cache
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 client connects (SSL_connect())
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 client connects that finished
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 client renegotiations requested
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    1 server connects (SSL_accept())
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    1 server connects that finished
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 server renegotiations requested
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 session cache hits
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 external session cache hits
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 session cache misses
2015.02.09 10:00:03 LOG7[6658:139940568905472]:    0 session cache timeouts
2015.02.09 10:00:03 LOG6[6658:139940568905472]: SSL accepted: new session negotiated
2015.02.09 10:00:03 LOG6[6658:139940568905472]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2015.02.09 10:00:03 LOG7[6658:139940568905472]: FD 13 in non-blocking mode
2015.02.09 10:00:03 LOG6[6658:139940568905472]: local_bind succeeded on the original port
2015.02.09 10:00:03 LOG6[6658:139940568905472]: connect_blocking: connecting 127.0.0.1:10389
2015.02.09 10:00:03 LOG7[6658:139940568905472]: connect_blocking: s_poll_wait 127.0.0.1:10389: waiting 10 seconds
2015.02.09 10:00:13 LOG3[6658:139940568905472]: connect_blocking: s_poll_wait 127.0.0.1:10389: timeout
2015.02.09 10:00:13 LOG5[6658:139940568905472]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.02.09 10:00:13 LOG7[6658:139940568905472]: ldaps-in finished (0 left)

Any idea why the timeout is occurring?

Best regards,
Shushant

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
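The failure signature in the log above (the TLS handshake completes, the transparent-mode `local_bind` succeeds, then `connect_blocking` to the backend times out with no bytes relayed) can be picked out of stunnel debug logs automatically, which is useful for monitoring a transparent-mode deployment. This is an added detector written for this page, not code from stunnel or from the poster; it assumes the log line format shown above and uses a constructed, abbreviated copy of that excerpt as sample input.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: an abbreviated copy of the log excerpt quoted in the post.
SAMPLE_LOG = """\
2015.02.09 10:00:03 LOG7[6658:139940568905472]: ldaps-in started
2015.02.09 10:00:03 LOG5[6658:139940568905472]: ldaps-in accepted connection from xxxxxxx:51018
2015.02.09 10:00:03 LOG6[6658:139940568905472]: local_bind succeeded on the original port
2015.02.09 10:00:03 LOG6[6658:139940568905472]: connect_blocking: connecting 127.0.0.1:10389
2015.02.09 10:00:03 LOG7[6658:139940568905472]: connect_blocking: s_poll_wait 127.0.0.1:10389: waiting 10 seconds
2015.02.09 10:00:13 LOG3[6658:139940568905472]: connect_blocking: s_poll_wait 127.0.0.1:10389: timeout
2015.02.09 10:00:13 LOG5[6658:139940568905472]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2015.02.09 10:00:13 LOG7[6658:139940568905472]: ldaps-in finished (0 left)
"""

# One stunnel log line: "<date> <time> LOG<level>[<pid>:<tid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

def parse_stunnel_log(text):
    """Yield (timestamp, level, thread id, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
                   int(m["level"]), m["tid"], m["msg"])

def find_backend_timeouts(text):
    """Return one record per stunnel thread whose backend connect timed out."""
    per_thread = defaultdict(dict)   # state is tracked per connection thread
    for ts, level, tid, msg in parse_stunnel_log(text):
        st = per_thread[tid]
        if "accepted connection from " in msg:
            st["client"] = msg.rsplit("from ", 1)[1]
        elif msg.startswith("local_bind succeeded"):   # transparent source mode in use
            st["transparent"] = True
        elif msg.startswith("connect_blocking: connecting "):
            st["target"], st["connect_at"] = msg.rsplit(" ", 1)[1], ts
        elif level == 3 and msg.startswith("connect_blocking") and msg.endswith(": timeout"):
            st["timeout_at"] = ts
    return [
        {"thread": tid, "client": st.get("client"), "target": st.get("target"),
         "transparent": st.get("transparent", False),
         "seconds": int((st["timeout_at"] - st["connect_at"]).total_seconds())}
        for tid, st in per_thread.items()
        if "timeout_at" in st and "connect_at" in st
    ]
```

Each returned record names the client, the backend that never answered, whether the connection was being made with a rewritten source address, and how long stunnel waited; a stream of such records for a backend on 127.0.0.1 while `transparent` is true points at the routing/iptables setup rather than at the TLS layer.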
