stunnel often hangs when transferring the last portion of the stream (probably because of openssl library error)
To reproduce this use the following:

1. Create test.cgi file
------------------------------------
#!/bin/sh
echo 'Content-type: text/html'
echo
echo 'MAIL SAVED'
exec /bin/cat >/dev/null
------------------------------------
Note the cgi must read data from stdin (like in POST method). This is what "exec /bin/cat >/dev/null" is for.

Then start stunnel:
   /usr/sbin/stunnel -f -D 7 -d 443 -r 80

Create two files t1 and t2 and use curl compiled with SSL:
   perl -e 'for(my $x=0;$x<128288;$x++){print " ";}' > /tmp/t1
then
   ./src/curl -3 -v -d @/tmp/t1 https://127.0.0.1/cgi-bin/test.cgi
hangs. Then do
   perl -e 'for(my $x=0;$x<1048576;$x++){print " ";}' > /tmp/t2
   ./src/curl -3 -d @/tmp/t2 https://127.0.0.1/cgi-bin/test.cgi
and it works. (Note that 1048576=2^20.) At the same time forcing curl to use SSL2 works OK.

Then access it from curl:
   ./src/curl -3 -v -d @/tmp/jjjXX https://127.0.0.1/cgi-bin/test.cgi
Also stunnel to stunnel works OK when compiled as default, but it DOES NOT work if you set different buffer sizes in client and server. To reproduce use:

1. Use standard stunnel (buffer 8192) as a server:
   /usr/sbin/stunnel -f -D 7 -p /usr/share/ssl/certs/stunnel.pem -d 443 -r 80

2. Make another copy, edit file ssl.c and put there
   /* I/O buffer size */
   #define BUFFSIZE 16413 /* 8192 */
then start stunnel:
   /my/special/anotherbuffersize/stunnel -f -D 7 -c -d 127.0.0.1:97 -r 127.0.0.1:443

3. Now access http://127.0.0.1:97/cgi-bin/test.cgi (note port is 97, as set in stunnel client):
   ./src/curl -3 -d @/tmp/t1 http://127.0.0.1:97/cgi-bin/test.cgi
or, better,
   strace ./src/curl -3 -d @/tmp/t1 http://127.0.0.1:97/cgi-bin/test.cgi

curl does not use any SSL any more, plain http access; it goes via the first stunnel (as a client) to the second (as a server) to plain http. And it hangs, exactly in the same way as curl via ssl. Even curl strace is similar.
Also note that forcing curl to SSL ver2
   ./src/curl -2 -v -d @/tmp/jjjXX https://127.0.0.1/cgi-bin/test.cgi
works OK without any hang.
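An added shell harness that automates the three cases from the reproduction above (t1 with -3, t2 with -3, t1 with -2) and classifies each as hang/ok/fail under a deadline, so a fixed build can be regression-checked the same way. It is not part of this report or of stunnel; it assumes stunnel is already listening on 127.0.0.1:443 in front of the web server that serves test.cgi, that curl is on PATH, and that GNU timeout is available.

```shell
#!/bin/sh
# Added regression harness for the hang described above; not part of the original
# report or of stunnel. Assumptions: stunnel listens on 127.0.0.1:443 in front of a
# web server that serves test.cgi, curl is on PATH, and GNU `timeout` is available.

# Write $2 bytes of spaces to $1 (same content the perl one-liners produce).
make_pad_file() {
    head -c "$2" /dev/zero | tr '\0' ' ' > "$1"
}

# Run a command under a deadline of $1 seconds. Prints "hang" if the deadline
# killed it (timeout exits 124), "ok" on exit status 0, "fail" otherwise.
probe() {
    deadline="$1"; shift
    rc=0
    timeout "$deadline" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo hang
    elif [ "$rc" -eq 0 ]; then
        echo ok
    else
        echo fail
    fi
}

# One POST through stunnel: $1 = curl protocol flag (-3 or -2, as in the report),
# $2 = body file, $3 = URL. 30 s is far beyond a normal transfer of these sizes,
# so reaching the deadline is treated as the hang.
post_via_stunnel() {
    probe 30 curl -s "$1" -d "@$2" "$3"
}

# The three cases from the report: t1 over -3 (hangs), t2 over -3 (works),
# t1 over -2 (works). A fixed stunnel (>= 3.9) should print "ok" for all three.
run_cases() {
    url="${1:-https://127.0.0.1/cgi-bin/test.cgi}"
    make_pad_file /tmp/t1 128288    # 128288 bytes: the size that hangs
    make_pad_file /tmp/t2 1048576   # 2^20 bytes: the size that works
    echo "t1 -3: $(post_via_stunnel -3 /tmp/t1 "$url")"
    echo "t2 -3: $(post_via_stunnel -3 /tmp/t2 "$url")"
    echo "t1 -2: $(post_via_stunnel -2 /tmp/t1 "$url")"
}

# Only talk to a live stunnel when explicitly asked: STUNNEL_PROBE=1 sh probe.sh [url]
if [ "${STUNNEL_PROBE:-0}" = 1 ]; then
    run_cases "$@"
fi
```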
It's fixed in stunnel versions >=3.9.
Also, the stunnel from updates stunnel-3.9-1 has a bug when started as
   /usr/sbin/stunnel -d 465 -r remote_host_ip:25
It prints
   Dec 20 14:38:16 localhost stunnel[20230]: stunnel 3.9 on i386-redhat-linux-gnu PTHREAD+LIBWRAP
   Dec 20 14:38:16 localhost stunnel[20231]: Cannot create pid file /var/stunnel/stunnel.209.10.98.90.25.pid
   Dec 20 14:38:16 localhost stunnel[20231]: Create: No such file or directory (2)
See, there is a string /var/stunnel in /usr/sbin/stunnel which is used in the path.
   rpm -q stunnel
   stunnel-3.9-1
   [root@localhost /root]# strings /usr/sbin/stunnel |grep /var/stunn
   /var/stunnel/
I am posting this to openssl because there is no stunnel in the packages list.
We're working on a stunnel-3.9-2 errata to fix this last bug, and another.
The errata package will be 3.10-2.