
I'm trying to set up a secure connection between one computer and another.

In my case, SSH doesn't seem a good solution, and VPN is worse in our case too.

To begin, I tested my configuration internally; it works fine.

So I moved the same configuration to our external server (sent over SSH), and now the packets are broken. PostgreSQL says: postgresql | LOG: invalid length of startup packet, and Apache gives a 400 error (Bad Request).

In both cases, we are running Debian 8.5.

Example output with stunnel and PostgreSQL:

2016.09.15 09:23:18 LOG5[10639]: stunnel 5.06 on x86_64-pc-linux-gnu platform
2016.09.15 09:23:18 LOG5[10639]: Compiled with OpenSSL 1.0.1k 8 Jan 2015
2016.09.15 09:23:18 LOG5[10639]: Running  with OpenSSL 1.0.1t  3 May 2016
2016.09.15 09:23:18 LOG5[10639]: Update OpenSSL shared libraries or rebuild stunnel
2016.09.15 09:23:18 LOG5[10639]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
2016.09.15 09:23:18 LOG5[10639]: Reading configuration from file /root/docker/stunnel/stunnel.conf
2016.09.15 09:23:18 LOG5[10639]: FIPS mode disabled
2016.09.15 09:23:18 LOG4[10639]: Insecure file permissions on /root/docker/stunnel/stunnel.pem
2016.09.15 09:23:18 LOG5[10639]: Configuration successful
2016.09.15 09:23:26 LOG5[10640]: Service [DB] accepted connection from xxx.xxx.xxx.xxx:42004
2016.09.15 09:23:26 LOG5[10640]: s_connect: connected 172.18.0.2:5432
2016.09.15 09:23:26 LOG5[10640]: Service [DB] connected remote server from 172.18.0.1:38565
postgresql    | LOG:  invalid length of startup packet
2016.09.15 09:23:26 LOG5[10640]: Read socket error: Broken pipe (32)
2016.09.15 09:23:26 LOG5[10640]: Connection reset: 0 byte(s) sent to SSL, 167 byte(s) sent to socket

This is my stunnel configuration:

client = no

protocol=proxy
fips=no
foreground=yes

sslVersion = all
options = NO_SSLV2

pid = /root/docker/stunnel/stunnel.pid
cert = /root/docker/stunnel/stunnel.pem

[DB]
accept = 0.0.0.0:8443
connect = 172.18.0.2:5432

And on my client:

pid = /var/run/stunnel.pid
cert = /etc/stunnel/stunnel.pem
client = yes
[bd]
accept = 5432
connect = xxx.xxx.xxx.xxx:8443

Have a good coding day!

Servuc

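An added illustration, not part of the asker's post: in a server-mode stunnel, `protocol = proxy` makes stunnel prepend an HAProxy PROXY protocol v1 line ("PROXY TCP4 src dst sport dport\r\n") to the decrypted stream it hands to the backend. A backend that expects the very first bytes to be a PostgreSQL startup packet or an HTTP request line will instead read that text, which is consistent with the two errors quoted above. The script below builds a PROXY header and a PostgreSQL v3 StartupMessage and runs the same two first-bytes checks the backends run (PostgreSQL's startup-packet length bound, the shape of an HTTP request line). The IP addresses, ports and connection parameters are constructed sample values; the constant name MAX_STARTUP_PACKET_LENGTH and its value are taken from the PostgreSQL source.

```python
import struct

# PostgreSQL's postmaster rejects a startup packet whose declared length,
# minus the 4-byte length field itself, is below 4 or above this bound with
# "invalid length of startup packet". Constant name as in PostgreSQL source.
MAX_STARTUP_PACKET_LENGTH = 10000

PG_PROTOCOL_V3 = 196608  # protocol major 3, minor 0, as a big-endian Int32


def proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """HAProxy PROXY protocol v1 line, as prepended to the backend stream
    by a server-mode stunnel configured with 'protocol = proxy'."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def pg_startup_message(params):
    """PostgreSQL v3 StartupMessage: Int32 total length (self-inclusive),
    Int32 protocol version, NUL-terminated key/value pairs, terminating NUL."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items())
    payload = struct.pack("!I", PG_PROTOCOL_V3) + body + b"\0"
    return struct.pack("!I", 4 + len(payload)) + payload


def check_pg_startup_length(data):
    """Mimic the postmaster's first check on a new connection.
    Returns (accepted, declared_length)."""
    if len(data) < 4:
        return False, None
    (declared,) = struct.unpack("!I", data[:4])
    remaining = declared - 4
    if remaining < 4 or remaining > MAX_STARTUP_PACKET_LENGTH:
        return False, declared  # -> "invalid length of startup packet"
    return True, declared


def check_http_request_line(data):
    """Coarse version of an HTTP server's first check: the initial line
    must be '<METHOD> <target> HTTP/<major>.<minor>'."""
    first_line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return False
    parts = first_line.split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/")


if __name__ == "__main__":
    # Constructed sample values: a client behind 203.0.113.10 reaching the
    # backend container at 172.18.0.2 through the stunnel service.
    header = proxy_v1_header("203.0.113.10", "172.18.0.2", 42004, 5432)
    startup = pg_startup_message({"user": "postgres", "database": "app"})

    print("plain startup packet:", check_pg_startup_length(startup))
    # The first four bytes are now b"PROX", read as a huge Int32 length.
    print("with PROXY header:   ", check_pg_startup_length(header + startup))

    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    print("plain HTTP request:  ", check_http_request_line(request))
    print("with PROXY header:   ", check_http_request_line(header + request))
```

Running the script shows the plain startup packet accepted with a declared length of 36 bytes and the PROXY-prefixed one rejected, because the backend interprets the ASCII bytes "PROX" as the length field; the HTTP case fails the same way because the PROXY line has six space-separated fields instead of three. The backend only ever sees the PROXY line when the receiving service understands that protocol (HAProxy, or a PostgreSQL or Apache instance explicitly configured for it), so the check to make when debugging is whether the service on the `connect =` side is one of those.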