Skip to content

Install stunnel4 from jessie-backports

Description

While debugging https://pad.riseup.net/p/8712 we found out that the jessie stunnel4 version (3:5.06-2+deb8u1) fails to work under certain circumstances. We tracked it down to:

  • It sometimes fail getting a list of UUIDs from a remote couch node (which is a recurring call made bu the couchrest gem)
  • It works in DC (i.e. dev.bitmask.net)
  • It fails in Amsterdam (cdev)
  • It fails querying a Amsterdam couchdb node from DC

What fails is this cmd, which tries to get 1000 UUIDs from a couchdb node (using the stunnel endpoint), and counting the bytes recieved:

curl -H 'Connection: close' -S -s --cert /etc/x509/certs/leap.crt --key /etc/x509/keys/leap.key -X GET https://giraffe.cdev.bitmask.net:15984/_uuids?count=1000

When the call succeeds, it should count 35012 bytes - but when it fails it fails with an error like this:

curl: (18) transfer closed with 196 bytes remaining to read

and it will count only part of these 35012 bytes.

We found out that this could get fixed reliably and reproducibly by upgrading stunnel to the jessie-backports version (3:5.30-1~bpo8+1). Downgrading to the jessie version again will reproduce the failure. Drebs will look into the changelog what happened between those versions and will comment on #8712 (closed).