Stunnel stops working and hangs indefinitely - SAML session invalid

In some environments the stunnel service randomly stops working.

Impact:
Users have to log in again at seemingly random times, even though their SAML session should still be valid.
The SAML sessions are not synchronised between the Backup Nodes and Primary Node any more due to the hanging stunnel.

Because the problem could not be reproduced, we decided to take the following steps:

  • With erratum 876 for UCS 4.4-7 a new version of the stunnel package is available (5.50, previously 5.39).
  • With erratum 877 for UCS 4.4-7 a new watchdog service for stunnel has been added. This watchdog checks the stunnel service for reachability. If stunnel does not answer after 5s, the service will be restarted. This watchdog is disabled by default; it can be activated, and its status checked, with:
    ucr set ucs/server/sso/stunnel4/watchdog/active=true
    service univention-stunnel4-watchdog status
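
A hanging stunnel can still accept TCP connections while never answering them, so a reachability check has to wait for a reply and give up after a timeout. The sketch below is an added example, not Univention's watchdog code: it shows one way to tell a hung TLS listener from a stopped one. The function names, the result labels and the host/port arguments are assumptions, since the page does not state which port stunnel listens on.

```python
import socket
import ssl


def probe_tls_listener(host, port, timeout=5.0):
    """Classify a TLS listener (e.g. stunnel) as 'up', 'hung' or 'down'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"  # refused, unreachable, or connect itself timed out

    # Liveness probe only: no data is sent, so the certificate is not checked.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with sock:
            sock.settimeout(timeout)
            with ctx.wrap_socket(sock):  # the TLS handshake happens here
                return "up"
    except socket.timeout:
        return "hung"  # TCP accepted, but no handshake reply in time
    except ssl.SSLError:
        return "up"    # the process answered, even if it rejected us
    except OSError:
        return "down"  # connection reset during the handshake


def demo_silent_listener(timeout=0.5):
    """Constructed test case: a socket that listens but never answers."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # kernel completes the TCP handshake; nobody calls accept()
    try:
        return probe_tls_listener("127.0.0.1", srv.getsockname()[1], timeout)
    finally:
        srv.close()


if __name__ == "__main__":
    # A watchdog would restart the service when the state is not "up".
    print("silent listener:", demo_silent_listener())
```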