<div dir="ltr">Anyways I don't know what to say. But adding dnscache as dependency didn't do anything either. Same issue: service on bootup shows as started but no logs. Restarting it through Service Control Manager works.<div><br></div><div>Automatic (Delayed Start) at least for me works fine. I'll continue working with that for now...</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 23 September 2014 14:27, John Smith <span dir="ltr"><<a href="mailto:java.dev.mtl@gmail.com" target="_blank">java.dev.mtl@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Ok when I have a chance I will try dnscache</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 23 September 2014 14:05, Pierre DELAAGE <span dir="ltr"><<a href="mailto:delaage.pierre@free.fr" target="_blank">delaage.pierre@free.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Sorry to tell but...<br>
<br>
On a windows 7 home machine, with a HOSTNAME in the stunnel conf, NO
DELAY at service startup :<br>
I can start the service, then reboot, <br>
then, at first, my log file is saying ": Error resolving 'HOSTNAME
': Neither nodename nor servname known (EAI_NONAME)"<br>
and later, when I try to use the tunnel (and at that time dns is
working), resolving is working...<br>
<br>
and everything is OK so....<br>
<br>
Even if dns is NOT available at startup, stunnel 504 is able to
resolve "later" the remote server hostname.<br>
<br>
<br>
<br>
2014.09.23 19:23:17 LOG7[2612]: No limit detected for the number of
clients<br>
2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on x86-pc-msvc-1500
platform<br>
2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL
1.0.1i-fips 6 Aug 2014<br>
2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32 Sockets:SELECT,IPv6
SSL:ENGINE,OCSP,FIPS<br>
2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())<br>
2014.09.23 19:23:17 LOG5[2612]: Reading configuration from file
stunnel.conf<br>
2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled<br>
2014.09.23 19:23:17 LOG7[2612]: Compression disabled<br>
2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from C:/.rnd<br>
2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to
C:/.rnd<br>
2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully<br>
2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]<br>
<br>
2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ': Neither
nodename nor servname known (EAI_NONAME)<br>
<br>
2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target -
delaying DNS lookup<i> (COMMENT : stunnel is a good fellow !)</i><br>
<br>
2014.09.23 19:23:17 LOG6[2612]: Loading cert from file:
C:\Users\standard\Documents\Perso\SSL\johndoe.crt<br>
2014.09.23 19:23:18 LOG6[2612]: Loading key from file:
C:\Users\standard\Documents\Perso\SSL\johndoe.uky<br>
2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded<br>
2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004<br>
2014.09.23 19:23:18 LOG5[2612]: Configuration successful<br>
2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound to
<a href="http://127.0.0.1:81" target="_blank">127.0.0.1:81</a><br>
2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted (FD=208)
from <a href="http://127.0.0.1:49164" target="_blank">127.0.0.1:49164</a><br>
2014.09.23 19:24:32 LOG7[2612]: Creating a new thread<br>
2014.09.23 19:24:32 LOG7[2612]: New thread created<br>
2014.09.23 19:24:32 LOG7[588]: Service [https] started<br>
2014.09.23 19:24:32 LOG5[588]: Service [https] accepted connection
from <a href="http://127.0.0.1:49164" target="_blank">127.0.0.1:49164</a><br>
2014.09.23 19:24:32 LOG6[588]: s_connect: connecting
XXX.YYY.UUU.III:443<br>
2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait
XXX.YYY.UUU.III:443: waiting 10 seconds<br>
2014.09.23 19:24:32 LOG5[588]: s_connect: connected
XXX.YYY.UUU.III:443<br>
2014.09.23 19:24:32 LOG5[588]: Service [https] connected remote
server from <a href="http://192.168.3.220:49165" target="_blank">192.168.3.220:49165</a><br>
2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized<br>
2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): before/connect
initialization<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3 write
client hello A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
server hello A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
server certificate A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
server certificate request A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
server done A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write
client certificate A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write
client key exchange A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write
certificate verify A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write
change cipher spec A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write
finished A<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 flush data<br>
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
finished A<br>
<br>
So I am sorry to say that I cannot reproduce that bug.<br>
<br>
Anyway there are many services, on a heavy loaded machine, that can
slow down the service startup or interfere with file management :<br>
<br>
Antivirus ? try to deactivate it.<br>
Firewall : the same...<br>
any other piece of software that is not absolutely necessary at boot
time.<br>
<br>
Plus : Even if you don't use hostnames in conf file I suggest that
you try "dnscache" dependency anyway: <br>
because you probably have hostnames in your certificates.<br>
<br>
Regards<br>
Pierre<br>
<br>
<br>
<br>
<div>On 23/09/2014 18:05, John Smith wrote:<br>
</div><div><div>
<blockquote type="cite">
<div dir="ltr">Network: Ethernet
<div>Multiple routers: No<br>
Firewall: No</div>
<div>Delay: Yes, Automatic (Delayed Start) works like a charm.</div>
<div>Capi engine: Yes tried turning it off<br>
32 bit or 64 bit: 32bit running on 64 bit server. I don't see
a 64 bit version on the download page?</div>
<div>dnscache: Haven't tried it yet.</div>
<div><br>
<br>
- stunnel works fine on the server specifically with the
service set to Automatic (Delayed Start). And I even tunnel
properly to other machines so it's not firewalls or routers or
network.<br>
- Only when it's NOT (Delayed Start) stunnel does not seem to
start even though the service shows as started.</div>
<div>- I managed to tunnel from my Desktop to the Server. I have
not tried automatic service startup on Desktop because I don't
have enough privileges. But trying to set up the server, since
that's the machine that will have stunnel in production.<br>
<br>
<br>
<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 23 September 2014 10:04, Pierre
DELAAGE <span dir="ltr"><<a href="mailto:delaage.pierre@free.fr" target="_blank">delaage.pierre@free.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Have you tried to
change the service dependency from "TCPIP" (the default in
the code), to "dnscache" (ok, EVEN if you do not use
hostname resolution),<br>
this is just to be sure that stunnel relies on something
that is using tcpip as well.<br>
<br>
question : what kind of network interface do you have :<br>
<br>
wifi ?<br>
ethernet board ?<br>
<br>
Are you traversing multiple routers ?<br>
<br>
Are you using multiple firewalls ?<br>
<br>
Have you tuned a delay as suggested a few days ago ?<br>
<br>
Can you try without specifying "capi engine" ?<br>
<br>
Are you using stunnel 32 bits or 64 bits : if 64, try the
32 version as well.<br>
<br>
I am reviewing the code and soon enter some test on
w7-32bits.<br>
<br>
Regards<br>
Pierre<br>
<br>
<br>
<br>
<div>On 23/09/2014 15:30, John Smith wrote:<br>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">I wish you were right but
unfortunately it's running lol</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 22 September 2014
18:24, Pierre DELAAGE <span dir="ltr"><<a href="mailto:delaage.pierre@free.fr" target="_blank">delaage.pierre@free.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> When
you observe that log is empty and that
"stunnel shows as started",<br>
do a CTRL ALT DEL to check if there is any
process called "stunnel" that is really
running...<br>
<br>
I have a doubt that, although scm says
stunnel is running, in fact it is not.<br>
<br>
Regards<br>
Pierre<br>
<br>
<div>On 22/09/2014 21:43, John Smith wrote:<br>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Hi I used administrator
account and defaults to install. It
is installed at Program Files (x86)
<div><br>
</div>
<div>The service is set to run as
local system account and interact
with desktop is checked.</div>
<div><br>
</div>
<div>Once the machine is booted...
Login open service control panel,
stunnel shows as started. Go look
at logs nothing there... In
service control panel hit the
restart button. And it comes up
properly.</div>
<div><br>
</div>
<div>My config is as follows:</div>
<div><br>
</div>
<div>
<div>; Debugging stuff (may useful
for troubleshooting)</div>
<div>;debug = 7</div>
<div>output = stunnel.log</div>
<div><br>
</div>
<div>; Initialize Microsoft
CryptoAPI interface</div>
<div>engine = capi</div>
<div>; Also needs "engineID =
capi" in each section using the
CAPI engine</div>
<div><br>
</div>
<div>[es-tcp]</div>
<div>accept = ${SERVER_IP}:9300</div>
<div>connect = <a href="http://127.0.0.1:9300" target="_blank">127.0.0.1:9300</a></div>
<div>cert = ....</div>
<div>CAfile = ....</div>
<div>verify = 2</div>
<div><br>
</div>
<div>[es-http]</div>
<div>accept = ${SERVER_IP}:9200</div>
<div>connect = <a href="http://127.0.0.1:9200" target="_blank">127.0.0.1:9200</a></div>
<div>cert = ....</div>
<div>CAfile = ....</div>
<div>verify = 2</div>
<div><br>
</div>
<div>[es-disc-local]</div>
<div>client = yes</div>
<div>accept = <a href="http://127.0.0.1:9700" target="_blank">127.0.0.1:9700</a></div>
<div>connect = ${SERVER_IP}:9300</div>
<div>cert = ....</div>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 22
September 2014 14:30, Pierre
DELAAGE <span dir="ltr"><<a href="mailto:delaage.pierre@free.fr" target="_blank">delaage.pierre@free.fr</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hello,<br>
I can tell my patch was
addressing read file error on
conf file, <br>
but, unfortunately, not at all
"dependencies of stunnel
service at start up",<br>
which is likely to be the core
pb preventing stunnel to start
correctly at boot time for
people on that thread.<br>
<br>
Michal added explicit
dependencies at startup, that
is necessary to solve that
bug. I did not check yet its
implementation.<br>
<br>
But maybe some services,
although started, are still
"not ready" when stunnel
starts, so that this makes
stunnel fail.<br>
<br>
I suggest that stunnel checks,
not only the availability, but
also the "efficiency" of the
DNS service by trying to
resolve a well known server.<br>
it should retry during, eg, 3
seconds, and then stops with
some reports if failing to
resolve the hostname,<br>
either by lack of network, or
by lack of answer from the
name resolver.<br>
But...it seems that when
having problems at startup, it
cannot even log
anything....maybe this is due
to the identity of "system
user" of stunnel at that
particular moment: user that
may have no right to write on
the HD.<br>
<br>
People should check also the
installation location of
stunnel : it is supposed (and
have predefined shortcuts for
that) to be installed
PREFERABLY in "c:\program
files\stunnel".<br>
I recommend to use that
location.<br>
<br>
They also should try to
resolve by hand the hostnames
they put in their stunnel conf
file, just to be sure.<br>
<br>
On some network or machines,
maybe there is a problem with
the firewall and SOME services
tunneled by stunnel on
forbidden ports.<br>
<br>
On another hand, it sounds
strange that just restarting
stunnel (in user mode or
service mode ?) is solving the
problem :<br>
this sounds like
unavailability of DNS at
startup.<br>
<br>
I did not investigate that
particular problem, but I will
perform some tests soon with
the last 504 (or 505).<br>
<br>
Yours sincerely<br>
Pierre<br>
<br>
<br>
<br>
<div>On 22/09/2014 19:20, <a href="mailto:541401@gmail.com" target="_blank">541401@gmail.com</a>
wrote:<br>
</div>
<div>
<div>
<blockquote type="cite">
Using Stunnel on several
Windows Server 2008 R2
SP1 machines (all such
machines are X64 as the
OS is only released as
X64).<br>
<br>
During August of 2014 I
reported in this forum
the current version of
Stunnel would not
function as a service
under the above OS, even
if using a delayed
start, it might run but
it would not work. I
reverted to using
version 4.35, which did
work properly.<br>
<br>
Pierre Delaage was kind
enough to provide me
with a copy of his
patched Stunnel 5.02,
which I am still using
and which is working
flawlessly on my
production servers. No
delayed start required.<br>
<br>
I am wondering if
Pierre's 5.02 patch has
been incorporated into
the most recently
released Stunnel, 5.04?
Has anyone been
successful in getting
the most current version
to actually work under
the above environment
without delaying the
start of the service?<br>
<br>
Just to add a little
color and background to
the story, I am using
the native WS2008R2SP1
SMTP server on each
machine, in conjunction
with Stunnel, so as to
forward OS event
notifications through a
gmail account.<br>
<br>
<br>
<br>
<div>On 09.22.2014
06:54, John Smith
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I tried
5.04. on Windows
Server 2008 R2
Enterprise Service
Pack 1 x64
<div><br>
</div>
<div><br>
</div>
<div>Same issue.
Service shows as
started, but no
log. If I go
manual restart it
works.<br>
<br>
Have to put
delayed startup.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
18 September 2014
16:15, John Smith
<span dir="ltr"><<a href="mailto:java.dev.mtl@gmail.com" target="_blank">java.dev.mtl@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">For
now I'm happy
with 5.03
Already in
production so
I will have to
wait next
time! :)</div>
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
17 September
2014 17:10,
Michal
Trojnara <span dir="ltr"><<a href="mailto:Michal.Trojnara@mirt.net" target="_blank">Michal.Trojnara@mirt.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<span><br>
Jose Alf.
wrote:<br>
> Regarding
stunnel
service
dependencies,
If you read
the 5.04 beta<br>
>
announcement,
the dependency
is created
automatically
now when you<br>
> install
stunnel as a
service.
Please give it
a try. Looks
like it<br>
> works for
me.<br>
><br>
> Thanks to
Mike for
implementing
that.<br>
<br>
</span>Thank
you for
testing it.<br>
<br>
Best regards,<br>
Mike<br>
<div>
<div>_______________________________________________<br>
stunnel-users
mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
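<div>The checks suggested in this thread (is a process really running behind the SCM "started" state, has anything reached the log since boot, which start type and dependencies are configured), collected into one read-only PowerShell script. This is an added example, not part of the original messages or of stunnel itself; the service name <code>stunnel</code>, the log path and PowerShell 3.0 or later are assumptions.</div>

```powershell
# Added example: read-only boot-time health check for the stunnel service.
# Assumptions: service name 'stunnel' and the log path below; adjust both.
param(
    [string]$ServiceName = 'stunnel',                                    # assumed service name
    [string]$LogPath     = 'C:\Program Files (x86)\stunnel\stunnel.log'  # assumed log location
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# 1. Does the SCM "Running" state correspond to a live process?
$proc = if ($svc.ProcessId) { Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue }

# 2. Start type, delayed-start flag and dependencies as stored in the registry.
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$reg     = Get-ItemProperty -Path $key
$delayed = [bool]$reg.DelayedAutostart      # value absent -> $false
$deps    = @($reg.DependOnService)          # REG_MULTI_SZ, may be empty

# 3. Has anything been written to the log since the last boot?
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$log  = Get-Item -LiteralPath $LogPath -ErrorAction SilentlyContinue
$loggedSinceBoot = [bool]($log -and $log.Length -gt 0 -and $log.LastWriteTime -gt $boot)

[pscustomobject]@{
    ScmState        = $svc.State
    ProcessAlive    = [bool]$proc
    StartMode       = $svc.StartMode
    DelayedStart    = $delayed
    DependsOn       = ($deps -join ',')
    LoggedSinceBoot = $loggedSinceBoot
    # The symptom reported in the thread: SCM says running, log stays empty.
    Suspect         = ($svc.State -eq 'Running' -and -not $loggedSinceBoot)
}

# The two workarounds discussed in the thread, to be run elevated:
#   sc.exe config <service> depend= Tcpip/Dnscache
#   sc.exe config <service> start= delayed-auto
```

<div>Run it right after a reboot, before restarting the service by hand, so the log timestamp still reflects what happened at boot.</div>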