Hi All-
I am using stunnel to secure a connection between a local python
script using telnetlib and a custom sockets-based server requiring
SSL, from local port 4449 to remote port 4449. This is done via:
stunnel /opt/www/domains/admin.showcasere.com/showcase/classes/opensrs-php/stunnel-app.conf
where the conf file is:
> client = yes
> pid = /opt/www/domains/admin.showcasere.com/runtime/stunnel.pid
> debug = 7
> [telnet]
> accept = 4449
> connect = admin.hostedemail.com:4449
Functionally, everything works for my application, but I am
experiencing a bad side-effect.
stunnel is ALSO setting up listeners on HTTP and HTTPS ports, and
when my daily logrotate scripts run and HUP apache, stunnel steals
the web server's ports and the server won't come back up! I had 7
hours of downtime today because of this.
I've done a bunch of debugging and can't figure out what's going on.
I have only one guess: stunnel automatically listens on any ports
that the process calling stunnel is listening on, in some sort of
attempt to seamlessly add SSL to existing daemons. I can't find any
docs or tell from the source code, but it's the only idea I can't
rule out...
Here is the debug log of the startup of stunnel (which is run from an
apache/php script):
Jan 11 13:10:13 bigwoody stunnel: LOG5[13964:3086333632]: stunnel 4.14 on i386-redhat-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: RAND_status claims sufficient entropy for the PRNG
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: PRNG seeded successfully
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: file ulimit = 1024 (can be changed with 'ulimit -n')
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: poll() used - no FD_SETSIZE limit for file descriptors
Jan 11 13:10:13 bigwoody stunnel: LOG5[13964:3086333632]: 500 clients allowed
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 31 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 32 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 33 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: SO_REUSEADDR option set on accept socket
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: telnet bound to 0.0.0.0:4449
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: Created pid file /opt/www/domains/admin.showcasere.com/runtime/stunnel.pid
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: telnet accepted FD=34 from 127.0.0.1:48335
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet started
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 34 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 35 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 36 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: Cleaning up the signal pipe
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086333632]: Child process 13967 finished with code 0
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Connection from 127.0.0.1:48335 permitted by libwrap
Jan 11 13:10:13 bigwoody stunnel: LOG5[13965:3086330784]: telnet connected from 127.0.0.1:48335
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 35 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet connecting 216.40.42.6:4449
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: connect_wait: waiting 10 seconds
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: connect_wait: connected
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Remote FD=35 initialized
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): before/connect initialization
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write client hello A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read server hello A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read server certificate A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read server done A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write client key exchange A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write change cipher spec A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write finished A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 flush data
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read finished A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 1 items in the session cache
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 1 client connects (SSL_connect())
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 1 client connects that finished
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 client renegotiatations requested
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 server connects (SSL_accept())
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 server connects that finished
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 server renegotiatiations requested
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 session cache hits
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 session cache misses
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 session cache timeouts
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086330784]: SSL connected: new session negotiated
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086330784]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4 (128) Mac=MD5
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL socket closed on SSL_read
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Socket write shutdown
Jan 11 13:10:13 bigwoody stunnel: LOG5[13965:3086330784]: Connection closed: 91 bytes sent to SSL, 73 bytes sent to socket
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet finished (0 left)
And then, you can see what stunnel is listening on:
[root@bigwoody custom_img]# lsof -i | grep stunnel
stunnel 13965 apache 4u IPv4 156503478 TCP static-216.114.79.43.primarynetwork.com:http (LISTEN)
stunnel 13965 apache 5u IPv4 156503480 TCP static-216.114.79.43.primarynetwork.com:https (LISTEN)
stunnel 13965 apache 30u IPv4 156771437 TCP localhost.localdomain:51333->localhost.localdomain:9676 (ESTABLISHED)
stunnel 13965 apache 33u IPv4 156846546 TCP *:privatewire (LISTEN)
If I start up stunnel from the command line as "root" or another user
even, it only listens on the port listed in the conf file.
Does anyone have any idea what's going on here? How can I turn off
this behavior?
Thanks!
Alan
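Editor's note on the lsof output above: stunnel holds the http and https listeners on descriptors 4 and 5, far below its own telnet listener on descriptor 33, and stunnel only misbehaves when launched from the Apache/PHP process. One mechanism with exactly that signature, whether or not it is the cause here, is descriptor inheritance: a process spawned by a daemon keeps every listening socket the parent did not mark close-on-exec, and it keeps the port busy after the parent releases it on a HUP. The script below is an added example, not code from the original post or from stunnel; the CHILD_PROGRAM one-liner, the ephemeral localhost port and the `inheritable` switch are constructed for the demonstration.

```python
"""Added example: a child that inherits a listening socket keeps the port."""
import os
import socket
import subprocess
import sys
import time

# Constructed stand-in for the spawned helper: hold inherited fds and sleep.
CHILD_PROGRAM = "import time; time.sleep(30)"


def spawn_holder(inheritable):
    """Listen on an ephemeral localhost port (the 'web server' port), spawn
    a child, then close the parent's copy as a daemon does on restart."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    # Python sets close-on-exec by default; clearing it reproduces a daemon
    # that leaks its listeners into every process it spawns.
    os.set_inheritable(srv.fileno(), inheritable)
    child = subprocess.Popen([sys.executable, "-c", CHILD_PROGRAM], close_fds=False)
    srv.close()  # the parent has given the port up...
    return port, child


def port_can_be_rebound(port):
    """True if a fresh listener can bind the port. SO_REUSEADDR does not
    help while another socket is still in LISTEN state on it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        probe.bind(("127.0.0.1", port))
        probe.listen(5)
        return True
    except OSError:
        return False
    finally:
        probe.close()


def restart_succeeds(inheritable):
    """...but can a restarted server retake it while the child lives?"""
    port, child = spawn_holder(inheritable)
    try:
        time.sleep(0.2)  # child already held the fd at fork; let exec settle
        return port_can_be_rebound(port)
    finally:
        child.kill()
        child.wait()
```

`restart_succeeds(True)` returns False (the leaked listener blocks the rebind, which is the outage pattern described in the post) and `restart_succeeds(False)` returns True. The fix belongs on the spawning side: mark listeners close-on-exec or close them in the child before exec, so helpers never hold the daemon's ports.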