Hello,
Can anyone enlighten me on the following:
I have installed stunnel on my Mac (OS X Lion) and it all runs just fine. When I put this on another machine (OS X Mountain Lion) stunnel refuses to start. I include the output and the stunnel.conf file below. We have some experience of stunnel, as we have been using it in both client and server mode on Windows and RedHat for years, but none of my colleagues can give me much help here. It looks to me like, although stunnel is reporting that it is starting with the correct stunnel.conf file, it is actually using something else, as:
1) no stunnel.log file is created;
2) after successfully seeding the PRNG it seems to be initializing inetd mode and starting as a service, when this should be starting in client mode.
(The only way I can get it to do something similar on the machine that works is to remove all the service definitions and put in a line service = SERVICE, when it blows up, but with a slightly different error about needing an end/connection point (not sure of the exact error), and then it fails. Even so, in this case it will still create an output log in the correct place.)
My thoughts are that it might be something to do with the installation process of stunnel that hasn't been followed properly or some kind of permissions issue.
Apologies if I am being dim but I am at a bit of a loss to explain what is going on here. I do not have direct access to the second machine and am trying to support it over the phone.
Thanks for any help.
Matthew
==========================================================================
Here is the output:
==========================================================================

Last login: Fri Jan 31 10:44:30 on ttys000
Administrator:~ admin$ cd stunnel
Administrator:stunnel admin$ stunnel /Users/admin/stunnel/stunnel.conf
Clients allowed=125
stunnel 4.56 on x86_64-apple-darwin11.4.2 platform
Compiled with OpenSSL 0.9.8r 8 Feb 2011
Running with OpenSSL 0.9.8y 5 Feb 2013
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD Sockets:SELECT,IPv6 SSL:ENGINE,OCSP Auth:LIBWRAP
Reading configuration from file /Users/admin/stunnel/stunnel.conf
Compression not enabled
Snagged 64 random bytes from /Users/admin/.rnd
Wrote 1024 new random bytes to /Users/admin/.rnd
PRNG seeded successfully
Initializing inetd mode configuration
Service [stunnel]: SSL server needs a certificate
str_stats: 2 block(s), 45 data byte(s), 116 control byte(s)
Administrator:stunnel admin$
==========================================================================
And here is the stunnel.conf file:
==========================================================================

; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may useful for troubleshooting)
debug = 7
;output = stunnel.log

; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no

client=yes
sslVersion=SSLv3
output=/Users/admin/stunnel/stunnel.log
pid=/Users/admin/stunnel/stunnel.pid

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = rwa2012.clientkeycert.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
;verify = 0
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
CAfile = /Users/admin/stunnel/ca.crt
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

[Gounder]
cert = /Users/admin/stunnel/gounder20141401011000.pem
accept=8128
connect=311.219.292.173:9876

[Gounder IJ]
cert = /Users/admin/stunnel/gounder20141401011000.pem
accept=9128
connect=311.219.292.173:9875
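The symptom in the post (stunnel says it read the file, then reports "Initializing inetd mode configuration" and a server-mode service called [stunnel]) is what stunnel does when it finds no [service] section at all, and the global client=yes evidently did not take effect either. A quick offline parse of the file that is actually on the remote machine tells you whether stunnel could have seen any sections or options in it. The script below is an added example, not code from the post or from the stunnel project; it parses the ini-style layout stunnel uses (global options before the first [section], one key = value per line, ';' or '#' comments), reports conditions that match the errors quoted above (no sections, a server-mode service without cert=, accept= without a connect= target), and flags the security-relevant misconfiguration of verify without a CAfile/CApath trust anchor. The sample configs are constructed and use an RFC 5737 documentation address; the line-ending and BOM checks are assumptions about things worth ruling out when a file is copied between platforms, not a diagnosis the post establishes.

```python
"""Offline sanity check for a stunnel.conf (added example; not stunnel's own code)."""
import os
import re
import sys

# Constructed sample in the shape of the config from the post.
SAMPLE_OK = b"""\
; global options
client=yes
output=/tmp/stunnel.log
verify = 2
CAfile = /tmp/ca.crt

[Gounder]
cert = /tmp/gounder.pem
accept=8128
connect=192.0.2.10:9876
"""

# Constructed failure case: the same global options with no service section.
SAMPLE_NO_SECTIONS = SAMPLE_OK.split(b"[Gounder]")[0]


def detect_line_endings(raw: bytes) -> str:
    if b"\r\n" in raw:
        return "CRLF"
    if b"\r" in raw:
        return "CR"
    return "LF"


def parse_stunnel_conf(text: str):
    """Return (global_opts, sections); sections is a list of (name, opts).
    Every value is kept in a list because some keys (options=) may repeat."""
    glob, sections = {}, []
    current = glob
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", stripped)
        if m:
            current = {}
            sections.append((m.group(1).strip(), current))
            continue
        if "=" not in stripped:
            raise ValueError(f"line {lineno}: expected key = value, got {stripped!r}")
        key, value = (part.strip() for part in stripped.split("=", 1))
        current.setdefault(key, []).append(value)
    return glob, sections


def diagnose(raw: bytes, exists=os.path.exists):
    """Return human-readable findings for the raw bytes of a stunnel.conf."""
    findings = []
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("file starts with a UTF-8 BOM; the first key will not parse cleanly")
    ending = detect_line_endings(raw)
    if ending != "LF":
        findings.append(f"file uses {ending} line endings; convert to LF before use on OS X")
    glob, sections = parse_stunnel_conf(raw.decode("utf-8", errors="replace"))

    if not sections:
        findings.append("no [service] section found: stunnel falls back to inetd mode")
    # verify above 0 with nothing to verify against is a silent MITM-protection gap
    if glob.get("verify", ["0"])[-1] != "0" and not ({"CAfile", "CApath"} & glob.keys()):
        findings.append("verify is set but neither CAfile nor CApath is given: no trust anchor")
    for name, opts in sections:
        merged = {**glob, **opts}  # per-service keys override global defaults
        is_client = merged.get("client", ["no"])[-1].lower() == "yes"
        if not is_client and "cert" not in merged:
            findings.append(f"[{name}]: server mode without cert=, stunnel will refuse to start")
        if "accept" in opts and not ({"connect", "exec"} & merged.keys()):
            findings.append(f"[{name}]: accept= without connect= or exec=, no forwarding target")
    for key in ("cert", "key", "CAfile", "CRLfile"):
        values = glob.get(key, []) + [v for _, o in sections for v in o.get(key, [])]
        for value in values:
            if not exists(value):
                findings.append(f"{key}={value} does not exist on this machine")
    for key in ("output", "pid"):
        for value in glob.get(key, []):
            if not exists(os.path.dirname(value) or "."):
                findings.append(f"{key}={value}: directory is missing, nothing can be written there")
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "stunnel.conf"
    with open(path, "rb") as fh:
        for finding in diagnose(fh.read()) or ["no problems found"]:
            print(finding)
```

Run it as `python3 check_stunnel_conf.py /Users/admin/stunnel/stunnel.conf` on the failing machine; if it reports no sections or odd line endings, the file stunnel is reading is not the one you think it is, and if it reports missing paths you have the permissions/installation problem suspected in the post. The `exists` parameter is there so the constructed samples can be checked without the referenced files being present.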