Hi Tom,
I'm not sure why the stunnel process dies for you. I have several processes running using config files similar to what I included earlier. We generally create one config file per service. So if I were to run a TSSL service like you then I'd have a config file called /etc/stunnel/stunnel_tssl.conf ... and the service is started from /etc/inittab with a line like this:
stunnel_tssl:2:once:/usr/local/bin/stunnel /etc/stunnel/stunnel_tssl.conf >/dev/console
I haven't experienced any problems with the stunnel process not staying alive... And the process I started early this morning on my test box is still alive:
clund@prod-db-2:/home/clund $ ps -ef|grep stunnel
nobody 1233036 1 0 08:15:28 - 0:00 /usr/local/bin/stunnel /etc/stunnel/stunnel_tssl.conf
-Claus
____________________________________________
Claus Lund
Systems Developer
Vermont Department of Taxes
Information Systems
133 State Street
Montpelier, Vermont 05633-1401
(802) 828-3735
-----Original Message-----
From: Spence, Thomas Civ 844 CS/SCBX [mailto:Thomas.Spence@pentagon.af.mil]
Sent: Thursday, January 22, 2009 10:26 AM
To: Lund, Claus; stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Claus,
After I type:
# stunnel
# ps -ef | grep stunnel
stunnel 295006 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 348182 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 454872 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 458864 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 589834 1 0 09:49:38 - 0:00 /usr/local/bin/stunnel
stunnel 634882 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
root 643180 463028 0 09:49:40 pts/2 0:00 grep stunnel
About 10 minutes later,
# ps -ef | grep stunnel
root 381102 463028 0 10:03:59 pts/2 0:00 grep stunnel
Any idea why? Must have 'socket' in stunnel.conf? I took it off because I want it to run for 24 hours/7 days...
Tom
-----Original Message-----
From: Lund, Claus [mailto:Claus.Lund@state.vt.us]
Sent: Thursday, January 22, 2009 8:21 AM
To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
If you're allowed to have the telnetd daemon available through inetd then you can just use "connect = localhost:23" instead of "exec = /usr/sbin/telnetd". That should work. A config file like this works on my end when telnetd is available through inetd:
cert = /etc/stunnel/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel_telnet.pid
;debug = 7
output = /tmp/stunnel.log

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;compression = zlib

[tssl]
accept = 7443
connect = localhost:23
-Claus
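The thread turns on two properties of a stunnel 4.x config: whether a [service] reaches its backend with "connect" (daemon managed by inetd) or "exec" (stunnel spawns it), and whether the global section drops privileges with chroot/setuid/setgid as in the config above. The following POSIX sh check is an added example written for this page, not code from the thread or the stunnel project; the two sample config files it writes are constructed from the configs quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a stunnel 4.x config of the kind
# quoted above. Reports each [service] as connect (backend via inetd) or
# exec (stunnel spawns the program) and whether the global section drops
# privileges (chroot, setuid, setgid). Sample configs below are constructed.

# Print "<service> <connect|exec|none>" for every [service] section.
stunnel_service_modes() {
    awk '/^[ \t]*;/ { next }
         /^[ \t]*\[/ { if (sec != "") print sec, mode
                       sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                       mode = "none"; next }
         /^[ \t]*connect[ \t]*=/ { mode = "connect" }
         /^[ \t]*exec[ \t]*=/    { mode = "exec" }
         END { if (sec != "") print sec, mode }' "$1"
}

# Return 0 if chroot, setuid and setgid all appear before the first
# [service]; otherwise name the missing ones on stderr and return 1.
stunnel_privdrop_ok() {
    missing=$(awk '/^[ \t]*;/ { next }
                   /^[ \t]*\[/ { exit }
                   /^[ \t]*chroot[ \t]*=/ { c = 1 }
                   /^[ \t]*setuid[ \t]*=/ { u = 1 }
                   /^[ \t]*setgid[ \t]*=/ { g = 1 }
                   END { if (!c) printf "chroot "
                         if (!u) printf "setuid "
                         if (!g) printf "setgid " }' "$1")
    [ -z "$missing" ] && return 0
    echo "missing privilege-drop directives: $missing" >&2
    return 1
}

# Constructed samples: a hardened connect-style config and a bare exec-style one.
HARDENED=$(mktemp); BARE=$(mktemp)
trap 'rm -f "$HARDENED" "$BARE"' EXIT
printf '%s\n' 'cert = /etc/stunnel/stunnel.pem' 'chroot = /usr/local/var/lib/stunnel/' \
    'setuid = nobody' 'setgid = nogroup' '; PID is created inside chroot jail' \
    'pid = /stunnel_telnet.pid' '[tssl]' 'accept = 7443' 'connect = localhost:23' >"$HARDENED"
printf '%s\n' 'cert = /usr/local/ssl/private/stunnel.pem' 'output = stunnel.log' \
    '[tssl]' 'accept = 992' 'exec = /usr/sbin/telnetd' >"$BARE"

for f in "$HARDENED" "$BARE"; do
    echo "== $f"
    stunnel_service_modes "$f"
    stunnel_privdrop_ok "$f" && echo "privilege drop: ok"
done
```

Point either function at a real config file (the path is the only argument) to see which services still rely on exec and whether the daemon would run unconfined.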
-----Original Message-----
From: Spence, Thomas Civ 844 CS/SCBX [mailto:Thomas.Spence@pentagon.af.mil]
Sent: Thursday, January 22, 2009 8:13 AM
To: Lund, Claus; stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Claus,
Exactly, you and I use the same method. Right now, I have been using stunnel 3.24 for years and have had no problem with it. Yes, I do have telnetd enabled through inetd like this:
telnet stream tcp6 nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a
We are using tcp-wrappers which is required.
Hope it helps...
Tom
-----Original Message-----
From: Lund, Claus [mailto:Claus.Lund@state.vt.us]
Sent: Thursday, January 22, 2009 8:00 AM
To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
We use stunnel a lot (including on AIX). And I know that way back when, I was doing some testing with a similar setup and was never successful getting the "exec = telnetd" to work quite right when stunnel was running as a service.
I did some quick testing right now on one of our AIX boxes (using stunnel 4.22) and it doesn't work for me either. Everything looks fine when stunnel is started and the first connection comes along and works beautifully... But then stunnel dies after the connection is closed.
I assume you're using the exec = /usr/bin/telnetd option because you don't have telnetd enabled through inetd? We can't generally run telnetd either so I understand that requirement. But maybe you can get a waiver and leave it running behind a port that only accepts local connections?
_______________________________
Claus Lund
System Developer
Vermont Department of Taxes
802-828-3735
-----Original Message-----
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Spence, Thomas Civ 844 CS/SCBX
Sent: Wednesday, January 21, 2009 4:59 PM
To: stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: [stunnel-users] Stunnel 4.26 - AIX 5.3
Dear Users,
* I'm running Stunnel 4.26 as a service, but it dies on logoff...
* Could you tell me where I should put a comment "/* ... */" in stunnel.c or protocol.c so that stunnel's daemon won't stop running.
* I am using stunnel.conf, like this:
-------
pid =
cert = /usr/local/ssl/private/stunnel.pem
output = stunnel.log
[tssl]
accept = 992
exec = /usr/sbin/telnetd
-------
* stunnel.log
-------
[/usr/local/etc/stunnel]# cat *.log
2009.01.21 16:42:54 LOG7[462906:1]: Snagged 64 random bytes from //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: Wrote 1024 new random bytes to //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: RAND_status claims sufficient entropy for the PRNG
2009.01.21 16:42:54 LOG7[462906:1]: PRNG seeded successfully
2009.01.21 16:42:55 LOG7[462906:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Certificate loaded
2009.01.21 16:42:55 LOG7[462906:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Private key loaded
2009.01.21 16:42:55 LOG7[462906:1]: SSL context initialized for service tssl
2009.01.21 16:42:55 LOG5[462906:1]: stunnel 4.26 on powerpc-ibm-aix5.3.0.0 with OpenSSL 0.9.8j 07 Jan 2009
2009.01.21 16:42:55 LOG5[462906:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2009.01.21 16:42:55 LOG6[462906:1]: file ulimit = 65534 (can be changed with 'ulimit -n')
2009.01.21 16:42:55 LOG6[462906:1]: poll() used - no FD_SETSIZE limit for file descriptors
2009.01.21 16:42:55 LOG5[462906:1]: 31999 clients allowed
2009.01.21 16:42:55 LOG7[462906:1]: FD 10 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 11 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 12 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: SO_REUSEADDR option set on accept socket
2009.01.21 16:42:55 LOG7[462906:1]: tssl bound to 0.0.0.0:992
2009.01.21 16:42:55 LOG7[540758:1]: No pid file being created
2009.01.21 16:43:17 LOG7[540758:1]: tssl accepted FD=0 from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: tssl started
2009.01.21 16:43:17 LOG7[540758:258]: FD 0 in non-blocking mode
2009.01.21 16:43:17 LOG7[540758:258]: Waiting for a libwrap process
2009.01.21 16:43:17 LOG7[540758:258]: Acquired libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Releasing libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Released libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: tssl permitted by libwrap from x.x.x.x:3532
2009.01.21 16:43:17 LOG5[540758:258]: tssl accepted connection from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): before/accept initialization
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write certificate A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server done A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client key exchange A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write change cipher spec A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: 1 items in the session cache
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects (SSL_connect())
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 client renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects (SSL_accept())
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 server renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache hits
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache misses
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache timeouts
2009.01.21 16:43:17 LOG6[540758:258]: SSL accepted: new session negotiated
2009.01.21 16:43:17 LOG6[540758:258]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2009.01.21 16:43:17 LOG7[540758:258]: bind#1: Invalid argument (22)
2009.01.21 16:43:17 LOG7[540758:258]: bind#2: Invalid argument (22)
2009.01.21 16:43:17 LOG6[540758:258]: Local mode child started (PID=639170)
2009.01.21 16:43:17 LOG7[540758:258]: Remote FD=13 initialized
2009.01.21 16:43:34 LOG7[540758:258]: Socket closed on read
2009.01.21 16:43:34 LOG7[540758:258]: SSL write shutdown
2009.01.21 16:43:34 LOG7[540758:258]: SSL alert (write): warning: close notify
2009.01.21 16:43:34 LOG6[540758:258]: SSL socket closed on SSL_shutdown
2009.01.21 16:43:34 LOG7[540758:258]: Socket write shutdown
2009.01.21 16:43:34 LOG5[540758:258]: Connection closed: 8360 bytes sent to SSL, 101 bytes sent to socket
2009.01.21 16:43:34 LOG7[540758:258]: tssl finished (0 left)
-------
Your help will be appreciated... Thank you.
________________________________
Tom Spence
AIX Sys Adm
ABIDES System Support
844th CS/SCBX
Pentagon - MD822
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users