Hi all, we have noticed that when reloading (note reloading, not restarting) stunnel it appears to be leaking between 12 and 32 bytes of memory (ish) per reload. There does not need to be any traffic passing through it at the time to view this problem. If it's reloaded enough times the system will eventually run out of memory, unless a stunnel restart is performed in between.
We are running 5.41; I tried with the latest 5.44 and have the same result. We are using OpenSSL 1.0.2j-fips; I've tried with 1.0.2n and 1.1.0e (to try and rule out OpenSSL).
We are reloading by running: kill -s HUP <pid>
The stunnel configuration is -
pid = /var/run/stunnel/stunnel.pid
debug = 7
syslog = no
output = /var/log/stunnel.log
socket = a:IP_FREEBIND=yes
fips = no
sslVersion = all

[VIP_Name]
cert = /etc/loadbalancer.org/certs/server.pem
ciphers = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
accept = 192.168.80.16:443
connect = 127.0.0.5:80
delay = yes
options = NO_SSLv3
options = NO_TLSv1
options = DONT_INSERT_EMPTY_FRAGMENTS
renegotiation = no
local = 192.168.80.16
TIMEOUTclose = 0
The stunnel log file is as follows -

2018.04.03 11:09:59 LOG7[ui]: Clients allowed=62937
2018.04.03 11:09:59 LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform
2018.04.03 11:09:59 LOG5[ui]: Compiled/running with OpenSSL 1.0.2j-fips 26 Sep 2016
2018.04.03 11:09:59 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2018.04.03 11:09:59 LOG7[ui]: errno: (*__errno_location ())
2018.04.03 11:09:59 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2018.04.03 11:09:59 LOG5[ui]: UTF-8 byte order mark not detected
2018.04.03 11:09:59 LOG5[ui]: FIPS mode disabled
2018.04.03 11:09:59 LOG7[ui]: Compression disabled
2018.04.03 11:09:59 LOG7[ui]: Snagged 64 random bytes from /dev/urandom
2018.04.03 11:09:59 LOG7[ui]: PRNG seeded successfully
2018.04.03 11:09:59 LOG6[ui]: Initializing service [VIP_Name]
2018.04.03 11:09:59 LOG7[ui]: Ciphers: ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
2018.04.03 11:09:59 LOG7[ui]: TLS options: 0x07004804 (+0x07004800, -0x00000000)
2018.04.03 11:09:59 LOG6[ui]: Loading certificate from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG6[ui]: Certificate loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG6[ui]: Loading private key from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG6[ui]: Private key loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:09:59 LOG7[ui]: Private key check succeeded
2018.04.03 11:09:59 LOG7[ui]: ECDH initialization
2018.04.03 11:09:59 LOG7[ui]: ECDH initialized with curve prime256v1
2018.04.03 11:09:59 LOG5[ui]: Configuration successful
2018.04.03 11:09:59 LOG7[ui]: Binding service [VIP_Name]
2018.04.03 11:09:59 LOG7[ui]: Listening file descriptor created (FD=6)
2018.04.03 11:09:59 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2018.04.03 11:09:59 LOG7[ui]: Option IP_FREEBIND set on accept socket
2018.04.03 11:09:59 LOG7[ui]: Service [VIP_Name] (FD=6) bound to 192.168.80.16:443
2018.04.03 11:09:59 LOG7[main]: Created pid file /var/run/stunnel/stunnel.pid
2018.04.03 11:09:59 LOG7[cron]: Cron thread initialized
2018.04.03 11:10:59 LOG6[cron]: Executing cron jobs
2018.04.03 11:10:59 LOG6[cron]: Cron jobs completed in 0 seconds
2018.04.03 11:10:59 LOG7[cron]: Waiting 86400 seconds
2018.04.03 11:11:08 LOG7[main]: Found 1 ready file descriptor(s)
2018.04.03 11:11:08 LOG7[main]: FD=4 events=0x2001 revents=0x1
2018.04.03 11:11:08 LOG7[main]: FD=6 events=0x2001 revents=0x0
2018.04.03 11:11:08 LOG7[main]: Dispatching signals from the signal pipe
2018.04.03 11:11:08 LOG7[main]: Processing SIGNAL_RELOAD_CONFIG
2018.04.03 11:11:08 LOG5[main]: Reading configuration from file /etc/stunnel/stunnel.conf
2018.04.03 11:11:08 LOG5[main]: UTF-8 byte order mark not detected
2018.04.03 11:11:08 LOG5[main]: FIPS mode disabled
2018.04.03 11:11:08 LOG7[main]: Compression disabled
2018.04.03 11:11:08 LOG7[main]: Snagged 64 random bytes from /dev/urandom
2018.04.03 11:11:08 LOG7[main]: PRNG seeded successfully
2018.04.03 11:11:08 LOG6[main]: Initializing service [VIP_Name]
2018.04.03 11:11:08 LOG7[main]: Ciphers: ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
2018.04.03 11:11:08 LOG7[main]: TLS options: 0x07004804 (+0x07004800, -0x00000000)
2018.04.03 11:11:08 LOG6[main]: Loading certificate from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG6[main]: Certificate loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG6[main]: Loading private key from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG6[main]: Private key loaded from file: /etc/loadbalancer.org/certs/server.pem
2018.04.03 11:11:08 LOG7[main]: Private key check succeeded
2018.04.03 11:11:08 LOG7[main]: ECDH initialization
2018.04.03 11:11:08 LOG7[main]: ECDH initialized with curve prime256v1
2018.04.03 11:11:08 LOG5[main]: Configuration successful
2018.04.03 11:11:08 LOG7[main]: Unbinding service [VIP_Name]
2018.04.03 11:11:08 LOG7[main]: Service [VIP_Name] closed (FD=6)
2018.04.03 11:11:08 LOG7[main]: Service [VIP_Name] closed
2018.04.03 11:11:08 LOG7[main]: Binding service [VIP_Name]
2018.04.03 11:11:08 LOG7[main]: Listening file descriptor created (FD=6)
2018.04.03 11:11:08 LOG7[main]: Option SO_REUSEADDR set on accept socket
2018.04.03 11:11:08 LOG7[main]: Option IP_FREEBIND set on accept socket
2018.04.03 11:11:08 LOG7[main]: Service [VIP_Name] (FD=6) bound to 192.168.80.16:443
2018.04.03 11:11:08 LOG7[main]: Signal pipe is empty
Any help would be appreciated.
Thanks
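A way to put a number on the growth the report above describes, as an added example that is not part of the original post and not code from the stunnel project: a POSIX shell script that sends the same `kill -s HUP` the reporter uses to a running stunnel a fixed number of times, reading the process's resident set size from /proc before and after, and prints the mean growth per reload. The pid file path in the usage comment is the one from the reporter's configuration; the process id, reload count and pause between reloads are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Added example (not from the stunnel project): measure resident memory growth
# of a running stunnel across repeated configuration reloads (SIGHUP).

# rss_kb_from_status FILE -> VmRSS in kB from a /proc/<pid>/status-style file.
# Fails (non-zero) if no VmRSS line is present, e.g. the process is gone.
rss_kb_from_status() {
    v=$(awk '/^VmRSS:/ { print $2 }' "$1") || return 1
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# rss_kb PID -> VmRSS in kB of the live process PID (Linux /proc assumed).
rss_kb() {
    rss_kb_from_status "/proc/$1/status"
}

# per_reload_delta START_KB END_KB COUNT -> mean kB growth per reload (integer).
per_reload_delta() {
    echo $(( ($2 - $1) / $3 ))
}

# reload_and_measure PID COUNT [PAUSE_SECS]
# Sends COUNT SIGHUPs to PID, pausing after each so the reload completes,
# then prints RSS before, RSS after and the mean growth per reload.
reload_and_measure() {
    pid=$1; count=$2; pause=${3:-1}
    kill -0 "$pid" 2>/dev/null || { echo "no such process: $pid" >&2; return 1; }
    start=$(rss_kb "$pid") || return 1
    i=0
    while [ "$i" -lt "$count" ]; do
        # Same reload the reporter performs by hand.
        kill -s HUP "$pid" || return 1
        sleep "$pause"
        i=$((i + 1))
    done
    end=$(rss_kb "$pid") || return 1
    echo "rss_before_kb=$start rss_after_kb=$end reloads=$count" \
         "mean_growth_kb_per_reload=$(per_reload_delta "$start" "$end" "$count")"
}

# Usage, with the pid file path from the configuration in the report
# (count and pause are assumed values):
#   reload_and_measure "$(cat /var/run/stunnel/stunnel.pid)" 500 1
```

VmRSS is reported in whole pages (4 kB on x86_64), so at the 12 to 32 bytes per reload reported here several hundred reloads are needed before any change shows, while a 200 KB per reload growth like Javier's is visible after a handful. Because the loop reloads a production daemon, run it against a test instance of stunnel with the same configuration rather than the one serving traffic. For a byte-accurate answer, run that test instance under a heap checker such as valgrind's memcheck and look at what it reports as lost after the reloads.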
Hi,
I confirm it using 5.44.
In my case, in fact, it is 200KB, but as I have a big stunnel.conf file with quite a few client services ;), hence the difference.
Should be fixed, but, on the other hand... why continuous reloading?
I reload when I make changes and that happens from never to less than the fingers of both hands of times in a year :P
Anyway, should be fixed, true. I thought it could be the log in the window, but as it has a limit of lines might be something else.
Regards.
Should be fixed, but, on the other hand... why continuous reloading?
We have started using Let's Encrypt and update the certs once every few days, and reload the config after that update. It takes roughly a month before we start to run into issues.
On 3 April 2018 at 17:37, Javier jamilist.stn@gmx.es wrote:
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users