My stunnel.conf file looks like:
debug = 7
cert = /usr/local/stunnel/etc/stunnel/stunnel.pem
chroot = /usr/local/stunnel/var/run/
pid = /stunnel.pid
output = stunnel.log
CAfile = /usr/local/stunnel/etc/stunnel/certs.pem
verify = 3
delay = yes
client = yes
setuid = stunnel
setgid = stunnel
. . .
and the stunnel.log file:
. . .
2004.11.07 16:49:10 LOG7[3794:1025]: smtps started
2004.11.07 16:49:10 LOG5[3794:1025]: smtps connected from 127.0.0.1:1143
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to initialize remote connection
2004.11.07 16:49:10 LOG7[3794:1025]: smtps finished (0 left)
Removing chroot in stunnel.conf fixes the problem, but it's no longer jailed.
Hints?
Thanks,
John
"John Conover" conover@rahul.net wrote:
chroot = /usr/local/stunnel/var/run/
[cut]
delay = yes
[cut]
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
[cut]
Removing chroot in stunnel.conf fixes the problem, but it's no longer jailed.
Hints?
Yes. You have several options:
1. As you noticed, you can turn off chroot.
2. You can turn off the delayed resolver (to resolve hosts at startup, before chroot).
3. You can create the files/devices your resolver library needs inside the chroot jail. strace is your friend: http://sourceforge.net/projects/strace/
4. You can use an IP address as the "connect" parameter instead of a domain name. 8-)
Best regards, Mike
"John Conover" conover@rahul.net wrote:
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
(...)
Removing chroot in stunnel.conf fixes the problem, but it's no longer jailed.
Hints?
(...)
- You can create the files/devices your resolver library needs inside the chroot jail. strace is your friend: http://sourceforge.net/projects/strace/
i.e. <chroot_jail_root>etc/resolv.conf should be enough.
Olivier
Michal Trojnara writes:
"John Conover" conover@rahul.net wrote:
chroot = /usr/local/stunnel/var/run/
[cut]
delay = yes
[cut]
2004.11.07 16:49:10 LOG3[3794:1025]: Failed to resolve hostname 'abc.wxyz.net'
[cut]
Removing chroot in stunnel.conf fixes the problem, but it's no longer jailed.
Hints?
Yes. You have several options:
1. As you noticed, you can turn off chroot.
2. You can turn off the delayed resolver (to resolve hosts at startup, before chroot).
3. You can create the files/devices your resolver library needs inside the chroot jail. strace is your friend: http://sourceforge.net/projects/strace/
4. You can use an IP address as the "connect" parameter instead of a domain name. 8-)
Thanks, Mike. Using IP addresses as a "connect" parameter worked like a charm.
How do you make sure the remote/server stunnel is kept running?
I haven't waded through the sources to stunnel, but is there a command line arg for "if it's not running, make it so," i.e. checking the pid file as a lock file and checking whether the pid is a valid stunnel process, so it could be run periodically out of cron(8) to keep it running in case the remote went down?
Or, something similar triggered by the client machine?
Thanks,
John
BTW, as a sidebar, the -Wall gcc(1) command line arg in the compile of stunnel was a nice touch; it shows the authors cared.
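The cron-driven check John asks about, as an added example written here rather than taken from stunnel or from any reply in this thread. It assumes stunnel 4.x is started as "stunnel <config file>", that with chroot set the pid path is relative to the jail (so John's pid = /stunnel.pid ends up under /usr/local/stunnel/var/run/), and the install paths in the variables at the top; the pid file content and the process behind it are validated before use, because a stale or garbage pid file must not make a root cron job signal or restart the wrong thing.

```shell
#!/bin/sh
# Added example (not stunnel's own code): a cron-driven "if it's not running,
# make it so" check built on stunnel's pid file, as John sketches above.
# Assumptions: stunnel 4.x is started as "stunnel <config>"; with "chroot" set
# the "pid" path is relative to the jail, so pid = /stunnel.pid lands here:
PIDFILE="${PIDFILE:-/usr/local/stunnel/var/run/stunnel.pid}"
STUNNEL="${STUNNEL:-/usr/local/stunnel/sbin/stunnel}"
CONF="${CONF:-/usr/local/stunnel/etc/stunnel/stunnel.conf}"

# Print the pid stored in file $1 only if it is a plain decimal number. The
# file sits where the unprivileged stunnel user can reach it, so a root-run
# watchdog treats its content as untrusted input and rejects anything else.
read_pid() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Print the command name of live process $1 (Linux /proc, else ps).
proc_name() {
    if [ -r "/proc/$1/comm" ]; then
        read -r name < "/proc/$1/comm"
    else
        name=$(ps -p "$1" -o comm= 2>/dev/null) || return 1
    fi
    printf '%s\n' "${name##*/}"
}

# Succeed only if pid $1 is alive AND really is a "$2" process: a stale pid
# file may name an unrelated process that has since reused the number.
pid_is_named() {
    kill -0 "$1" 2>/dev/null || return 1
    [ "$(proc_name "$1")" = "$2" ]
}

# 0 if the stunnel recorded in pid file $1 is running, 1 otherwise.
stunnel_running() {
    pid=$(read_pid "$1") || return 1
    pid_is_named "$pid" stunnel
}
# Cron entry, e.g.:  * * * * * /usr/local/sbin/stunnel-watchdog.sh
main() {
    stunnel_running "$PIDFILE" && exit 0
    rm -f "$PIDFILE"            # stale or garbage pid file
    exec "$STUNNEL" "$CONF"
}
# Run the check only when executed under that name, not when sourced/tested.
[ "${0##*/}" = "stunnel-watchdog.sh" ] && main
```

Install it as /usr/local/sbin/stunnel-watchdog.sh on the server side; the same script, pointed at the client's own pid file, covers the client case John mentions.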