Hi,
kill -HUP does not seem to work for me with 4.35, I always get:
2011.02.07 17:51:25 LOG5[14988:139705784043264]: Received signal 15; terminating
Best regards,
Stefan Behte
Babiel GmbH Moskauer Str. 27 D-40227 Düsseldorf
Tel: 0211-179349 0 Fax: 0211-179349 29 E-Mail: S.Behte@babiel.com Internet: http://www.babiel.com
Stefan Behte wrote:
kill -HUP does not seem to work for me with 4.35, I always get:
2011.02.07 17:51:25 LOG5[14988:139705784043264]: Received signal 15; terminating
I could not reproduce your problem. Are you sure that you used "kill -HUP 14988" and not "kill 14988"? Otherwise please send us your configuration file and more logs, including the lines logged by stunnel at startup.
Mike
Hi,
kill -HUP does not seem to work for me with 4.35, I always get:
2011.02.07 17:51:25 LOG5[14988:139705784043264]: Received signal 15; terminating
I could not reproduce your problem. Are you sure that you used "kill -HUP 14988" and not "kill 14988"? Otherwise please send us your configuration file and more logs, including the lines logged by stunnel at startup.
Sorry but I cannot reproduce it anymore, either. I am 100% sure I sent kill -HUP, though (it's even in the history).
As I tried to reproduce the issue, I got a different one. :/
# /etc/init.d/stunnel start &>/dev/null; cat stunnel
2011.02.09 11:23:53 LOG5[1332:139976438163200]: Reading configuration from file /etc/stunnel/stunnel.conf
2011.02.09 11:23:53 LOG6[1332:139976438163200]: Could not load DH parameters from /etc/stunnel/www.mydomain.com.crt
2011.02.09 11:23:53 LOG6[1332:139976438163200]: Could not load DH parameters from /etc/stunnel/www.myotherdomain.com.crt
2011.02.09 11:23:53 LOG5[1332:139976438163200]: Configuration successful
2011.02.09 11:23:53 LOG5[1332:139976438163200]: No limit detected for the number of clients
2011.02.09 11:23:53 LOG5[1338:139976438163200]: stunnel 4.35 on x86_64-pc-linux-gnu with OpenSSL 1.0.0c 2 Dec 2010
2011.02.09 11:23:53 LOG5[1338:139976438163200]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
# ps auxwww | grep stunnel
stunnel   1333  0.0  0.0  29164   628 pts/0   S    11:23   0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
stunnel   1334  0.0  0.0  29164   628 pts/0   S    11:23   0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
stunnel   1335  0.0  0.0  29164   628 pts/0   S    11:23   0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
stunnel   1336  0.0  0.0  29164   632 pts/0   S    11:23   0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
stunnel   1337  0.0  0.0  29164   632 pts/0   S    11:23   0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
stunnel   1338  0.0  0.0  29164   856 ?       Ss   11:23   0:00 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
root      1344  0.0  0.0   6204   580 pts/0   S+   11:24   0:00 grep --colour=auto stunnel
# kill -HUP 1338
2011.02.09 11:25:18 LOG5[1338:139976438163200]: Reading configuration from file /etc/stunnel/stunnel.conf
2011.02.09 11:25:18 LOG6[1338:139976438163200]: Could not load DH parameters from /etc/stunnel/www.mydomain.com.crt
2011.02.09 11:25:18 LOG3[1338:139976438163200]: error queue: 140B0002 : error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
2011.02.09 11:25:18 LOG3[1338:139976438163200]: error queue: 20074002 : error:20074002:BIO routines:FILE_CTRL:system lib
2011.02.09 11:25:18 LOG3[1338:139976438163200]: SSL_CTX_use_PrivateKey_file: 200100D: error:0200100D:system library:fopen:Permission denied
2011.02.09 11:25:18 LOG3[1338:139976438163200]: Error binding https to 0.0.0.0:444
2011.02.09 11:25:18 LOG3[1338:139976438163200]: bind: Permission denied (13)
# /etc/init.d/stunnel restart
2011.02.09 11:40:22 LOG5[2017:140528250427136]: Received signal 15; terminating
2011.02.09 11:40:23 LOG5[2123:140176257128192]: Reading configuration from file /etc/stunnel/stunnel.conf
[.. same as above: 2011.02.09 11:23:53 ..]
But the socket is not in use, netstat does not list it. Stunnel works fine again after the restart.
stunnel.conf:
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = info
output = /var/log/squid/stunnel

[https]
accept = 444
connect = 127.0.0.1:8089
TIMEOUTclose = 0
cert = /etc/stunnel/www.mydomain.com.crt
key = /etc/stunnel/www.mydomain.com.key

[https]
accept = 445
connect = 127.0.0.1:8083
TIMEOUTclose = 0
cert = /etc/stunnel/www.myotherdomain.com.crt
key = /etc/stunnel/www.myotherdomain.com.key
Best regards,
Stefan Behte
Stefan Behte wrote:
2011.02.09 11:25:18 LOG3[1338:139976438163200]: Error binding https to 0.0.0.0:444
2011.02.09 11:25:18 LOG3[1338:139976438163200]: bind: Permission denied (13)
[cut]
setuid = stunnel
setgid = stunnel
On Unix you have to be root to bind port <1024. Remove setuid from your configuration file.
Mike
Hi
Stefan Behte wrote:
2011.02.09 11:25:18 LOG3[1338:139976438163200]: Error binding https to 0.0.0.0:444
2011.02.09 11:25:18 LOG3[1338:139976438163200]: bind: Permission denied (13)
[cut]
setuid = stunnel
setgid = stunnel
On Unix you have to be root to bind port <1024. Remove setuid from your configuration file.
Mike
I was confused as it works just fine with a simple restart and I've never experienced this -HUP behaviour with a unix daemon yet, so it seemed like a bug and not a design decision to me.
Well: the setuid is not the underlying problem and dropping that line is just a workaround because of the way stunnel drops its privileges: as far as I understand it, the problem is that after binding the port and dropping privileges, the process cannot rebind the port as those privileges were already dropped and the HUP is sent to a process that cannot get/grant those privileges again. AFAIK other products like apache solve this problem by running a main process as root and dropping privileges/capabilities in subprocesses/threads that handle the connections. If you want to kill -HUP apache, you send it to the main process, not a process running with lower privileges.
To be honest, I do not like the way stunnel currently handles this, when I send a -HUP, I expect it to reload my config, without exceptions. Well, it is a design decision, a workaround exists and it's documented, but still...
Best regards,
Stefan Behte
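An added pre-flight check for the failure mode discussed in this thread (example code written for this page, not stunnel's own): it reads a stunnel.conf and reports the combination that makes a SIGHUP reload fail after privileges are dropped, a global setuid together with any accept port below 1024, so the problem is caught before the signal is sent. The `stunnel_*` function names, the exit-status convention and the restriction to the setuid and accept keys are assumptions of this example.

```shell
#!/bin/sh
# Added example, not stunnel's own code. After stunnel has applied "setuid",
# a later "kill -HUP" runs bind() again as the unprivileged user, so every
# "accept" port below 1024 fails with EACCES (the thread's log shows this for
# port 444). Only the setuid and accept keys are inspected here (assumption).

# Print the value of a global (pre-section) key, e.g. "setuid".
stunnel_global() {            # $1 = config file, $2 = key name
    sed -n "/^[[:space:]]*\[/q; s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Print "service port" for every accept = [host:]port below 1024.
# A port given by name (e.g. "https") is treated as privileged.
stunnel_privileged_ports() {  # $1 = config file
    awk -F'=' '
        /^[[:space:]]*\[/ { svc = $0; sub(/^[[:space:]]*\[/, "", svc); sub(/].*$/, "", svc); next }
        $1 ~ /^[[:space:]]*accept[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]]/, "", v); sub(/.*:/, "", v)
            if (v + 0 < 1024) print svc, v
        }' "$1"
}

# Exit status 0 when a SIGHUP reload can re-bind every listener, 1 otherwise.
stunnel_hup_check() {         # $1 = config file
    user=$(stunnel_global "$1" setuid)
    if [ -z "$user" ]; then
        return 0              # no privilege drop: root re-binds fine
    fi
    ports=$(stunnel_privileged_ports "$1")
    if [ -z "$ports" ]; then
        return 0              # all listeners are on unprivileged ports
    fi
    echo "setuid = $user, but these listeners need root to bind after HUP:"
    echo "$ports"
    return 1
}

# Usage: ./stunnel_hup_check.sh /etc/stunnel/stunnel.conf
if [ -n "${1:-}" ]; then
    stunnel_hup_check "$1"
fi
```

Removing the setuid line (the workaround from this thread) or moving the listeners to ports at or above 1024 both make the check pass.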
Stefan Behte wrote:
AFAIK other products like apache solve this problem by running a main process as root and dropping privileges/capabilities in subprocesses/threads that handle the connections. If you want to kill -HUP apache, you send it to the main process, not a process running with lower privileges.
To be honest, I do not like the way stunnel currently handles this, when I send a -HUP, I expect it to reload my config, without exceptions. Well, it is a design decision, a workaround exists and it's documented, but still...
It's a good idea, but quite tough to implement. It would require passing socket descriptors, configuration file, certificates, private keys, CRLs, and possibly other stuff between processes with different permissions.
I have updated my TODO list: http://www.stunnel.org/?page=sdf_todo
Alternatively I could just drop support for setuid and chroot, as my budget is much smaller than the budget of Apache Foundation: http://www.apache.org/foundation/records/minutes/2010/board_minutes_2010_04_...
Mike
Hi,
It's a good idea, but quite tough to implement. It would require passing socket descriptors, configuration file, certificates, private keys, CRLs, and possibly other stuff between processes with different permissions.
That's true.
Alternatively I could just drop support for setuid and chroot, as my budget is much smaller than the budget of Apache Foundation: http://www.apache.org/foundation/records/minutes/2010/board_minutes_2010_04_...
I don't blame you, I am well aware that you are not backed by a large team of programmers and money. It was just meant as an idea how to enhance stunnel, not as a complaint. I'm sorry if you got me wrong. A workaround exists and I am satisfied with that. :)
Thanks!
Stefan Behte