Hi!
Does stunnel offer a way to signal a need for rereading the configuration file, i.e. some kind of SIGHUP? I would like to add services while running stunnel without stopping the program ... it should compare currently available services with the new list of services, stop the ones not available any more and start those which are new in the new/changed configuration ...
-- 
Heiko Nardmann (Dipl.-Ing. Technische Informatik)
secunet Security Networks AG - Sicherheit in Netzwerken (www.secunet.de),
Weidenauer Str. 223-225, D-57076 Siegen
Tel.: +49 271 48950-13, Fax: +49 271 48950-50
Visit us from March 10 to 16 at CeBIT 2005 in Hall 7, Stand D38.
Information on our CeBIT topics is available at www.secunet.com - we look forward to talking with you.
On Tue, Feb 01, 2005 at 02:15:22PM +0100, Heiko Nardmann wrote:
> Hi!
> Does stunnel offer a way to signal a need for rereading the configuration file, i.e. some kind of SIGHUP?
I don't think it does; at least, it is not handled by a signal, and for a good reason; see below.
> I would like to add services while running stunnel without stopping the program ... it should compare currently available services with the new list of services, stop the ones not available any more and start those which are new in the new/changed configuration ...
Part of the reason that I think this has not been done is that in most cases (at least under Unix), stunnel is running in a chroot jail for security reasons. If so, the stunnel process that receives the signal has absolutely no way to access the config file - it is most probably outside the chroot tree where the stunnel process operates.
G'luck, Peter
Peter Pentchev wrote:
> Part of the reason that I think this has not been done is that in most cases (at least under Unix), stunnel is running in a chroot jail for security reasons. If so, the stunnel process that receives the signal has absolutely no way to access the config file - it is most probably outside the chroot tree where the stunnel process operates.
Of course rereading the configuration file won't be compatible with chroot (unless you place a copy of the configuration file/certificate/etc. inside the chroot jail). Another obvious problem I expect is the setuid option and binding ports below 1024. 8-)
Rereading of the configuration file is on my TODO aka waiting-for-a-sponsor list, anyway. http://stunnel.mirt.net/todo_sdf.html
Best regards, Mike
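
Added example, not part of the thread and not stunnel's own code: a sketch of the reload planning asked for in the first message, which also flags the two obstacles raised in the replies (a config file outside the chroot jail, and new binds below 1024 once setuid has dropped root). The sample configs, the names parse and plan_reload, and the simplified parsing (numeric ports, absolute paths) are assumptions.

```python
import posixpath

# Constructed sample configs (not from the thread), stunnel-style layout.
OLD = """chroot = /var/lib/stunnel
setuid = stunnel
[imaps]
accept = 993
connect = 143
[pop3s]
accept = 995
connect = 110
"""
NEW = """chroot = /var/lib/stunnel
setuid = stunnel
[imaps]
accept = 993
connect = 127.0.0.1:143
[https]
accept = 443
connect = 8080
"""

def parse(text):
    """Simplified parser: returns (global options, {service: options})."""
    glob, services, cur = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = services.setdefault(line[1:-1], {})
        else:
            key, _, val = line.partition("=")
            (glob if cur is None else cur)[key.strip()] = val.strip()
    return glob, services

def plan_reload(old_text, new_text, conf_path):
    glob, old = parse(old_text)   # globals of the process that is already running
    new = parse(new_text)[1]
    jail = glob.get("chroot")
    # Only a path under the jail stays reachable after chroot (absolute paths assumed).
    readable = not jail or posixpath.commonpath([jail, conf_path]) == jail
    added = sorted(new.keys() - old.keys())
    changed = sorted(n for n in old.keys() & new.keys() if old[n] != new[n])
    def rebinds_low_port(name):   # a new bind below 1024 needs root
        accept = new[name].get("accept", "")
        moved = old.get(name, {}).get("accept") != accept
        return moved and accept != "" and int(accept.rsplit(":", 1)[-1]) < 1024
    blocked = [n for n in added + changed if "setuid" in glob and rebinds_low_port(n)]
    return {"stop": sorted(old.keys() - new.keys()), "start": added,
            "restart": changed, "blocked": blocked, "config_readable": readable}
```

A service whose accept address is unchanged is not counted as blocked, on the assumption that its already-bound listening socket can be kept across the reload.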