Hi,
I'm new to stunnel and have run into some unexpected behavior. I'm inclined to think it's a bug, but perhaps I'm misunderstanding some things.
I'm running FreeBSD 6.2 with stunnel 4.21 (installed via ports collection). I'm able to configure things properly when using stunnel in daemon mode, but am unable to run stunnel from inetd when I set the debug level to 7.
Here's the config file I'm using,
cert = /usr/local/CA/stunnel.pem
key = /usr/local/CA/stunnel.pem
sslVersion = all
pid = /var/log/swat-stunnel.pid
debug = 7
output = /tmp/stunnel.log
exec = /usr/local/sbin/swat
execargs = swat
...and the inetd.conf entry,
swat stream tcp nowait.400 root /usr/local/sbin/stunnel stunnel /usr/local/etc/stunnel/swat.conf
If I connect to port 901, some debug messages are written to the socket,
dwiest@dfwdamian.vail: telnet localhost 901
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
2008.01.22 22:19:09 LOG7[81278:134651904]: Snagged 64 random bytes from /home/dwiest/.rnd
2008.01.22 22:19:09 LOG7[81278:134651904]: Wrote 1024 new random bytes to /home/dwiest/.rnd
2008.01.22 22:19:09 LOG7[81278:134651904]: RAND_status claims sufficient entropy for the PRNG
2008.01.22 22:19:09 LOG7[81278:134651904]: PRNG seeded successfully
2008.01.22 22:19:09 LOG7[81278:134651904]: Certificate: /usr/local/CA/stunnel.pem
2008.01.22 22:19:09 LOG7[81278:134651904]: Certificate loaded
2008.01.22 22:19:09 LOG7[81278:134651904]: Key file: /usr/local/CA/stunnel.pem
2008.01.22 22:19:09 LOG7[81278:134651904]: Private key loaded
2008.01.22 22:19:09 LOG7[81278:134651904]: SSL context initialized for service stunnel
^]
telnet> q
Connection closed.
...and some are written to the file I specified,
dwiest@dfwdamian.vail: cat /tmp/stunnel.log
2008.01.22 22:19:09 LOG5[81278:134651904]: stunnel 4.21 on i386-unknown-freebsd6.2 with OpenSSL 0.9.7e-p1 25 Oct 2004
2008.01.22 22:19:09 LOG5[81278:134651904]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.01.22 22:19:09 LOG7[81278:134651904]: stunnel started
2008.01.22 22:19:09 LOG7[81278:134651904]: FD 0 in non-blocking mode
2008.01.22 22:19:09 LOG7[81278:134651904]: FD 1 in non-blocking mode
2008.01.22 22:19:09 LOG7[81278:134651904]: stunnel permitted by libwrap from 127.0.0.1:53961
2008.01.22 22:19:09 LOG5[81278:134651904]: stunnel accepted connection from 127.0.0.1:53961
2008.01.22 22:19:09 LOG7[81278:134651904]: SSL state (accept): before/accept initialization
2008.01.22 22:19:11 LOG3[81278:134651904]: SSL_accept: Peer suddenly disconnected
2008.01.22 22:19:11 LOG5[81278:134651904]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.01.22 22:19:11 LOG7[81278:134651904]: stunnel finished (0 left)
If I run stunnel in daemon mode with the debug level set to 7, then the messages are printed to stderr. Shouldn't they go to either syslog, or to the file specified with the "output" option?
I dug through the source code and discovered that file_putline() is being called from parse_config() before open_log() has been called. This results in file_putline() writing to stderr instead of the specified output file.
If this is known behavior, then it would be nice if the man page mentioned something.
-Damian
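The failure mode Damian describes, reproduced without stunnel as an added example (this is not stunnel's code, and the "buggy"/"fixed" mode names and the log lines the stand-in service emits are constructed for the illustration). Under inetd the accepted client socket becomes fd 0, 1 and 2 of the child, so a diagnostic written to stderr before open_log() has redirected fd 2 travels to the client in cleartext, in the middle of what should be a TLS handshake, and it also leaks the certificate and key paths to whoever connected. The stand-in service below does the same fd plumbing in both orders; the harness plays inetd and the client:

```python
"""Why an inetd-spawned service must not log to stderr before open_log().

Added illustration for this thread; it is not stunnel's code. It only
reproduces the fd plumbing: inetd hands the accepted client socket to the
child as fd 0, 1 and 2, so any diagnostic written to stderr before the log
file has been opened goes to the client instead of the log.
"""
import os
import socket
import subprocess
import sys
import tempfile

# Stand-in service, constructed for this example. argv[1] selects the
# ordering ("buggy": parse the config first, then open the log, as in 4.21;
# "fixed": the reverse), argv[2] is the file named by the "output" option.
SERVICE = r'''
import os, sys
mode, logfile = sys.argv[1], sys.argv[2]

def open_log():
    fd = os.open(logfile, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.dup2(fd, 2)            # from here on fd 2 is the log file, not the socket
    os.close(fd)

def parse_config():
    # Lines of the kind stunnel 4.21 emitted at debug = 7 while parsing the
    # config, i.e. before open_log() had run (constructed, see the transcript).
    sys.stderr.write("LOG7: Certificate: /usr/local/CA/stunnel.pem\n")
    sys.stderr.write("LOG7: Private key loaded\n")
    sys.stderr.flush()

if mode == "buggy":
    parse_config()
    open_log()
else:
    open_log()
    parse_config()
sys.stderr.write("LOG5: stunnel accepted connection\n")
sys.stderr.flush()
'''


def run_under_inetd(mode):
    """Spawn SERVICE the way inetd does and play the client on the other end.

    Returns (bytes that reached the client, text that reached the log file).
    """
    fd, logfile = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        client, service_end = socket.socketpair()
        with service_end:
            # inetd semantics: the accepted socket becomes fd 0, 1 and 2.
            proc = subprocess.Popen(
                [sys.executable, "-c", SERVICE, mode, logfile],
                stdin=service_end, stdout=service_end, stderr=service_end,
            )
        # The parent keeps only the client end; EOF arrives when the service exits.
        received = b""
        with client:
            while True:
                chunk = client.recv(4096)
                if not chunk:
                    break
                received += chunk
        proc.wait()
        with open(logfile) as f:
            return received, f.read()
    finally:
        os.unlink(logfile)


if __name__ == "__main__":
    for mode in ("buggy", "fixed"):
        on_wire, in_log = run_under_inetd(mode)
        print(f"{mode}: {len(on_wire)} bytes leaked to the client; log file:")
        print(in_log, end="")
```

In "buggy" mode the two LOG7 lines arrive on the client socket and never reach the log file, which is exactly what the telnet transcript shows; in "fixed" mode the client sees nothing and all three lines land in the log. The same harness is a quick regression check for any inetd-style service: whatever the client receives before the first protocol byte is a leak.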
On Wed, Jan 23, 2008 at 01:45:17PM -0600, Damian Wiest wrote:
> Hi,
> I'm new to stunnel and have run into some unexpected behavior. I'm inclined to think it's a bug, but perhaps I'm misunderstanding some things.
> I'm running FreeBSD 6.2 with stunnel 4.21 (installed via ports collection). I'm able to configure things properly when using stunnel in daemon mode, but am unable to run stunnel from inetd when I set the debug level to 7.
> If I connect to port 901, some debug messages are written to the socket,
> [ ... ]
> ...and some are written to the file I specified,
> [ ... ]
> If I run stunnel in daemon mode with the debug level set to 7, then the messages are printed to stderr. Shouldn't they go to either syslog, or to the file specified with the "output" option?
> I dug through the source code and discovered that file_putline() is being called from parse_config() before open_log() has been called. This results in file_putline() writing to stderr instead of the specified output file.

It's known behaviour that will get fixed for 4.22. Dig through the list archives for the past couple of weeks for a URL to download a beta, if you care to test it.
On Wed, Jan 23, 2008 at 05:08:26PM -0600, Luis Rodrigo Gallardo Cruz wrote:
> On Wed, Jan 23, 2008 at 01:45:17PM -0600, Damian Wiest wrote:
> > Hi,
> > I'm new to stunnel and have run into some unexpected behavior. I'm inclined to think it's a bug, but perhaps I'm misunderstanding some things.
> > I'm running FreeBSD 6.2 with stunnel 4.21 (installed via ports collection). I'm able to configure things properly when using stunnel in daemon mode, but am unable to run stunnel from inetd when I set the debug level to 7.
> > If I connect to port 901, some debug messages are written to the socket,
> > [ ... ]
> > ...and some are written to the file I specified,
> > [ ... ]
> > If I run stunnel in daemon mode with the debug level set to 7, then the messages are printed to stderr. Shouldn't they go to either syslog, or to the file specified with the "output" option?
> > I dug through the source code and discovered that file_putline() is being called from parse_config() before open_log() has been called. This results in file_putline() writing to stderr instead of the specified output file.
>
> It's known behaviour that will get fixed for 4.22. Dig through the list archives for the past couple of weeks for a URL to download a beta, if you care to test it.
Ouch. When I read Damian's e-mail, I realized that I should have updated the FreeBSD port of stunnel to the 4.22b2 version a couple of days ago, when you (Luis) reported the problem and Michal announced it. I started working on the FreeBSD port update a couple of hours ago, but you managed to sneak this e-mail before I was done :)
Damian, I just committed the update to stunnel-4.22.b2 (yep, funny versioning schemes and such) to the FreeBSD Ports Collection; could you try to update your ports tree and see if the logging fix in the new version works for you? It seems to work just fine here.
Sorry for not getting the fix into the Ports Collection earlier -- and thanks to Michal for the quick release of this beta, and thanks to Luis for the response to Damian :)
G'luck,
Peter
On Thu, Jan 24, 2008 at 02:51:31AM +0200, Peter Pentchev wrote:
> [snip]
> Damian, I just committed the update to stunnel-4.22.b2 (yep, funny versioning schemes and such) to the FreeBSD Ports Collection; could you try to update your ports tree and see if the logging fix in the new version works for you? It seems to work just fine here.
It looks good to me. Thanks!
-Damian