Hi All-
I am using stunnel to secure a connection between a local python script using telnetlib and a custom sockets-based server requiring SSL, from local port 4449 to remote port 4449. This is done via:
stunnel /opt/www/domains/admin.showcasere.com/showcase/classes/opensrs-php/stunnel-app.conf
where the conf file is:
client = yes
pid = /opt/www/domains/admin.showcasere.com/runtime/stunnel.pid
debug = 7

[telnet]
accept = 4449
connect = admin.hostedemail.com:4449
Functionally, everything works for my application, but I am experiencing a bad side-effect.
stunnel is ALSO setting up listeners on HTTP and HTTPS ports, and when my daily logrotate scripts run and HUP apache, stunnel steals the web server's ports and the server won't come back up! I had 7 hours of downtime today because of this.
I've done a bunch of debugging and can't figure out what's going on. I have only one guess: stunnel automatically listens on any ports that the process calling stunnel is listening on, in some sort of attempt to seamlessly add SSL to existing daemons. I can't find any docs or tell from the source code, but it's the only idea I can't rule out...
Here is the debug log of the startup of stunnel (which is run from an apache/php script):
Jan 11 13:10:13 bigwoody stunnel: LOG5[13964:3086333632]: stunnel 4.14 on i386-redhat-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: RAND_status claims sufficient entropy for the PRNG
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: PRNG seeded successfully
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: file ulimit = 1024 (can be changed with 'ulimit -n')
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: poll() used - no FD_SETSIZE limit for file descriptors
Jan 11 13:10:13 bigwoody stunnel: LOG5[13964:3086333632]: 500 clients allowed
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 31 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 32 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 33 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: SO_REUSEADDR option set on accept socket
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: telnet bound to 0.0.0.0:4449
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: Created pid file /opt/www/domains/admin.showcasere.com/runtime/stunnel.pid
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: telnet accepted FD=34 from 127.0.0.1:48335
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet started
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 34 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 35 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 36 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: Cleaning up the signal pipe
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086333632]: Child process 13967 finished with code 0
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Connection from 127.0.0.1:48335 permitted by libwrap
Jan 11 13:10:13 bigwoody stunnel: LOG5[13965:3086330784]: telnet connected from 127.0.0.1:48335
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 35 in non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet connecting 216.40.42.6:4449
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: connect_wait: waiting 10 seconds
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: connect_wait: connected
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Remote FD=35 initialized
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): before/connect initialization
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write client hello A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read server hello A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read server certificate A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read server done A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write client key exchange A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write change cipher spec A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 write finished A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 flush data
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state (connect): SSLv3 read finished A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 1 items in the session cache
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 1 client connects (SSL_connect())
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 1 client connects that finished
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 client renegotiatations requested
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 server connects (SSL_accept())
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 server connects that finished
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 server renegotiatiations requested
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 session cache hits
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 session cache misses
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: 0 session cache timeouts
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086330784]: SSL connected: new session negotiated
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086330784]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4 (128) Mac=MD5
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL socket closed on SSL_read
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Socket write shutdown
Jan 11 13:10:13 bigwoody stunnel: LOG5[13965:3086330784]: Connection closed: 91 bytes sent to SSL, 73 bytes sent to socket
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet finished (0 left)
And then, you can see what stunnel is listening on:
[root@bigwoody custom_img]# lsof -i | grep stunnel
stunnel 13965 apache 4u IPv4 156503478 TCP static-216.114.79.43.primarynetwork.com:http (LISTEN)
stunnel 13965 apache 5u IPv4 156503480 TCP static-216.114.79.43.primarynetwork.com:https (LISTEN)
stunnel 13965 apache 30u IPv4 156771437 TCP localhost.localdomain:51333->localhost.localdomain:9676 (ESTABLISHED)
stunnel 13965 apache 33u IPv4 156846546 TCP *:privatewire (LISTEN)
If I start up stunnel from the command line as "root" or another user even, it only listens on the port listed in the conf file.
Does anyone have any idea what's going on here? How can I turn off this behavior?
Thanks! Alan
On Fri, Jan 11, 2008 at 02:31:58PM -0500, Alan Pinstein wrote:
> Hi All-
> [ Stunnel listens on ports it shouldn't ]
>
> If I start up stunnel from the command line as "root" or another user even, it only listens on the port listed in the conf file.
Could you have some startup script that's automatically getting run with your logrotate scripts?
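
Added example, not part of the thread and not stunnel or Apache code: in the first message, stunnel's log shows its own first descriptors as FD 31-33 while lsof shows the http/https listeners at descriptors 4 and 5 of the apache-owned process, which is what a child looks like when it inherits open sockets from the process that launched it. The thread does not confirm that cause; the sketch below assumes it, uses a constructed loopback listener as a stand-in for the web server's socket, and shows a child holding the parent's listening port when descriptors leak and not holding it when they are closed on spawn.

```python
import socket
import subprocess
import sys

# Child program: report which of the given fd numbers are listening sockets.
CHILD = r"""
import socket, sys
held = []
for arg in sys.argv[1:]:
    try:
        s = socket.socket(fileno=int(arg))
    except OSError:
        continue  # fd is not open (or not a socket) in this process
    if s.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
        held.append(s.getsockname()[1])
    s.detach()
print(",".join(map(str, held)))
"""

def ports_held_by_child(listener, leak):
    """Spawn a child; return the listening ports it holds via inherited fds."""
    listener.set_inheritable(leak)      # leak=True clears close-on-exec
    out = subprocess.run(
        [sys.executable, "-c", CHILD, str(listener.fileno())],
        close_fds=not leak,             # hardened launch closes all fds > 2
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    return [int(p) for p in out.split(",") if p]

def demo():
    # Constructed stand-in for the parent daemon's listening socket.
    parent = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    parent.bind(("127.0.0.1", 0))       # ephemeral port, loopback only
    parent.listen(1)
    port = parent.getsockname()[1]
    try:
        leaked = ports_held_by_child(parent, leak=True)
        clean = ports_held_by_child(parent, leak=False)
    finally:
        parent.close()
    return port, leaked, clean

if __name__ == "__main__":
    port, leaked, clean = demo()
    print(f"parent listens on {port}; leaky child holds {leaked}; "
          f"hardened child holds {clean}")
```

A child that still holds the listening descriptor keeps the port bound after the parent exits, so the parent cannot bind it again on restart.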