Dear Users,
* I'm running Stunnel 4.26 as a service, but it dies on logoff...
* Could you tell me where I should put a comment "/* ... */" in stunnel.c or protocol.c so that stunnel's daemon won't stop running?
* I am using stunnel.conf, like this:
-------
pid =
cert = /usr/local/ssl/private/stunnel.pem
output = stunnel.log
[tssl]
accept = 992
exec = /usr/sbin/telnetd
-------
* stunnel.log
-------
[/usr/local/etc/stunnel]# cat *.log
2009.01.21 16:42:54 LOG7[462906:1]: Snagged 64 random bytes from //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: Wrote 1024 new random bytes to //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: RAND_status claims sufficient entropy for the PRNG
2009.01.21 16:42:54 LOG7[462906:1]: PRNG seeded successfully
2009.01.21 16:42:55 LOG7[462906:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Certificate loaded
2009.01.21 16:42:55 LOG7[462906:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Private key loaded
2009.01.21 16:42:55 LOG7[462906:1]: SSL context initialized for service tssl
2009.01.21 16:42:55 LOG5[462906:1]: stunnel 4.26 on powerpc-ibm-aix5.3.0.0 with OpenSSL 0.9.8j 07 Jan 2009
2009.01.21 16:42:55 LOG5[462906:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2009.01.21 16:42:55 LOG6[462906:1]: file ulimit = 65534 (can be changed with 'ulimit -n')
2009.01.21 16:42:55 LOG6[462906:1]: poll() used - no FD_SETSIZE limit for file descriptors
2009.01.21 16:42:55 LOG5[462906:1]: 31999 clients allowed
2009.01.21 16:42:55 LOG7[462906:1]: FD 10 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 11 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 12 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: SO_REUSEADDR option set on accept socket
2009.01.21 16:42:55 LOG7[462906:1]: tssl bound to 0.0.0.0:992
2009.01.21 16:42:55 LOG7[540758:1]: No pid file being created
2009.01.21 16:43:17 LOG7[540758:1]: tssl accepted FD=0 from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: tssl started
2009.01.21 16:43:17 LOG7[540758:258]: FD 0 in non-blocking mode
2009.01.21 16:43:17 LOG7[540758:258]: Waiting for a libwrap process
2009.01.21 16:43:17 LOG7[540758:258]: Acquired libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Releasing libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Released libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: tssl permitted by libwrap from x.x.x.x:3532
2009.01.21 16:43:17 LOG5[540758:258]: tssl accepted connection from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): before/accept initialization
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write certificate A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server done A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client key exchange A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write change cipher spec A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: 1 items in the session cache
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects (SSL_connect())
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 client renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects (SSL_accept())
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 server renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache hits
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache misses
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache timeouts
2009.01.21 16:43:17 LOG6[540758:258]: SSL accepted: new session negotiated
2009.01.21 16:43:17 LOG6[540758:258]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2009.01.21 16:43:17 LOG7[540758:258]: bind#1: Invalid argument (22)
2009.01.21 16:43:17 LOG7[540758:258]: bind#2: Invalid argument (22)
2009.01.21 16:43:17 LOG6[540758:258]: Local mode child started (PID=639170)
2009.01.21 16:43:17 LOG7[540758:258]: Remote FD=13 initialized
2009.01.21 16:43:34 LOG7[540758:258]: Socket closed on read
2009.01.21 16:43:34 LOG7[540758:258]: SSL write shutdown
2009.01.21 16:43:34 LOG7[540758:258]: SSL alert (write): warning: close notify
2009.01.21 16:43:34 LOG6[540758:258]: SSL socket closed on SSL_shutdown
2009.01.21 16:43:34 LOG7[540758:258]: Socket write shutdown
2009.01.21 16:43:34 LOG5[540758:258]: Connection closed: 8360 bytes sent to SSL, 101 bytes sent to socket
2009.01.21 16:43:34 LOG7[540758:258]: tssl finished (0 left)
-------
Your help will be appreciated... Thank you.
________________________________
Tom Spence
AIX Sys Adm
ABIDES System Support
844th CS/SCBX
Pentagon - MD822
Hi Tom,
We use stunnel a lot (including on AIX). And I know that way back when, I was doing some testing with a similar setup and was never successful getting the "exec = telnetd" to work quite right when stunnel was running as a service.
I did some quick testing right now on one of our AIX boxes (using stunnel 4.22) and it doesn't work for me either. Everything looks fine when stunnel is started and the first connection comes along and works beautifully... But then stunnel dies after the connection is closed.
I assume you're using the exec = /usr/bin/telnetd option because you don't have telnetd enabled through inetd? We can't generally run telnetd either so I understand that requirement. But maybe you can get a waiver and leave it running behind a port that only accepts local connections?
_______________________________
Claus Lund
System Developer
Vermont Department of Taxes
802-828-3735
-----Original Message-----
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Spence, Thomas Civ 844 CS/SCBX
Sent: Wednesday, January 21, 2009 4:59 PM
To: stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: [stunnel-users] Stunnel 4.26 - AIX 5.3
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Hi Claus,
Exactly, you and I are using the same method. Right now I am running stunnel 3.24, which I have used for years without any problem. Yes, I do have telnetd enabled through inetd, like this:
telnet stream tcp6 nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a
We are using tcp-wrappers which is required.
Hope it helps...
Tom
-----Original Message-----
From: Lund, Claus [mailto:Claus.Lund@state.vt.us]
Sent: Thursday, January 22, 2009 8:00 AM
To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
If you're allowed to have the telnetd daemon available through inetd then you can just use "connect = localhost:23" instead of "exec = /usr/sbin/telnetd". That should work. A config file like this works on my end when telnetd is available through inetd:
cert = /etc/stunnel/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel_telnet.pid
;debug = 7
output = /tmp/stunnel.log

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;compression = zlib

[tssl]
accept = 7443
connect = localhost:23
-Claus
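The two configs in this thread differ in more than exec versus connect, so here is an added example (not stunnel's code and not from either poster) that parses the stunnel.conf format and flags the points the thread turns on: the exec service that dies after logoff, the missing chroot/setuid/setgid and empty pid in the first config, a connect target that is not loopback, and (a present-day check the thread predates) the SSLv3 setting. The two config texts are reconstructed from the messages above; the check wording is mine.

```python
"""Lint an stunnel.conf along the lines this thread compares.

Added example: a small parser for the stunnel.conf format (global options,
[service] sections, ';' comments, repeated keys, empty values) and checks
derived from the two configs posted in the thread.
"""

# Tom's original config (exec = telnetd, no privilege drop), reconstructed.
EXEC_CONF = """\
pid =
cert = /usr/local/ssl/private/stunnel.pem
output = stunnel.log
[tssl]
accept = 992
exec = /usr/sbin/telnetd
"""

# Claus's working config (connect to inetd's telnetd on loopback), reconstructed.
CONNECT_CONF = """\
cert = /etc/stunnel/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel_telnet.pid
;debug = 7
output = /tmp/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
[tssl]
accept = 7443
connect = localhost:23
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_stunnel_conf(text):
    """Return {section: {option: [values]}}; global options live under ''.

    Values are lists because stunnel allows options such as 'socket' to be
    repeated.  A bare 'pid =' yields an empty string, as in Tom's file.
    """
    conf = {"": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # new [service] section
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed stunnel.conf line: {raw!r}")
        key, _, value = line.partition("=")   # split on the first '=' only
        conf[section].setdefault(key.strip(), []).append(value.strip())
    return conf


def lint(conf):
    """Return a list of finding strings for a parsed config (empty = clean)."""
    findings = []
    g = conf[""]
    for opt in ("chroot", "setuid", "setgid"):
        if not g.get(opt):
            findings.append(f"global: '{opt}' not set, daemon keeps its start-up privileges")
    if not any(g.get("pid", [""])):
        findings.append("global: 'pid' empty, no pid file (the log shows 'No pid file being created')")
    for ver in g.get("sslVersion", []):
        if ver in ("all", "SSLv2", "SSLv3"):
            findings.append(f"global: sslVersion = {ver} enables a retired SSL protocol version")
    for name, svc in conf.items():
        if not name:
            continue
        if "accept" not in svc:
            findings.append(f"[{name}]: no 'accept', service never listens")
        if "exec" in svc:
            findings.append(f"[{name}]: 'exec' spawns a local-mode child per connection; "
                            "the thread reports the daemon dying after logoff with telnetd")
        for target in svc.get("connect", []):
            # 'connect = 23' means localhost:23; '[::1]:23' carries brackets.
            host = target.rsplit(":", 1)[0] if ":" in target else "localhost"
            if host.strip("[]") not in LOOPBACK:
                findings.append(f"[{name}]: connect = {target} sends plaintext off-host")
    return findings


if __name__ == "__main__":
    for label, text in (("exec config", EXEC_CONF), ("connect config", CONNECT_CONF)):
        print(f"== {label}")
        for finding in lint(parse_stunnel_conf(text)) or ["clean"]:
            print("  -", finding)
```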
-----Original Message-----
From: Spence, Thomas Civ 844 CS/SCBX [mailto:Thomas.Spence@pentagon.af.mil]
Sent: Thursday, January 22, 2009 8:13 AM
To: Lund, Claus; stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Claus,
It works perfectly!!! Why didn't I think of "localhost:23"... :-)
Thank you so much!!!
Tom
-----Original Message-----
From: Lund, Claus [mailto:Claus.Lund@state.vt.us]
Sent: Thursday, January 22, 2009 8:21 AM
To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce@mirt.net; stunnel-users@mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
If you're allowed to have the telnetd daemon available through inetd then you can just use "connect = localhost:23" instead of "exec = /usr/sbin/telnetd". That should work. A config file like this works on my end when telnetd is available through inetd:
cert = /etc/stunnel/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1) sslVersion = SSLv3
; Some security enhancements for UNIX systems - comment them out on Win32 chroot = /usr/local/var/lib/stunnel/ setuid = nobody setgid = nogroup ; PID is created inside chroot jail pid = /stunnel_telnet.pid ;debug = 7 output = /tmp/stunnel.log
; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1
;compression = zlib
[tssl] accept = 7443 connect = localhost:23
-Claus
-----Original Message----- From: Spence, Thomas Civ 844 CS/SCBX [mailto:Thomas.Spence@pentagon.af.mil] Sent: Thursday, January 22, 2009 8:13 AM To: Lund, Claus; stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Claus,
Exactly, you and I are the same method. Right now, I am using stunnel 3.24 for years that I have no problem with this one. Yes, I do have telnetd enable through inetd like this:
telnet stream tcp6 nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a
We are using tcp-wrappers which is required.
Hope it helps...
Tom
-----Original Message----- From: Lund, Claus [mailto:Claus.Lund@state.vt.us] Sent: Thursday, January 22, 2009 8:00 AM To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
We use stunnel a lot (including on AIX). And I know that way back when, I was doing some testing with a similar setup and was never successful getting the "exec = telnetd" to work quite right when stunnel was running as a service.
I did some quick testing right now on one of our AIX boxes (using stunnel 4.22) and it doesn't work for me either. Everything looks fine when stunnel is started and the first connection comes along and works beautifully... But then stunnel dies after the connection is closed.
I assume you're using the exec = /usr/bin/telnetd option because you don't have telnetd enabled through inetd? We can't generally run telnetd either so I understand that requirement. But maybe you can get a waiver and leave it running behind a port that only accepts local connections?
_______________________________ Claus Lund System Developer Vermont Department of Taxes 802-828-3735
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Spence, Thomas Civ 844 CS/SCBX Sent: Wednesday, January 21, 2009 4:59 PM To: stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: [stunnel-users] Stunnel 4.26 - AIX 5.3
Dear Users,
* I'm running Stunnel 4.26 as a service, but it dies on logoff...
* Could you tell me which one should I put comment "/* ... */" at stunnel.c or protocol.c so I want stunnel's daemon won't stop running.
* I am using stunnel.conf, like this: ------- pid = cert = /usr/local/ssl/private/stunnel.pem output = stunnel.log [tssl] accept = 992 exec = /usr/sbin/telnetd -------
* stunnel.log
-------
[/usr/local/etc/stunnel]# cat *.log
2009.01.21 16:42:54 LOG7[462906:1]: Snagged 64 random bytes from //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: Wrote 1024 new random bytes to //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: RAND_status claims sufficient entropy for the PRNG
2009.01.21 16:42:54 LOG7[462906:1]: PRNG seeded successfully
2009.01.21 16:42:55 LOG7[462906:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Certificate loaded
2009.01.21 16:42:55 LOG7[462906:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Private key loaded
2009.01.21 16:42:55 LOG7[462906:1]: SSL context initialized for service tssl
2009.01.21 16:42:55 LOG5[462906:1]: stunnel 4.26 on powerpc-ibm-aix5.3.0.0 with OpenSSL 0.9.8j 07 Jan 2009
2009.01.21 16:42:55 LOG5[462906:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2009.01.21 16:42:55 LOG6[462906:1]: file ulimit = 65534 (can be changed with 'ulimit -n')
2009.01.21 16:42:55 LOG6[462906:1]: poll() used - no FD_SETSIZE limit for file descriptors
2009.01.21 16:42:55 LOG5[462906:1]: 31999 clients allowed
2009.01.21 16:42:55 LOG7[462906:1]: FD 10 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 11 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 12 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: SO_REUSEADDR option set on accept socket
2009.01.21 16:42:55 LOG7[462906:1]: tssl bound to 0.0.0.0:992
2009.01.21 16:42:55 LOG7[540758:1]: No pid file being created
2009.01.21 16:43:17 LOG7[540758:1]: tssl accepted FD=0 from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: tssl started
2009.01.21 16:43:17 LOG7[540758:258]: FD 0 in non-blocking mode
2009.01.21 16:43:17 LOG7[540758:258]: Waiting for a libwrap process
2009.01.21 16:43:17 LOG7[540758:258]: Acquired libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Releasing libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Released libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: tssl permitted by libwrap from x.x.x.x:3532
2009.01.21 16:43:17 LOG5[540758:258]: tssl accepted connection from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): before/accept initialization
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write certificate A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server done A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client key exchange A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write change cipher spec A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: 1 items in the session cache
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects (SSL_connect())
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 client renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects (SSL_accept())
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 server renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache hits
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache misses
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache timeouts
2009.01.21 16:43:17 LOG6[540758:258]: SSL accepted: new session negotiated
2009.01.21 16:43:17 LOG6[540758:258]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2009.01.21 16:43:17 LOG7[540758:258]: bind#1: Invalid argument (22)
2009.01.21 16:43:17 LOG7[540758:258]: bind#2: Invalid argument (22)
2009.01.21 16:43:17 LOG6[540758:258]: Local mode child started (PID=639170)
2009.01.21 16:43:17 LOG7[540758:258]: Remote FD=13 initialized
2009.01.21 16:43:34 LOG7[540758:258]: Socket closed on read
2009.01.21 16:43:34 LOG7[540758:258]: SSL write shutdown
2009.01.21 16:43:34 LOG7[540758:258]: SSL alert (write): warning: close notify
2009.01.21 16:43:34 LOG6[540758:258]: SSL socket closed on SSL_shutdown
2009.01.21 16:43:34 LOG7[540758:258]: Socket write shutdown
2009.01.21 16:43:34 LOG5[540758:258]: Connection closed: 8360 bytes sent to SSL, 101 bytes sent to socket
2009.01.21 16:43:34 LOG7[540758:258]: tssl finished (0 left)
-------
Your help will be appreciated... Thank you.
________________________________ Tom Spence AIX Sys Adm ABIDES System Support 844th CS/SCBX Pentagon - MD822
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Claus,
After I type:
# stunnel
# ps -ef | grep stunnel
stunnel 295006 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 348182 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 454872 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 458864 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 589834 1 0 09:49:38 - 0:00 /usr/local/bin/stunnel
stunnel 634882 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
root 643180 463028 0 09:49:40 pts/2 0:00 grep stunnel
About 10 minutes later,
# ps -ef | grep stunnel
root 381102 463028 0 10:03:59 pts/2 0:00 grep stunnel
Any idea why? Must I have 'socket' in stunnel.conf? I took it off because I want it to run 24 hours/7 days...
Tom
-----Original Message----- From: Lund, Claus [mailto:Claus.Lund@state.vt.us] Sent: Thursday, January 22, 2009 8:21 AM To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
If you're allowed to have the telnetd daemon available through inetd then you can just use "connect = localhost:23" instead of "exec = /usr/sbin/telnetd". That should work. A config file like this works on my end when telnetd is available through inetd:
cert = /etc/stunnel/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel_telnet.pid
;debug = 7
output = /tmp/stunnel.log

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

;compression = zlib

[tssl]
accept = 7443
connect = localhost:23
-Claus
-----Original Message----- From: Spence, Thomas Civ 844 CS/SCBX [mailto:Thomas.Spence@pentagon.af.mil] Sent: Thursday, January 22, 2009 8:13 AM To: Lund, Claus; stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Claus,
Exactly, you and I use the same method. Right now I am using stunnel 3.24, which I have used for years without any problem. Yes, I do have telnetd enabled through inetd like this:
telnet stream tcp6 nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a
We are using tcp-wrappers which is required.
Hope it helps...
Tom
-----Original Message----- From: Lund, Claus [mailto:Claus.Lund@state.vt.us] Sent: Thursday, January 22, 2009 8:00 AM To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
We use stunnel a lot (including on AIX). And I know that way back when, I was doing some testing with a similar setup and was never successful getting the "exec = telnetd" to work quite right when stunnel was running as a service.
I did some quick testing right now on one of our AIX boxes (using stunnel 4.22) and it doesn't work for me either. Everything looks fine when stunnel is started and the first connection comes along and works beautifully... But then stunnel dies after the connection is closed.
I assume you're using the exec = /usr/bin/telnetd option because you don't have telnetd enabled through inetd? We can't generally run telnetd either so I understand that requirement. But maybe you can get a waiver and leave it running behind a port that only accepts local connections?
_______________________________ Claus Lund System Developer Vermont Department of Taxes 802-828-3735
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Spence, Thomas Civ 844 CS/SCBX Sent: Wednesday, January 21, 2009 4:59 PM To: stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: [stunnel-users] Stunnel 4.26 - AIX 5.3
Hi Tom,
I'm not sure why the stunnel process dies for you. I have several processes running using config files similar to what I included earlier. We generally create one config file per service. So if I were to run a TSSL service like you, I'd have a config file called /etc/stunnel/stunnel_tssl.conf ... and the service is started from /etc/inittab with a line like this:
stunnel_tssl:2:once:/usr/local/bin/stunnel /etc/stunnel/stunnel_tssl.conf >/dev/console
I haven't experienced any problems with the stunnel process not staying alive... And the process I started early this morning on my test box is still alive:
clund@prod-db-2:/home/clund $ ps -ef|grep stunnel
nobody 1233036 1 0 08:15:28 - 0:00 /usr/local/bin/stunnel /etc/stunnel/stunnel_tssl.conf
-Claus
____________________________________________ Claus Lund Systems Developer
Vermont Department of Taxes Information Systems 133 State Street Montpelier, Vermont 05633-1401 (802) 828-3735
-----Original Message----- From: Spence, Thomas Civ 844 CS/SCBX [mailto:Thomas.Spence@pentagon.af.mil] Sent: Thursday, January 22, 2009 10:26 AM To: Lund, Claus; stunnel-announce@mirt.net; stunnel-users@mirt.net Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Claus,
> I'm not sure why the stunnel process dies for you.

Maybe I am wrong, but I could imagine that this issue is related to the behaviour I described in my mail to this list (sent on the 10th of January).

> I have several processes running using config files similar to what I included earlier. We generally create one config file per service. So if I were to run a TSSL service like you, I'd have a config file called /etc/stunnel/stunnel_tssl.conf ... and the service is started from /etc/inittab with a line like this:
>
> stunnel_tssl:2:once:/usr/local/bin/stunnel /etc/stunnel/stunnel_tssl.conf >/dev/console
>
> I haven't experienced any problems with the stunnel process not staying alive... And the process I started early this morning on my test box is still alive:
>
> clund@prod-db-2:/home/clund $ ps -ef|grep stunnel
> nobody 1233036 1 0 08:15:28 - 0:00 /usr/local/bin/stunnel /etc/stunnel/stunnel_tssl.conf

I guess the initial /sbin/init is not connected to a terminal; thus the "tty" column is always empty in your setup. Could you try to run stunnel from a terminal instead?
Or am I completely off-track?
regards, Lars
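Lars's suggestion to look at the tty column, applied to the two `ps -ef | grep stunnel` listings Tom posted earlier in the thread. This is an added example, not code from anyone on the list: it parses AIX `ps -ef` output (assuming the column order UID PID PPID C STIME TTY TIME CMD seen in those listings), flags stunnel processes that still have a controlling terminal, and lists the PIDs that had disappeared by the second snapshot.

```python
"""Check 'ps -ef' snapshots of stunnel for a controlling terminal.

Added example, not code from anyone in the thread. It applies Lars's
suggestion (look at the TTY column) to the two 'ps -ef | grep stunnel'
listings Tom posted, and reports which stunnel processes were attached
to a login terminal (pts/2), which were detached ('-'), and which PIDs
were gone in the second snapshot taken about ten minutes later.
"""
from dataclasses import dataclass
from typing import Dict, List

# Tom's two listings, copied from the thread. AIX 'ps -ef' columns are:
# UID PID PPID C STIME TTY TIME CMD
PS_BEFORE = """\
stunnel 295006 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 348182 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 454872 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 458864 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 589834 1 0 09:49:38 - 0:00 /usr/local/bin/stunnel
stunnel 634882 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
root 643180 463028 0 09:49:40 pts/2 0:00 grep stunnel
"""
PS_AFTER = """\
root 381102 463028 0 10:03:59 pts/2 0:00 grep stunnel
"""
# Claus's listing of a daemon started from /etc/inittab: no terminal at all.
PS_CLAUS = """\
nobody 1233036 1 0 08:15:28 - 0:00 /usr/local/bin/stunnel /etc/stunnel/stunnel_tssl.conf
"""


@dataclass
class Proc:
    uid: str
    pid: int
    ppid: int
    tty: str  # "-" means the process has no controlling terminal
    cmd: str


def parse_ps_ef(listing: str, name: str = "stunnel") -> List[Proc]:
    """Return the processes whose command line mentions `name`, skipping the
    'grep' that produced the listing and any header or blank lines."""
    procs: List[Proc] = []
    for line in listing.splitlines():
        fields = line.split(None, 7)  # CMD may contain spaces: keep it whole
        if len(fields) < 8 or fields[7].startswith("grep "):
            continue
        if name in fields[7]:
            procs.append(Proc(fields[0], int(fields[1]), int(fields[2]),
                              fields[5], fields[7]))
    return procs


def attached_to_terminal(procs: List[Proc]) -> List[Proc]:
    """Daemons that still show a terminal in the TTY column were started from
    a login shell and never detached, so they belong to that login session."""
    return [p for p in procs if p.tty != "-"]


def vanished(before: List[Proc], after: List[Proc]) -> List[int]:
    """PIDs present in the first snapshot but missing from the second."""
    later = {p.pid for p in after}
    return sorted(p.pid for p in before if p.pid not in later)


def report(before: str, after: str) -> Dict[str, object]:
    """Summarise both snapshots for a quick health check."""
    b, a = parse_ps_ef(before), parse_ps_ef(after)
    return {
        "total": len(b),
        "with_tty": sorted(p.pid for p in attached_to_terminal(b)),
        "detached": sorted(p.pid for p in b if p.tty == "-"),
        "vanished": vanished(b, a),
        "still_running": len(a),
    }


if __name__ == "__main__":
    for key, value in report(PS_BEFORE, PS_AFTER).items():
        print(f"{key:>14}: {value}")
    print("Claus's daemon tty:", [p.tty for p in parse_ps_ef(PS_CLAUS)])
```

On Tom's listings the check shows five of the six stunnel processes attached to pts/2 and all six gone ten minutes later, while Claus's inittab-started daemon has no terminal at all.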
Hi Lars,
I checked out your previous mails... And I don't know if it's related. I haven't dived into the code or done any extensive testing to try to figure out why Stunnel was failing when using "exec = ...". And I haven't had any problems when using it the way we do.
> Could you try to run stunnel from a terminal instead?
I can (and did yesterday when I was helping Tom) ... but I'm not entirely sure what you'd like me to test :-)
-Claus
____________________________________________ Claus Lund Systems Developer
Vermont Department of Taxes Information Systems 133 State Street Montpelier, Vermont 05633-1401 (802) 828-3735
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Lars Kruse Sent: Thursday, January 22, 2009 4:17 PM To: stunnel-users@mirt.net Subject: Re: [stunnel-users] Stunnel 4.26 - AIX 5.3
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of stephan.w.schindehette@jpmchase.com Sent: Thursday, January 22, 2009 4:41 PM To: stunnel-users@mirt.net Subject: Re: [stunnel-users] Stunnel 4.26 - AIX 5.3
I'm running into the same issue on one of our AIX boxes (using stunnel 4.22). Everything looks fine when stunnel is started. The first connection comes along and everything works properly. But then stunnel dies after the connection is closed.
I'm working with ldaps instead of tssl. I tried to equate the "connect = localhost:23" solution in the previous e-mails to my situation, but wasn't having any success.
My config file currently includes:

[ldaps]
accept = 127.0.0.1:636
connect = entldap.jpmchase.net:636
TIMEOUTclose = 0
Any suggestions?
-Stephan
------------------------------------------------------ Stephan Schindehette JPMorgan Chase Consumer Risk Modeling & Analytics (614) 213-6622 ________________________________
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>Hi Stephan,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>I have done some testing in the past with using stunnel to wrap LDAP traffic … and I seem to remember that it worked just fine (we never switched to using it though so I may just remember wrong).<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>Can you post your entire config file? And maybe also a log file with debug level logging?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'>-Claus<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"; color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] <b>On Behalf Of </b>stephan.w.schindehette@jpmchase.com<br> <b>Sent:</b> Thursday, January 22, 2009 4:41 PM<br> <b>To:</b> stunnel-users@mirt.net<br> <b>Subject:</b> Re: [stunnel-users] Stunnel 4.26 - AIX 5.3<o:p></o:p></span></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I'm running into the same issue on one of our AIX boxes (using stunnel 4.22). Everything looks fine when stunnel is started. The first connection comes along and everything works properly. But then stunnel dies after the connection is closed.</span> <br> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I'm working with ldaps instead of tssl. I tried to equate the "connect = localhost:23" solution in the previous e-mails to my situation, but wasn't having any success.</span> <br> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>My config files currently includes:</span> <br> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>[ldaps]</span> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>accept = 127.0.0.1:636</span> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>connect = entldap.jpmchase.net:636</span> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>TIMEOUTclose = 0</span> <br> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Any suggestions?</span> <br> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>-Stephan</span> <br> <br> <span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>------------------------------------------------------<br> Stephan Schindehette<br> JPMorgan Chase<br> Consumer Risk Modeling & Analytics<br> (614) 213-6622</span><o:p></o:p></p>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=1 width="100%" align=center>
</div>
<p>This communication is for informational purposes only. It is not intended as an offer or solicitation for the purchase or sale of any financial instrument or as an official confirmation of any transaction. All market prices, data and other information are not warranted as to completeness or accuracy and are subject to change without notice. Any comments or statements made herein do not necessarily reflect those of JPMorgan Chase & Co., its subsidiaries and affiliates. This transmission may contain information that is privileged, confidential, legally privileged, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by JPMorgan Chase & Co., its subsidiaries and affiliates, as applicable, for any loss or damage arising in any way from its use. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. Please refer to http://www.jpmorgan.com/pages/disclosures for disclosures relating to UK legal entities. <o:p></o:p></p>
</div>
</body>
</html>
Hi Claus,
Am Fri, 23 Jan 2009 07:55:05 -0500 schrieb "Lund, Claus" Claus.Lund@state.vt.us:
> I checked out your previous mails... And I don't know if it's related. I haven't dived into the code or done any extensive testing to try to figure out why Stunnel was failing when using "exec = ...". And I haven't had any problems when using it the way we do.
The "exec" issue is not the point that was problematic for me. The problem is the still-open stdout/stderr file handle. See my mail from the 10th of January for details.
> > Could you try to run stunnel from a terminal instead?
> I can (and did yesterday when I was helping Tom) ... but I'm not entirely sure what you'd like me to test :-)
I did the following:
1) running stunnel 4.20 (no separate libwrap): The stunnel processes are properly disconnected from stdout/stderr. See the output of "ps" - especially the "tty" column.
2) running stunnel 4.21 (with libwrap): The stunnel processes (except for one) are still connected to stdout/stderr. This can cause programs to hang (e.g. the cryptonas Python code that I referred to was waiting forever for the daemon process to finish/disconnect - with 4.20 it worked).
3) running stunnel 4.21 (disabled libwrap): The stunnel processes are disconnected from stdout/stderr. It behaves just like 4.20 - no hang or other problems.
If you notice the above behaviour (2) for 4.21 (or later) with libwrap enabled, then I guess this is a problem, isn't it? At least, I expected stunnel to disconnect completely from the terminal when entering daemon mode. If my expectations are flawed here, then we all can safely ignore this non-issue :)
thanks for your time! Lars
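Lars's item (2) describes a wrapper that waits forever because a forked helper process still holds the daemon's stdout/stderr. The following Python program is an added illustration of that mechanism and is not stunnel's code or anything posted in this thread: a constructed stand-in daemon (HELPER_DAEMON, a name chosen here) forks a long-lived helper and either lets it inherit the caller's pipe or redirects descriptors 0-2 to /dev/null first, while the caller measures whether EOF ever arrives on the pipe. It assumes a POSIX system with os.fork and /dev/null.

```python
import os
import selectors
import signal
import subprocess
import sys
import time

# Constructed stand-in for a daemon that forks helper processes (not stunnel).
# Argument "keep": the helper inherits the caller's stdout/stderr pipe, the
# behaviour Lars reports for 4.21 with libwrap. Argument "close": the helper
# points fds 0-2 at /dev/null before it carries on, as a detached daemon
# process is expected to do.
HELPER_DAEMON = r'''
import os, sys, time
keep_fds = (sys.argv[1] == "keep")
pid = os.fork()
if pid == 0:                                  # helper process, stays alive
    os.setsid()                               # new session, no controlling tty
    if not keep_fds:
        devnull = os.open(os.devnull, os.O_RDWR)
        for fd in (0, 1, 2):
            os.dup2(devnull, fd)              # drop the inherited pipe
        os.close(devnull)
    time.sleep(30)
    os._exit(0)
sys.stdout.write("helper %d\n" % pid)         # report the helper's pid
sys.stdout.flush()
os._exit(0)                                   # foreground process returns at once
'''


def wait_for_eof(keep_fds, timeout=1.0):
    """Start the stand-in daemon with stdout/stderr on a pipe, as a wrapper
    script would, and wait for EOF on that pipe.
    Returns (eof_seen, helper_pid)."""
    mode = "keep" if keep_fds else "close"
    proc = subprocess.Popen([sys.executable, "-c", HELPER_DAEMON, mode],
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    sel = selectors.DefaultSelector()
    sel.register(proc.stdout, selectors.EVENT_READ)
    deadline = time.monotonic() + timeout
    data, eof_seen = b"", False
    while not eof_seen:
        remaining = deadline - time.monotonic()
        if remaining <= 0 or not sel.select(timeout=remaining):
            break                              # timed out: some process still holds the pipe
        chunk = os.read(proc.stdout.fileno(), 4096)
        if chunk == b"":
            eof_seen = True                    # every writer has closed its end
        data += chunk
    sel.close()
    proc.stdout.close()
    proc.wait()                                # the foreground process exited long ago

    # Clean up the sleeping helper so the demo leaves nothing behind.
    parts = data.split()
    helper_pid = int(parts[1]) if len(parts) >= 2 and parts[0] == b"helper" else None
    if helper_pid is not None:
        try:
            os.kill(helper_pid, signal.SIGTERM)
        except ProcessLookupError:
            pass
    return eof_seen, helper_pid


if __name__ == "__main__":
    for keep in (False, True):
        eof, _ = wait_for_eof(keep)
        print("helper %s its stdout/stderr: EOF seen = %s"
              % ("keeps" if keep else "closes", eof))
```

Run stand-alone it reports EOF seen = True for the closing variant and False for the keeping one: the foreground process has long exited, but the pipe stays open as long as any descendant holds a descriptor on it, which is exactly what a wrapper waiting for "the daemon to finish/disconnect" trips over. Where Lars read the tty column of ps to spot processes still attached to the terminal, the descriptors themselves can be listed with lsof -p <pid> (or /proc/<pid>/fd on Linux); a daemon is expected to close or redirect all three standard descriptors before it forks helpers, so whoever started it can treat EOF on the pipe as "daemon detached".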
Ah! Well, I build stunnel with: --disable-libwrap :-)
-Claus
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Lars Kruse Sent: Saturday, January 24, 2009 12:16 PM To: stunnel-users@mirt.net Subject: Re: [stunnel-users] Stunnel 4.26 - AIX 5.3
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users