Dear Users,
I have released version 5.20 of stunnel.
The ChangeLog entry:
Version 5.20, 2015.07.09, urgency: HIGH
* Security bugfixes
  - OpenSSL DLLs updated to version 1.0.2d.
    https://www.openssl.org/news/secadv_20150709.txt
* New features
  - poll(2) re-enabled on MacOS X 10.5 and later.
  - Xcode SDK is automatically used on MacOS X if no other locally installed OpenSSL directory is found.
  - The SSL library detection algorithm was made a bit smarter.
  - Warnings about insecure authentication were modified to include the name of the affected service section.
  - A warning was added to stunnel.init if no pid file was specified in the configuration file (thx to Peter Pentchev).
  - Optional debugging symbols are included in the Win32 installer.
  - Documentation updates (closes Debian bug #781669).
* Bugfixes
  - Signal pipe reinitialization added to prevent turning the main accepting thread into a busy wait loop when an external condition breaks the signal pipe. This bug was found to surface on Win32, but other platforms may also be affected.
  - Fixed removing the disabled taskbar icon.
  - Generated temporary DH parameters are used for configuration reload instead of the static defaults.
  - LSB compatibility fixes added to the stunnel.init script (thx to Peter Pentchev).
  - Fixed the manual page headers (thx to Gleydson Soares).

Home page: https://www.stunnel.org/
Download: https://www.stunnel.org/downloads.html

SHA-256 hashes:
4a36a3729a7287d9d82c4b38bf72c4d3496346cb969b86129c5deac22b20292b stunnel-5.20.tar.gz
9d9d38241e972713cd0937e2cf66fdacf3adcb357fbea82d8e46648de4e26fa4 stunnel-5.20-installer.exe
cfc1e94cb7c7bf14c832ac8799db4a3438ae7542aa04ec5e9c6695a1a3c3843d stunnel-5.20-android.zip

Best regards,
Mike
Thank you Mike for sharing the update! Actually I was trying to install 5.20 on Mac OS using the executable provided by you on the website, but I am getting the below error while installing. It is giving me an error for a missing configuration file, and when I investigated at the path (/etc/stunnel/stunnel.conf), there was no stunnel folder only.
Also please let me know if I need to install OpenSSL before installing this executable. Thank you.
Installation Logs-->
MobileLab:Downloads sahnilsurana$ ./stunnel-5.20b8-osx
[ ] Cron started
[ ] Clients allowed=500
[.] stunnel 5.20 on x86_64-apple-darwin14.3.0 platform
[.] Compiled with OpenSSL 0.9.8zd 8 Jan 2015
[.] Running with OpenSSL 0.9.8za 5 Jun 2014
[.] Update OpenSSL shared libraries or rebuild stunnel
[.] Threading:PTHREAD Sockets:SELECT,IPv6 TLS:ENGINE,OCSP
[ ] errno: (*__error())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[!] Cannot open configuration file
[.]
[.] Syntax:
[.] stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
[.] <filename> - use specified config file
[.] -fd <n> - read the config file from a file descriptor
[.] -help - get config file help
[.] -version - display version and defaults
[.] -sockets - display default socket options
Regards, Saurabh Beriwal
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On 12.07.2015 07:20, Saurabh Beriwal wrote:
> Thank you Mike for sharing the update! Actually I was trying to install 5.20 on Mac OS using the executable provided by you on the website, but I am getting the below error while installing. It is giving me an error for a missing configuration file, and when I investigated at the path (/etc/stunnel/stunnel.conf), there was no stunnel folder only.
Yes, stunnel needs a configuration file to work. It is probably a good time for you to read the fine manual at https://www.stunnel.org/static/stunnel.html
> Also please let me know if I need to install OpenSSL before installing this executable. Thank you.
No, you don't need to install an additional OpenSSL library on your OSX.
> [.] Syntax:
> [.] stunnel [<filename>] ] -fd <n> | -help | -version | -sockets
> [.] <filename> - use specified config file
This is where it tells you how to specify the configuration file name.
Mike
Thank you Michal for the explanation. Now I am able to load configuration file successfully but I am getting error in creating the connection so I just wanted to know the path where I can see the log file. Also is it possible to change .pem file with this executable?
Hi Michal,
Thank you for your help! I was able to create a connection through stunnel. However, I am not sure how to start and stop services using the stunnel-5.20b8-osx (https://www.stunnel.org/downloads/stunnel-5.20b8-osx) executable. I am new to Mac OS, so I am not aware if there is any standard process for files with this extension. Also, this executable works fine on my Mac machine, but I still wanted to know if there is any requirement for this to work.
Regards, Saurabh Beriwal
Hi Michal,
I know, I am asking too many questions, but I am again stuck. Actually, now everything is working fine if I provide an absolute path for stunnel.pem in the configuration file, but as per my requirement, I don't want to be dependent on an absolute file path and want to generate it dynamically, but I am not able to understand how to do this. Please help.
On 15.07.2015 19:07, Saurabh Beriwal wrote:
> Actually, now everything is working fine if I provide an absolute path for stunnel.pem in the configuration file, but as per my requirement, I don't want to be dependent on an absolute file path and want to generate it dynamically, but I am not able to understand how to do this. Please help.
The following example illustrates using dynamic configuration files:
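#!/bin/bash
REMOTE_HOST="www.stunnel.org:443"
echo "client script connecting $REMOTE_HOST"
# Redirections apply left to right: save stdin on fd 11, attach the
# here-document to fd 10, restore stdin on fd 0, then close fd 11.
stunnel -fd 10 11<&0 <<EOT 10<&0 0<&11 11<&-
client=yes
connect=$REMOTE_HOST
EOT
echo "client script finished"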
Mike
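Added example, not part of Mike's reply or of stunnel itself: the same -fd hand-off applied to the question above, with the stunnel.pem path computed from the script's own location and the generated values checked before they reach the configuration. The [tunnel] section name, the 127.0.0.1:8080 accept address and the render_config/start_tunnel helpers are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumptions: stunnel.pem sits next
# to this script; the [tunnel] section name and accept address are placeholders.

NL='
'

# Print a client-mode configuration on stdout.
#   $1 = absolute directory holding stunnel.pem    $2 = remote host:port
render_config() {
    dir=$1 remote=$2 pem=$1/stunnel.pem

    # Both values are pasted into the configuration verbatim, so refuse
    # anything that could begin a new line and add options of its own.
    case $dir in
        *"$NL"*) echo "directory contains a newline" >&2; return 1 ;;
        /*) ;;
        *) echo "directory must be absolute: $dir" >&2; return 1 ;;
    esac
    case $remote in
        *[!A-Za-z0-9.:-]*) echo "bad character in remote endpoint" >&2; return 1 ;;
        ?*:?*) ;;
        *) echo "remote endpoint must be host:port" >&2; return 1 ;;
    esac
    case ${remote##*:} in
        *[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac

    [ -f "$pem" ] || { echo "missing $pem" >&2; return 1; }
    # The file holds a private key: refuse it if group or others can read it.
    if [ -n "$(find "$pem" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "refusing group/world-readable $pem" >&2
        return 1
    fi

    cat <<EOT
[tunnel]
client = yes
accept = 127.0.0.1:8080
connect = $remote
cert = $pem
EOT
}

# Locate this script's directory, build the configuration and pass it to
# stunnel on fd 0 (the -fd <n> option from the syntax help quoted earlier).
start_tunnel() {
    here=$(cd "$(dirname "$0")" && pwd) || return 1
    conf=$(render_config "$here" "$1") || return 1
    printf '%s\n' "$conf" | stunnel -fd 0
}

# Runs only on request, e.g.:  ./tunnel.sh start www.stunnel.org:443
if [ "${1:-}" = "start" ]; then
    start_tunnel "${2:-}"
fi
```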
Hi,
I am unable to compile stunnel 5.20 against openssl 1.0.2d (or even 1.0.2c). There is a compilation error at some point.
cron.c:151: warning: conflicting types for 'cron_dh_param'
cron.c:151: error: static declaration of 'cron_dh_param' follows non-static declaration
cron.c:131: error: previous implicit declaration of 'cron_dh_param' was here
cron.c: In function 'cron_dh_param':
I'm on RHEL 5.10. No issues with stunnel 5.19 with either openssl versions.
Thanks.
On 14.07.2015 16:24, Philippe Anctil wrote:
> I am unable to compile stunnel 5.20 against openssl 1.0.2d (or even 1.0.2c). There is a compilation error at some point.
> cron.c:151: warning: conflicting types for 'cron_dh_param'
Did you configure stunnel with "--with-threads=fork"? It is broken in stunnel 5.20. It is also a bad idea in general.
Otherwise, please send me your config.log.
Mike
Yes I compile with fork.
We have been using that for a very long time. In the 7-8 years range if not a few years more. In the past we decided to use fork to sidestep leaks. We process astronomical numbers of transactions each year on a 24/7 basis and never had any problems.
Can you expand a bit on why it is a bad idea?
Thanks.
On 15.07.2015 16:35, Philippe Anctil wrote:
> Yes I compile with fork.
> We have been using that for a very long time. In the 7-8 years range if not a few years more. In the past we decided to use fork to sidestep leaks. We process astronomical numbers of transactions each year on a 24/7 basis and never had any problems.
> Can you expand a bit on why it is a bad idea?
A few reasons off the top of my head:
1. Posix/windows threads are required for session cache, which is a major performance improvement. With fork, stunnel needs to negotiate a new TLS session on each TCP connection with the same peer.
2. Posix/windows threads are required for DH parameter regenerations.
3. Fork is not the default compilation option and it doesn't get nearly as much testing as posix/windows threads.
Mike