My current compile-install-configure-run environment is broken with 4.30.
Up to 4.29 stunnel is working ok for me. 4.30 compiles, installs but when running it (I simply start /opt/ssl/bin/stunnel) the behaviour is completely different. Up to version 4.29 the program simply starts and logs to syslog:
root@bongo opt]# /opt/ssl/bin/stunnel
root@bongo opt]# grep stunnel /var/log/maillog
Jan 27 21:38:25 bongo stunnel: LOG5[31985:16384]: stunnel 4.29 on i686-pc-linux-gnu with OpenSSL 0.9.8l 5 Nov 2009
Jan 27 21:38:25 bongo stunnel: LOG5[31985:16384]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
Jan 27 21:38:25 bongo stunnel: LOG6[31985:16384]: file ulimit = 1024 (can be changed with 'ulimit -n')
Jan 27 21:38:25 bongo stunnel: LOG6[31985:16384]: poll() used - no FD_SETSIZE limit for file descriptors
Jan 27 21:38:25 bongo stunnel: LOG5[31985:16384]: 500 clients allowed
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 9 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 10 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 11 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: SO_REUSEADDR option set on accept socket
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: imaps bound to 0.0.0.0:993
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 12 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: SO_REUSEADDR option set on accept socket
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: pop3s bound to 0.0.0.0:995
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 13 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: SO_REUSEADDR option set on accept socket
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: arcorpop3 bound to 127.0.0.1:3003
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 14 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: SO_REUSEADDR option set on accept socket
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: bnvhpop3 bound to 127.0.0.1:3004
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 15 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: SO_REUSEADDR option set on accept socket
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: netidpop3 bound to 127.0.0.1:3005
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: FD 16 in non-blocking mode
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: SO_REUSEADDR option set on accept socket
Jan 27 21:38:25 bongo stunnel: LOG7[31985:16384]: icybolt bound to 127.0.0.1:3006
Jan 27 21:38:25 bongo stunnel: LOG7[31991:16384]: Created pid file /var/run/stunnel.pid
With 4.30 I get lots of messages to the console and stunnel does not fork into background - where is the magic to get the old behaviour with 4.30? At the end stunnel reports: daemon: No such file or directory (2)
root@bongo opt]# /opt/ssl/bin/stunnel
Reading configuration from file /etc/ssl/stunnel/stunnel.conf
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /etc/ssl/stunnel/freakout.pem
Certificate loaded
Key file: /etc/ssl/stunnel/freakout.key
Private key loaded
SSL context initialized for service imaps
Certificate: /etc/ssl/stunnel/freakout.pem
Certificate loaded
Key file: /etc/ssl/stunnel/freakout.key
Private key loaded
SSL context initialized for service pop3s
SSL context initialized for service arcorpop3
SSL context initialized for service bnvhpop3
SSL context initialized for service netidpop3
SSL context initialized for service icybolt
Configuration successful
No limit detected for the number of clients
FD=8 in non-blocking mode
FD=9 in non-blocking mode
FD=10 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Service imaps bound to 0.0.0.0:993
Service imaps opened FD=10
FD=11 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Service pop3s bound to 0.0.0.0:995
Service pop3s opened FD=11
FD=12 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Service arcorpop3 bound to 127.0.0.1:3003
Service arcorpop3 opened FD=12
FD=13 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Service bnvhpop3 bound to 127.0.0.1:3004
Service bnvhpop3 opened FD=13
FD=14 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Service netidpop3 bound to 127.0.0.1:3005
Service netidpop3 opened FD=14
FD=15 in non-blocking mode
Option SO_REUSEADDR set on accept socket
Service icybolt bound to 127.0.0.1:3006
Service icybolt opened FD=15
Created pid file /var/run/stunnel.pid
daemon: No such file or directory (2)
removing pid file /var/run/stunnel.pid
Axel
Axel Reinhold wrote:
root@bongo opt]# /opt/ssl/bin/stunnel
[cut]
daemon: No such file or directory (2) removing pid file /var/run/stunnel.pid
That's interesting. I couldn't reproduce it.
Could you install the strace tool and then execute: strace -f -o /tmp/stunnel.log /opt/ssl/bin/stunnel , and then send us the output of /tmp/stunnel.log?
Mike
Eric Wong normalperson@yhbt.net wrote:
Mike wrote:
Axel Reinhold wrote:
root@bongo opt]# /opt/ssl/bin/stunnel
[cut]
daemon: No such file or directory (2) removing pid file /var/run/stunnel.pid
[cut]
Using a chroot + daemonizing seems to be the problem, creating /dev/null inside the chroot as a workaround seems to work. However, 4.26 (and probably other non-4.30 versions) worked without needing /dev/null inside the chroot.
Using CentOS 5.4, glibc 2.5 so the daemon() function is available.
There was also a problem with the pid file inside the chroot pointing to an invalid pid.
I've reordered the initialization methods in the below patch which fixes both daemonization and pid files being broken with chroots.
*** /dev/fd/63 2010-01-28 18:05:31.386566649 -0800 --- src/stunnel.c 2010-01-28 17:43:27.000000000 -0800 *************** *** 88,93 **** --- 88,94 ---- ssl_init(); /* initialize SSL library */ sthreads_init(); /* initialize critical sections & SSL callbacks */ parse_commandline(arg1, arg2); + log_open();
#ifdef USE_FIPS if(options.option.fips) { *************** *** 116,135 **** if(!bind_ports()) die(1);
- #ifdef HAVE_CHROOT - change_root(); - #endif /* HAVE_CHROOT */ - #if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2) - drop_privileges(); if(service_options.next) { /* there are service sections -> daemon mode */ - create_pid(); if(!(global_options.option.foreground)) daemonize(); } #endif /* standard Unix */
- log_open(); stunnel_info(); }
--- 117,134 ---- if(!bind_ports()) die(1);
#if !defined(USE_WIN32) && !defined(__vms) && !defined(USE_OS2) if(service_options.next) { /* there are service sections -> daemon mode */ if(!(global_options.option.foreground)) daemonize(); + #ifdef HAVE_CHROOT + change_root(); + #endif /* HAVE_CHROOT */ + drop_privileges(); + create_pid(); } #endif /* standard Unix */
stunnel_info(); }
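Review bot: in the first hunk (88,93), log_open() now runs right after parse_commandline(), before change_root(), so a file log path is resolved against the real filesystem and only the already-open descriptor is carried into the jail; a later reopen (the SIGHUP rotation or a log file rename mentioned in this thread) would then look for that path inside the chroot and fail. Either defer log_open() until after change_root(), or state in the docs that the configured log path must exist inside the jail.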
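Review bot: in the second hunk (116,135), change_root() and drop_privileges() move from running unconditionally under the Unix #if to running only inside `if(service_options.next) {`, so the no-service-section (inetd-style) path no longer chroots or drops privileges at all, which the removed `- change_root();` / `- drop_privileges();` lines did for every mode. Keep the daemonize() call conditional but hoist the other two back out of the block, e.g. `if(service_options.next && !global_options.option.foreground) daemonize();` followed by the unconditional change_root()/drop_privileges(), and only then the conditional create_pid(). Separately, create_pid() now runs after drop_privileges() inside the jail, so the pid file directory has to exist in the chroot and be writable by the unprivileged user; worth a note in the changelog since existing configs with an absolute pid path outside the jail will silently start failing.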
Eric Wong wrote:
I've reordered the initialization methods in the below patch which fixes both daemonization and pid files being broken with chroots.
I think I found the solution: ftp://stunnel.mirt.net/stunnel/startup.patch
Also log file is now created within chrooted directory to allow log file rotation on SIGHUP, and also changing log file name without stopping stunnel.
Mike
Michal Trojnara Michal.Trojnara@mirt.net wrote:
Eric Wong wrote:
I've reordered the initialization methods in the below patch which fixes both daemonization and pid files being broken with chroots.
I think I found the solution: ftp://stunnel.mirt.net/stunnel/startup.patch
Also log file is now created within chrooted directory to allow log file rotation on SIGHUP, and also changing log file name without stopping stunnel.
There's still a problem, it now creates the pid file before daemonizing, which makes the pid file invalid.
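The two failure modes argued over in this thread (glibc's daemon() needing /dev/null after chroot() has hidden it, and a pid file written before the fork recording a pid that no longer exists) come down to the order of the startup steps. The following is an added example, not stunnel's code or any patch from this thread: a minimal Unix daemon startup that opens /dev/null before the chroot, forks and setsid()s, only then enters the jail and drops privileges, and writes the pid file last so it holds the surviving child's pid. The jail path, pid file path and the unprivileged uid/gid are constructed placeholders.

```c
/* Added example: safe ordering for a chrooted, privilege-dropping daemon.
 * Order: open /dev/null -> fork/setsid -> chroot -> setgid/setuid -> pid file.
 * Not stunnel's code; paths and ids below are placeholders. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open /dev/null while the real root filesystem is still visible. The
 * descriptor survives chroot(), so stdio can be redirected later without a
 * /dev/null node inside the jail. Returns the fd, or -1 on error. */
int open_devnull(void) {
    return open("/dev/null", O_RDWR);
}

/* Double-fork daemonization using a pre-opened /dev/null descriptor.
 * Returns 0 in the surviving daemon process, -1 on error; parents exit. */
int daemonize(int nullfd) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid > 0) _exit(0);            /* original parent: done */
    if (setsid() < 0) return -1;      /* new session, no controlling tty */
    pid = fork();
    if (pid < 0) return -1;
    if (pid > 0) _exit(0);            /* session leader exits, grandchild stays */
    if (chdir("/") < 0) return -1;
    umask(022);
    if (dup2(nullfd, STDIN_FILENO) < 0 || dup2(nullfd, STDOUT_FILENO) < 0 ||
        dup2(nullfd, STDERR_FILENO) < 0)
        return -1;
    if (nullfd > STDERR_FILENO) close(nullfd);
    return 0;
}

/* Enter the jail, then drop to the unprivileged gid/uid (gid first, since
 * setuid() gives up the right to change groups). Runs after daemonize() so
 * the forks need nothing from inside the jail, and before the pid file is
 * written so that file ends up inside the jail, owned by the service user. */
int change_root_and_drop(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) < 0 || chdir("/") < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return 0;
}

/* Record the caller's own pid. Called only after the final fork, so the file
 * names the daemon, not the parent that already exited. Returns 0 or -1. */
int write_pid_file(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = fprintf(f, "%ld\n", (long)getpid()) > 0 ? 0 : -1;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Read a pid file back; returns the pid, or -1 if missing or unparseable. */
long read_pid_file(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long pid = -1;
    if (fscanf(f, "%ld", &pid) != 1) pid = -1;
    fclose(f);
    return pid;
}

/* Health check for the "pid file points at a dead pid" symptom: signal 0
 * probes for existence without delivering anything; EPERM still means the
 * process is alive. Returns 1 if live, 0 otherwise. */
int pid_file_is_live(const char *path) {
    long pid = read_pid_file(path);
    if (pid <= 0) return 0;
    if (kill((pid_t)pid, 0) == 0) return 1;
    return errno == EPERM;
}

int main(void) {
    int nullfd = open_devnull();
    if (nullfd < 0) { perror("open /dev/null"); return 1; }
    if (daemonize(nullfd) < 0) return 1;
    /* Placeholder jail and ids; a real service takes these from its config. */
    if (change_root_and_drop("/var/empty", 65534, 65534) < 0) return 1;
    if (write_pid_file("/run/example.pid") < 0) return 1;   /* path inside jail */
    pause();                            /* stand in for the service loop */
    return 0;
}
```

Running main() needs root (for chroot and the id change) and a jail directory containing a writable /run; the individual steps are plain functions so the pid file round trip and the /dev/null pre-open can be exercised without privileges. pid_file_is_live() is the check an init script or monitor would run to catch the stale-pid problem described above before it turns into a failed restart.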