Windows 10 LTSC (1089): "The Stunnel TLS wrapper service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly."
It looks like, starting with version 5.61, the above error appears in the System Event log. I've given a quick glance at the changes from 5.60 to 5.61 and there are a lot of them.
From the release notes, it seems that the Windows services code might have been affected:
New features for the Windows platform
- Added client mode allowing authenticated users to view logs, reconfigure and terminate running stunnel services.
- Added support for multiple GUI and service instances distinguished by the location of stunnel.conf.
On GitHub, I also noticed that in the source code for src/ui_win_gui.c the service is created as follows:
    service=CreateService(scm, SERVICE_NAME, SERVICE_DISPLAY_NAME,
        SERVICE_ALL_ACCESS,
        SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,
        SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, service_path,
        NULL, NULL, TEXT("TCPIP\0"), NULL, NULL);

(ui_win_gui.c at around line 1622)
The SERVICE_INTERACTIVE_PROCESS flag is set.
Is this flag necessary? I guess that would be the culprit.
My reason to upgrade is the CVE-2022-0778 OpenSSL vulnerability.
Does anyone have a workaround for this?
Microsoft has fully disabled Interactive Service Detection starting with Windows 10 Build 1803 and Windows Server 2016 and 2019. So it looks like interactive services are no longer allowed, and this can't be circumvented by changing some registry setting as it seems was possible before.
thank you
Hi Robert,
If your only reason to migrate is to mitigate an OpenSSL vuln, you can try to replace the openssl.exe binary and the DLLs used in your currently working Stunnel version. Since there are no compatibility-breaking changes in the latest OpenSSL releases, Stunnel should be able to load them without complaining. I currently do this with the 1.1.1 branch, and it is working flawlessly so far :) Can't say for sure for the 3.0.0 branch, but it's worth a try.
You can find up-to-date pre-built binaries here: http://wiki.overbyte.eu/wiki/index.php/ICS_Download#Download_OpenSSL_Binarie... 8required_for_SSL-enabled_components.29
Other options are also listed on the official OpenSSL wiki: https://wiki.openssl.org/index.php/Binaries
Best regards,
Florian Stosse Information security engineer Safran Electronics & Defense | Safran Data Systems | Space & Communication
-----Original message-----
From: robert.croteau--- via stunnel-users stunnel-users@stunnel.org
Sent: Friday, 15 April 2022 09:21
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Windows service won't start. "The Stunnel TLS wrapper service is marked as an interactive service."
Robert,
I'm running version 5.63 with OpenSSL 3.0.2 on Windows build 19044 and stunnel runs as a service without any issues.
Carter Browne
On 4/15/2022 4:48 AM, STOSSE Florian (SAFRAN ELECTRONICS & DEFENSE) wrote:
Hi Robert,
If your only reason to migrate is to mitigate an OpenSSL vuln, you can try to replace the openssl.exe binary and the DLLs used in your currently working Stunnel version. Since there are no compatibility-breaking changes in the latest OpenSSL releases, Stunnel should be able to load them without complaining. I currently do this with the 1.1.1 branch, and it is working flawlessly so far :) Can't say for sure for the 3.0.0 branch, but it's worth a try.
You can find up-to-date pre-built binaries here: http://wiki.overbyte.eu/wiki/index.php/ICS_Download#Download_OpenSSL_Binarie... 8required_for_SSL-enabled_components.29
Other options are also listed on the official OpenSSL wiki: https://wiki.openssl.org/index.php/Binaries
Best regards,
Florian Stosse Information security engineer Safran Electronics & Defense | Safran Data Systems | Space & Communication
Carter,
We're running Windows 10 Enterprise LTSC [Version 1809 (OS Build 17763.1012)]
Unfortunately, we have to stay on that build.
tx
Robert,
I run stunnel on a number of Windows versions, the oldest of which is LTSB version 1607 build 14393.5066 and it works there without any issues as well.
An additional thought is that all my systems have been running stunnel for many years, the last complete new install as a service was in 2019 and the systems have been upgraded after that time. It may be earlier versions did not have this problem and by updating we did not run into that issue.
Good luck, Carter
On 4/15/2022 10:55 AM, robert.croteau--- via stunnel-users wrote:
Carter,
We're running Windows 10 Enterprise LTSC [Version 1809 (OS Build 17763.1012)]
Unfortunately, we have to stay on that build.
tx
Carter,
Thanks for the info.
As a workaround, instead of using

    .\stunnel.exe -install -quiet

to install the stunnel service, I'm using the sc.exe command (so not relying on the stunnel CreateService() call when using the -install option. I just don't know if there's a reason SERVICE_INTERACTIVE_PROCESS is set in that call. I'll know soon enough):

    sc.exe create stunnel type= own .....

Looking at the source, it seems that .\stunnel.exe -install does the equivalent of

    sc create stunnel type= interact type= own ....

so going from "type= interact type= own" to "type= own".
The service creation works fine, now on with the testing to verify that there are no side-effects. For now, with this, the error message that was showing up in the event log is no longer being reported and the service can be started/stopped/restarted.
Fingers crossed that there are no side-effects to the functionality with this change.
tx
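
An added example, not part of the original posts and not stunnel project code: a PowerShell check for services whose registered type carries the SERVICE_INTERACTIVE_PROCESS bit (0x100) discussed in this thread, a query for the matching Service Control Manager warning, and the sc.exe config call that clears the bit on an existing service. The service name stunnel is an assumption taken from the sc.exe create command in the message above; the function names are hypothetical.

```powershell
# Added example. Service type bits as defined in winsvc.h.
$OWN_PROCESS   = 0x010   # SERVICE_WIN32_OWN_PROCESS
$SHARE_PROCESS = 0x020   # SERVICE_WIN32_SHARE_PROCESS
$INTERACTIVE   = 0x100   # SERVICE_INTERACTIVE_PROCESS

function Get-InteractiveService {
    # The SCM keeps the dwServiceType passed to CreateService() in the
    # "Type" value under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $p -or $null -eq $p.Type) { return }   # no Type value: skip
            $type = [int]$p.Type
            # Drivers use other type bits; only Win32 services are of interest.
            $isWin32 = ($type -band ($OWN_PROCESS -bor $SHARE_PROCESS)) -ne 0
            if ($isWin32 -and (($type -band $INTERACTIVE) -ne 0)) {
                [pscustomobject]@{
                    Name      = $_.PSChildName
                    Type      = $type
                    TypeHex   = '0x{0:X}' -f $type      # 0x110 = own + interactive
                    ImagePath = $p.ImagePath
                }
            }
        }
}

function Clear-InteractiveFlag {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Type)
    # Re-register with the same process model minus the interactive bit.
    # Needs an elevated prompt; "type=" and its value are separate arguments.
    $model = if ($Type -band $OWN_PROCESS) { 'own' } else { 'share' }
    & sc.exe config $Name type= $model
}

# 1. Which services carry the flag?
$flagged = @(Get-InteractiveService)
$flagged | Format-Table Name, TypeHex, ImagePath -AutoSize

# 2. Has the SCM logged the warning quoted in this thread (event ID 7030)?
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7030
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. Clear the flag on the service discussed here ("stunnel" is an assumed
#    name, taken from the sc.exe create command above; adjust to your install).
$flagged | Where-Object Name -eq 'stunnel' | ForEach-Object {
    Clear-InteractiveFlag -Name $_.Name -Type $_.Type
}
```

Restart the service after the change and re-run step 2 to confirm that no new warning is logged.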