Running stunnel 5.03 on Windows 2008 R2.
Everything is installed and working fine. I can even start/stop the service no problem... (Pretty sure the service is set to start Automatically)
When I reboot my server stunnel service shows as started but nothing gets logged and none of my connections work. Once I restart the service through service manager, everything works. So on startup it doesn't seem to run...
This only happens if I reboot the machine.
I also asked the same question here: http://serverfault.com/questions/627932/stunnel-as-windows-service-doesnt-st...
Output of my logs proving it works.
2014.09.11 15:57:48 LOG5[1612]: stunnel 5.03 on x86-pc-msvc-1500 platform
2014.09.11 15:57:48 LOG5[1612]: Compiled/running with OpenSSL 1.0.1i-fips 6 Aug 2014
2014.09.11 15:57:48 LOG5[1612]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2014.09.11 15:57:48 LOG5[1612]: Reading configuration from file stunnel.conf
2014.09.11 15:57:48 LOG5[1612]: FIPS mode disabled
2014.09.11 15:57:49 LOG5[1612]: Configuration successful
Did you select the delayed start option on the service? I have found that necessary in Windows 7/Windows Server 2008 R2 and later.
Carter Browne cbrowne@cbcs-usa.com
On 9/12/2014 12:57 PM, John Smith wrote:
Running stunnel 5.03 on Windows 2008 R2.
Everything is installed and working fine. I can even start/stop the service no problem... (Pretty sure the service is set to start Automatically)
When I reboot my server stunnel service shows as started but nothing gets logged and none of my connections work. Once I restart the service through service manager, everything works. So on startup it doesn't seem to run...
This only happens if I reboot the machine.
I also asked the same question here: http://serverfault.com/questions/627932/stunnel-as-windows-service-doesnt-st...
Output of my logs proving it works.
2014.09.11 15:57:48 LOG5[1612]: stunnel 5.03 on x86-pc-msvc-1500 platform
2014.09.11 15:57:48 LOG5[1612]: Compiled/running with OpenSSL 1.0.1i-fips 6 Aug 2014
2014.09.11 15:57:48 LOG5[1612]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2014.09.11 15:57:48 LOG5[1612]: Reading configuration from file stunnel.conf
2014.09.11 15:57:48 LOG5[1612]: FIPS mode disabled
2014.09.11 15:57:49 LOG5[1612]: Configuration successful
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Where is the delayed start option?
On 12 September 2014 13:10, Carter Browne cbcs@comcast.net wrote:
Did you select the delayed start option on the service? I have found that necessary in Windows 7/Windows Server 2008 R2 and later.
Carter Browne cbrowne@cbcs-usa.com
Never mind found it... Will try it and let you know :)
On 12 September 2014 13:13, John Smith java.dev.mtl@gmail.com wrote:
Where is the delayed start option?
Works like a charm! :)
As an off topic, do you know what the registry key is for the delayed time to bring it down from two minutes to something shorter?
On 12 September 2014 13:14, John Smith java.dev.mtl@gmail.com wrote:
Never mind found it... Will try it and let you know :)
Sorry, I don't know what it is.
Carter Browne cbrowne@cbcs-usa.com
On 9/12/2014 1:35 PM, John Smith wrote:
Works like a charm! :)
As an off topic, do you know what the registry key is for the delayed time to bring it down from two minutes to something shorter?
You mean the DNS delay or something else.
Pete
From: Carter Browne [mailto:cbcs@comcast.net]
Sent: Friday, September 12, 2014 10:56 AM
To: John Smith; cbrowne@cbcs-usa.com
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Stunnel as windows service doesn't start on restart.
Sorry, I don't know what it is.
Carter Browne cbrowne@cbcs-usa.com
No. When setting a service to Automatic (Delayed Start), Windows will wait 2:00 minutes after it has completed booting to start the service that was specified as "Delayed".
On 12 September 2014 16:25, WNSDEV pete@wnsdev.com wrote:
You mean the DNS delay or something else.
Pete
Perhaps you can also create a dependency for stunnel service on another service that requires TCP/IP up, like the DNS client. That can make your stunnel service available sooner.
Dependencies can be created with sc utility.
-----Original Message-----
From: John Smith java.dev.mtl@gmail.com
Sender: "stunnel-users" stunnel-users-bounces@stunnel.org
Date: Fri, 12 Sep 2014 16:31:40
To: WNSDEV pete@wnsdev.com
Cc: stunnel-users@stunnel.org
Subject: Re: [stunnel-users] Stunnel as windows service doesn't start on restart.
Yeah I had tried that but maybe I picked the wrong services lol I picked some TCPIP service but don't remember exactly.
But I suppose this is worth official documenting?
On 12 September 2014 19:41, josealf@rocketmail.com wrote:
Perhaps you can also create a dependency for stunnel service on another service that requires TCP/IP up, like the DNS client. That can make your stunnel service available sooner.
Dependencies can be created with sc utility.
John,
Regarding stunnel service dependencies, if you read the 5.04 beta announcement, the dependency is created automatically now when you install stunnel as a service. Please give it a try. Looks like it works for me.
Thanks to Mike for implementing that.
On Monday, September 15, 2014 10:01 AM, John Smith java.dev.mtl@gmail.com wrote:
Yeah I had tried that but maybe I picked the wrong services lol I picked some TCPIP service but don't remember exactly.
But I suppose this is worth official documenting?
Jose Alf. wrote:
Regarding stunnel service dependencies, if you read the 5.04 beta announcement, the dependency is created automatically now when you install stunnel as a service. Please give it a try. Looks like it works for me.
Thanks to Mike for implementing that.
Thank you for testing it.
Best regards, Mike
For now I'm happy with 5.03. Already in production, so I will have to wait for next time! :)
On 17 September 2014 17:10, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Thank you for testing it.
Best regards, Mike
I tried 5.04 on Windows Server 2008 R2 Enterprise Service Pack 1 x64.
Same issue. Service shows as started, but no log. If I go manual restart it works.
Have to put delayed startup.
On 18 September 2014 16:15, John Smith java.dev.mtl@gmail.com wrote:
For now I'm happy with 5.03. Already in production, so I will have to wait for next time! :)
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
On 09.22.2014 06:54, John Smith wrote:
I tried 5.04 on Windows Server 2008 R2 Enterprise Service Pack 1 x64.
Same issue. Service shows as started, but no log. If I go manual restart it works.
Have to put delayed startup.
Hello, I can tell my patch was addressing a read file error on the conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core problem preventing stunnel from starting correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, which is necessary to solve that bug. I have not yet checked its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel check not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well-known server. It should retry for, e.g., 3 seconds, and then stop with some report if it fails to resolve the hostname, either for lack of network or for lack of an answer from the name resolver. But... it seems that when it has problems at startup, it cannot even log anything... maybe this is due to the identity of the "system user" of stunnel at that particular moment: a user that may have no right to write to the HD.
People should also check the installation location of stunnel: it is supposed (and has predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend using that location.
They should also try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some networks or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On the other hand, it sounds strange that just restarting stunnel (in user mode or service mode?) solves the problem: this sounds like unavailability of DNS at startup.
I have not investigated that particular problem, but I will perform some tests soon with the latest 504 (or 505).
Yours sincerely Pierre
On 22/09/2014 19:20, 541401@gmail.com wrote:
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
The service is set to run as local system account and interact with desktop is checked.
Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly.
My config is as follows:
; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = stunnel.log
; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine
[es-tcp]
accept = ${SERVER_IP}:9300
connect = 127.0.0.1:9300
cert = ....
CAfile = ....
verify = 2
[es-http]
accept = ${SERVER_IP}:9200
connect = 127.0.0.1:9200
cert = ....
CAfile = ....
verify = 2
[es-disc-local]
client = yes
accept = 127.0.0.1:9700
connect = ${SERVER_IP}:9300
cert = ....
On 22 September 2014 14:30, Pierre DELAAGE delaage.pierre@free.fr wrote:
Hello, I can tell my patch was addressing a read file error on the conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core problem preventing stunnel from starting correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, which is necessary to solve that bug. I have not yet checked its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel check not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well-known server. It should retry for, e.g., 3 seconds, and then stop with some report if it fails to resolve the hostname, either for lack of network or for lack of an answer from the name resolver. But... it seems that when it has problems at startup, it cannot even log anything... maybe this is due to the identity of the "system user" of stunnel at that particular moment: a user that may have no right to write to the HD.
People should also check the installation location of stunnel: it is supposed (and has predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend using that location.
They should also try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some networks or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On the other hand, it sounds strange that just restarting stunnel (in user mode or service mode?) solves the problem: this sounds like unavailability of DNS at startup.
I have not investigated that particular problem, but I will perform some tests soon with the latest 504 (or 505).
Yours sincerely Pierre
When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
I have a doubt that, although scm says stunnel is running, in fact it is not.
Regards Pierre
On 22/09/2014 21:43, John Smith wrote:
Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
The service is set to run as local system account and interact with desktop is checked.
Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly.
My config is as follows:
; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = stunnel.log
; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine
[es-tcp]
accept = ${SERVER_IP}:9300
connect = 127.0.0.1:9300
cert = ....
CAfile = ....
verify = 2
[es-http]
accept = ${SERVER_IP}:9200
connect = 127.0.0.1:9200
cert = ....
CAfile = ....
verify = 2
[es-disc-local]
client = yes
accept = 127.0.0.1:9700
connect = ${SERVER_IP}:9300
cert = ....
On 22 September 2014 14:30, Pierre DELAAGE delaage.pierre@free.fr wrote:
Hello, I can tell my patch was addressing read file error on conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core pb preventing stunnel to start correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel checks, not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well known server. it should retry during, eg, 3 seconds, and then stops with some reports if failing to resolve the hostname, either by lack of network, or by lack of answer from the name resolver. But...it seems that when having problems at startup, it cannot even log anything....maybe this is due to the identity of "system user" of stunnel at that particular moment: user that may have no right to write on the HD.
People should check also the installation location of stunnel : it is supposed (and have predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend to use that location.
They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some network or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On another hand, it sounds strange that just restarting stunnel (in user mode or service mode ?) is solving the problem : this sounds like unavailability of DNS at startup.
I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505).
Yours sincerely Pierre
On 22/09/2014 19:20, 541401@gmail.com wrote:
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
I wish you were right but unfortunately it's running lol
On 22 September 2014 18:24, Pierre DELAAGE delaage.pierre@free.fr wrote:
When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
I have a doubt that, although scm says stunnel is running, in fact it is not.
Regards Pierre
Did you do a netstat to see if stunnel was listening on the selected ports? Also enabling the debug might help identify the issue.
Carter Browne cbrowne@cbcs-usa.com
On 9/23/2014 9:30 AM, John Smith wrote:
I wish you were right but unfortunately it's running lol
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
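The two checks suggested above (is a stunnel process really behind the service the SCM reports as started, and is it listening on the configured ports) can be scripted together with the start-up settings the thread discusses. This is an added example, not code from the thread or from stunnel; the service name `stunnel` and the function names are assumptions, and the ports are the accept ports from the quoted configuration.

```powershell
# Added example, PowerShell 2.0 compatible (the version shipped with Windows Server 2008 R2).
# Assumptions: the service is registered as "stunnel"; the ports are the accept
# ports from the configuration quoted in the thread.
$ServiceName   = 'stunnel'
$ExpectedPorts = 9200, 9300, 9700

function Get-ListeningPort {
    # Returns the local TCP ports that $ProcessId holds in LISTENING state.
    # Input rows use the `netstat -ano` layout: Proto Local Foreign State PID.
    # The state text is localized; 'LISTENING' is the English-language value.
    param([string[]]$NetstatLines, [int]$ProcessId)
    foreach ($line in $NetstatLines) {
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING' -and
            [int]$f[4] -eq $ProcessId) {
            # The port is whatever follows the last colon of the local address.
            [int]$f[1].Substring($f[1].LastIndexOf(':') + 1)
        }
    }
}

function Test-StunnelService {
    param([string]$Name, [int[]]$Ports)
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' is not installed." }

    # Start-up settings discussed in the thread: delayed start and dependencies.
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"

    # The SCM can report "Running" while the process is gone or not yet listening.
    $proc = $null
    if ($svc.ProcessId -gt 0) {
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
    }
    $listening = @()
    if ($proc) {
        $listening = @(Get-ListeningPort -NetstatLines (netstat -ano -p TCP) -ProcessId $proc.Id)
    }

    New-Object PSObject -Property @{
        ScmState     = $svc.State
        StartMode    = $svc.StartMode
        DelayedStart = ($reg.DelayedAutostart -eq 1)
        DependsOn    = @($reg.DependOnService | Where-Object { $_ })
        ProcessId    = $svc.ProcessId
        ProcessAlive = [bool]$proc
        ListeningOn  = $listening
        MissingPorts = @($Ports | Where-Object { $listening -notcontains $_ })
    }
}

# Parser check on constructed netstat rows (not captured from a real host).
$sample = @(
    '  TCP    192.0.2.10:9200    0.0.0.0:0    LISTENING    2040',
    '  TCP    192.0.2.10:9300    0.0.0.0:0    LISTENING    2040',
    '  TCP    0.0.0.0:445        0.0.0.0:0    LISTENING    4'
)
Get-ListeningPort -NetstatLines $sample -ProcessId 2040

# Live check: run elevated right after a reboot, before restarting the service.
Test-StunnelService -Name $ServiceName -Ports $ExpectedPorts | Format-List
```

A result with `ScmState` of Running, `ProcessAlive` true and a non-empty `MissingPorts` matches the symptom reported in this thread: the service is up but nothing is accepting connections.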
Have you tried to change the service dependency from "TCPIP" (the default in the code), to "dnscache" (ok, EVEN if you do not use hostname resolution), this is just to be sure that stunnel relies on something that is using tcpip as well.
question : what kind of network interface do you have :
wifi ? ethernet board ?
Are you traversing multiple routers ?
Are you using multiple firewalls ?
Have you tuned a delay as suggested a few days ago ?
Can you try without specifying "capi engine" ?
Are you using stunnel 32 bits or 64 bits : if 64, try the 32 version as well.
I am reviewing the code and soon enter some test on w7-32bits.
Regards Pierre
On 23/09/2014 15:30, John Smith wrote:
I wish you were right but unfortunately it's running lol
Network: Ethernet
Multiple routers: No
Firewall: No
Delay: Yes, Automatic (Delayed Start) works like a charm.
Capi engine: Yes tried turning it off
32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit version on the download page?
dnscache: Haven't tried it yet.
- stunnel works fine on the server specifically with the service set to Automatic (Delayed Start). And I even tunnel properly to other machines so it's not firewalls or routers or network.
- Only when it's NOT (Delayed Start) stunnel does not seem to start even though the service shows as started.
- I managed to tunnel from my Desktop to the Server. I have not tried automatic service startup on Desktop because I don't have enough privileges. But trying to setup the server, since that's the machine that will have stunnel in production.
On 23 September 2014 10:04, Pierre DELAAGE delaage.pierre@free.fr wrote:
Have you tried to change the service dependency from "TCPIP" (the default in the code), to "dnscache" (ok, EVEN if you do not use hostname resolution), this is just to be sure that stunnel relies on something that is using tcpip as well.
question : what kind of network interface do you have :
wifi ? ethernet board ?
Are you traversing multiple routers ?
Are you using multiple firewalls ?
Have you tuned a delay as suggested a few days ago ?
Can you try without specifying "capi engine" ?
Are you using stunnel 32 bits or 64 bits : if 64, try the 32 version as well.
I am reviewing the code and soon enter some test on w7-32bits.
Regards Pierre
Le 23/09/2014 15:30, John Smith a écrit :
I wish you were right but unfortunately it's running lol
On 22 September 2014 18:24, Pierre DELAAGE delaage.pierre@free.fr wrote:
When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
I have a doubt that, although scm says stunnel is running, in fact it is not.
Regards Pierre
Le 22/09/2014 21:43, John Smith a écrit :
Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
The service is set to run as local system account and interact with desktop is checked.
Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly.
My config is as follows:
; Debugging stuff (may useful for troubleshooting) ;debug = 7 output = stunnel.log
; Initialize Microsoft CryptoAPI interface engine = capi ; Also needs "engineID = capi" in each section using the CAPI engine
[es-tcp] accept = ${SERVER_IP}:9300 connect = 127.0.0.1:9300 cert = .... CAfile = .... verify = 2
[es-http] accept = ${SERVER_IP}:9200 connect = 127.0.0.1:9200 cert = .... CAfile = .... verify = 2
[es-disc-local] client = yes accept = 127.0.0.1:9700 connect = ${SERVER_IP}:9300 cert = ....
On 22 September 2014 14:30, Pierre DELAAGE delaage.pierre@free.fr wrote:
Hello, I can tell my patch was adressing read file error on conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core pb preventing stunnel to start correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel checks, not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well known server. it should retry during, eg, 3 seconds, and then stops with some reports if failing to resolve the hostname, either by lack of network, or by lack of answer from the name resolver. But...it seems that when having problems at startup, it cannot even log anything....maybe this is due to the identity of "system user" of stunnel at that particular moment: user that may have no right to write on the HD.
People should check also the installation location of stunnel : it is supposed (and have predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend to use that location.
They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some network or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On another hand, it sounds strange that just restarting stunnel (in user mode or service mode ?) is solving the problem : this sounds like unavailability of DNS at startup.
I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505).
Yours sincerely Pierre
Le 22/09/2014 19:20, 541401@gmail.com a écrit :
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
On 09.22.2014 06:54, John Smith wrote:
I tried 5.04. on Windows Server 2008 R2 Enterprise Service Pack 1 x64
Same issue. Service shows as started, but no log. If I go manual restart it works.
Have to put delayed startup.
On 18 September 2014 16:15, John Smith java.dev.mtl@gmail.com wrote:
For now I'm happy with 5.03. Already in production so I will have to wait next time! :)
On 17 September 2014 17:10, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Jose Alf. wrote:
Regarding stunnel service dependencies, If you read the 5.04 beta announcement, the dependency is created automatically now when you install stunnel as a service. Please give it a try. Looks like it works for me.
Thanks to Mike for implementing that.
Thank you for testing it.
Best regards, Mike
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Sorry to tell but...
On a windows 7 home machine, with a HOSTNAME in the stunnel conf, NO DELAY at service startup : I can start the service, then reboot, then, at first, my log file is saying ": Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)" and later, when I try to use the tunnel (and at that time dns is working), resolving is working...
and everything is OK so....
Even if dns is NOT available at startup, stunnel 504 is able to resolve "later" the remote server hostname.
2014.09.23 19:23:17 LOG7[2612]: No limit detected for the number of clients
2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on x86-pc-msvc-1500 platform
2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL 1.0.1i-fips 6 Aug 2014
2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
2014.09.23 19:23:17 LOG5[2612]: Reading configuration from file stunnel.conf
2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
2014.09.23 19:23:17 LOG7[2612]: Compression disabled
2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from C:/.rnd
2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to C:/.rnd
2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)
2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target - delaying DNS lookup (COMMENT : stunnel is a good fellow !)
2014.09.23 19:23:17 LOG6[2612]: Loading cert from file: C:\Users\standard\Documents\Perso\SSL\johndoe.crt
2014.09.23 19:23:18 LOG6[2612]: Loading key from file: C:\Users\standard\Documents\Perso\SSL\johndoe.uky
2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
2014.09.23 19:23:18 LOG5[2612]: Configuration successful
2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound to 127.0.0.1:81
2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted (FD=208) from 127.0.0.1:49164
2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
2014.09.23 19:24:32 LOG7[2612]: New thread created
2014.09.23 19:24:32 LOG7[588]: Service [https] started
2014.09.23 19:24:32 LOG5[588]: Service [https] accepted connection from 127.0.0.1:49164
2014.09.23 19:24:32 LOG6[588]: s_connect: connecting XXX.YYY.UUU.III:443
2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait XXX.YYY.UUU.III:443: waiting 10 seconds
2014.09.23 19:24:32 LOG5[588]: s_connect: connected XXX.YYY.UUU.III:443
2014.09.23 19:24:32 LOG5[588]: Service [https] connected remote server from 192.168.3.220:49165
2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): before/connect initialization
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3 write client hello A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server hello A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server certificate A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server certificate request A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server done A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client certificate A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client key exchange A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write certificate verify A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write change cipher spec A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write finished A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 flush data
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read finished A
So I am sorry to say that I cannot reproduce that bug.
Anyway there are many services, on a heavily loaded machine, that can slow down the service startup or interfere with file management :
Antivirus ? try to deactivate it. Firewall : the same... any other piece of software that is not absolutely necessary at boot time.
Plus : Even if you don't use hostnames in conf file I suggest that you try "dnscache" dependency anyway: because you probably have hostnames in your certificates.
Regards Pierre
On 23/09/2014 18:05, John Smith wrote:
Network: Ethernet
Multiple routers: No
Firewall: No
Delay: Yes, Automatic (Delayed Start) works like a charm.
Capi engine: Yes tried turning it off
32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit version on the download page?
dnscache: Haven't tried it yet.
- stunnel works fine on the server specifically with the service set to Automatic (Delayed Start). And I even tunnel properly to other machines so it's not firewalls or routers or network.
- Only when it's NOT (Delayed Start) stunnel does not seem to start even though the service shows as started.
- I managed to tunnel from my Desktop to the Server. I have not tried automatic service startup on Desktop because I don't have enough privileges. But trying to setup the server, since that's the machine that will have stunnel in production.
On 23 September 2014 10:04, Pierre DELAAGE delaage.pierre@free.fr wrote:
Have you tried to change the service dependency from "TCPIP" (the default in the code), to "dnscache" (ok, EVEN if you do not use hostname resolution), this is just to be sure that stunnel relies on something that is using tcpip as well.
question : what kind of network interface do you have :
wifi ? ethernet board ?
Are you traversing multiple routers ?
Are you using multiple firewalls ?
Have you tuned a delay as suggested a few days ago ?
Can you try without specifying "capi engine" ?
Are you using stunnel 32 bits or 64 bits : if 64, try the 32 version as well.
I am reviewing the code and soon enter some test on w7-32bits.
Regards Pierre
On 23/09/2014 15:30, John Smith wrote:
I wish you were right but unfortunately it's running lol
On 22 September 2014 18:24, Pierre DELAAGE delaage.pierre@free.fr wrote:
When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
I have a doubt that, although scm says stunnel is running, in fact it is not.
Regards Pierre
On 22/09/2014 21:43, John Smith wrote:
Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
The service is set to run as local system account and interact with desktop is checked.
Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly.
My config is as follows:
; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = stunnel.log
; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine
[es-tcp]
accept = ${SERVER_IP}:9300
connect = 127.0.0.1:9300
cert = ....
CAfile = ....
verify = 2
[es-http]
accept = ${SERVER_IP}:9200
connect = 127.0.0.1:9200
cert = ....
CAfile = ....
verify = 2
[es-disc-local]
client = yes
accept = 127.0.0.1:9700
connect = ${SERVER_IP}:9300
cert = ....
On 22 September 2014 14:30, Pierre DELAAGE delaage.pierre@free.fr wrote:
Hello, I can tell my patch was addressing read file error on conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core pb preventing stunnel to start correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel checks, not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well known server. It should retry during, e.g., 3 seconds, and then stop with some reports if failing to resolve the hostname, either by lack of network, or by lack of answer from the name resolver. But... it seems that when having problems at startup, it cannot even log anything... maybe this is due to the identity of "system user" of stunnel at that particular moment: a user that may have no right to write on the HD.
People should also check the installation location of stunnel: it is supposed (and has predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend using that location.
They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some network or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On the other hand, it sounds strange that just restarting stunnel (in user mode or service mode ?) is solving the problem : this sounds like unavailability of DNS at startup.
I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505).
Yours sincerely Pierre
On 22/09/2014 19:20, 541401@gmail.com wrote:
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
On 09.22.2014 06:54, John Smith wrote:
I tried 5.04. on Windows Server 2008 R2 Enterprise Service Pack 1 x64
Same issue. Service shows as started, but no log. If I go manual restart it works.
Have to put delayed startup.
On 18 September 2014 16:15, John Smith java.dev.mtl@gmail.com wrote:
For now I'm happy with 5.03. Already in production so I will have to wait next time! :)
On 17 September 2014 17:10, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Jose Alf. wrote:
> Regarding stunnel service dependencies, If you read the 5.04 beta announcement, the dependency is created automatically now when you install stunnel as a service. Please give it a try. Looks like it works for me.
>
> Thanks to Mike for implementing that.
Thank you for testing it.
Best regards, Mike
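The checks discussed in the messages above (is the process really alive, was the log written since boot, what does the service depend on, do the connect hostnames resolve), gathered into one script as an added example that is not code from the thread or from the stunnel project. The service name `stunnel` and the configuration and log paths are assumptions to adjust per installation; it uses Get-WmiObject so that it also runs on the PowerShell 2.0 shipped with Server 2008 R2.

```powershell
# Added example (not from the thread): triage for a stunnel service that shows
# "Started" after boot but writes no log. Service name and paths are assumptions.
param(
    [string]$ServiceName = 'stunnel',
    [string]$ConfPath    = 'C:\Program Files (x86)\stunnel\stunnel.conf',
    [string]$LogPath     = 'C:\Program Files (x86)\stunnel\stunnel.log'
)

# Retry name resolution for a few seconds (the check proposed in the thread), then give up.
function Test-NameResolution {
    param([string]$Name, [int]$TimeoutSeconds = 3)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        try {
            [void][System.Net.Dns]::GetHostAddresses($Name)
            return $true
        } catch {
            Start-Sleep -Milliseconds 500
        }
    } while ((Get-Date) -lt $deadline)
    return $false
}

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }

$os   = Get-WmiObject -Class Win32_OperatingSystem
$boot = $os.ConvertToDateTime($os.LastBootUpTime)

# Delayed-start flag and dependency list are stored under the service's registry key.
$reg     = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$delayed = ($reg.DelayedAutostart -eq 1)
$depends = @($reg.DependOnService | Where-Object { $_ })

# The SCM can report "Running" while the process behind the service is gone.
$proc = $null
if ($svc.ProcessId -gt 0) {
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
}

# A log file untouched since the last boot matches the "started but no log" symptom.
$logWrittenSinceBoot = $false
if (Test-Path $LogPath) {
    $logWrittenSinceBoot = ((Get-Item $LogPath).LastWriteTime -ge $boot)
}

"Service state        : {0}" -f $svc.State
"Start mode           : {0}" -f $svc.StartMode
"Delayed start        : {0}" -f $delayed
"Runs as              : {0}" -f $svc.StartName
"Process alive        : {0}" -f [bool]$proc
"Last boot            : {0}" -f $boot
"Log written since    : {0}" -f $logWrittenSinceBoot
"DependOnService      : {0}" -f ($depends -join ', ')

# Kernel drivers such as Tcpip may not be listed by Get-Service; report that instead of failing.
foreach ($d in $depends) {
    $ds = Get-Service -Name $d -ErrorAction SilentlyContinue
    $status = if ($ds) { $ds.Status } else { 'not reported by Get-Service (driver or missing)' }
    "  dependency {0}: {1}" -f $d, $status
}

# Collect hostnames (not dotted IPv4 literals) from "connect = host:port" lines.
$targets = @()
if (Test-Path $ConfPath) {
    $targets = @(Get-Content $ConfPath | ForEach-Object {
        if ($_ -match '^\s*connect\s*=\s*([^:\s]+):\d+\s*$') { $Matches[1] }
    } | Where-Object { $_ -notmatch '^\d{1,3}(\.\d{1,3}){3}$' } | Sort-Object -Unique)
}
foreach ($t in $targets) {
    $result = if (Test-NameResolution -Name $t) { 'resolves' } else { 'does NOT resolve within 3 s' }
    "  connect target {0}: {1}" -f $t, $result
}

# The combination reported in the thread: running, not delayed, nothing logged since boot.
if (($svc.State -eq 'Running') -and (-not $delayed) -and (-not $logWrittenSinceBoot)) {
    "RESULT: matches the boot-time symptom (running, no delayed start, no log since boot)."
} else {
    "RESULT: does not match the boot-time symptom."
}
```

Run it from an elevated prompt right after a reboot, before restarting the service by hand, so the log timestamp still reflects the boot-time start.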
Ok when I have a chance I will try dnscache
On 23 September 2014 14:05, Pierre DELAAGE delaage.pierre@free.fr wrote:
Sorry to tell but...
On a windows 7 home machine, with a HOSTNAME in the stunnel conf, NO DELAY at service startup : I can start the service, then reboot, then, at first, my log file is saying ": Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)" and later, when I try to use the tunnel (and at that time dns is working), resolving is working...
and everything is OK so....
Even if dns is NOT available at startup, stunnel 504 is able to resolve "later" the remote server hostname.
So I am sorry to say that I cannot reproduce that bug.
Anyway there are many services, on a heavily loaded machine, that can slow down the service startup or interfere with file management :
Antivirus ? try to deactivate it. Firewall : the same... any other piece of software that is not absolutely necessary at boot time.
Plus : Even if you don't use hostnames in conf file I suggest that you try "dnscache" dependency anyway: because you probably have hostnames in your certificates.
Regards Pierre
On 23/09/2014 18:05, John Smith wrote:
Network: Ethernet
Multiple routers: No
Firewall: No
Delay: Yes, Automatic (Delayed Start) works like a charm.
Capi engine: Yes tried turning it off
32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit version on the download page?
dnscache: Haven't tried it yet.
- stunnel works fine on the server specifically with the service set to Automatic (Delayed Start). And I even tunnel properly to other machines so it's not firewalls or routers or network.
- Only when it's NOT (Delayed Start) stunnel does not seem to start even though the service shows as started.
- I managed to tunnel from my Desktop to the Server. I have not tried automatic service startup on Desktop because I don't have enough privileges. But trying to setup the server, since that's the machine that will have stunnel in production.
On 23 September 2014 10:04, Pierre DELAAGE delaage.pierre@free.fr wrote:
Have you tried to change the service dependency from "TCPIP" (the default in the code), to "dnscache" (ok, EVEN if you do not use hostname resolution), this is just to be sure that stunnel relies on something that is using tcpip as well.
question : what kind of network interface do you have :
wifi ? ethernet board ?
Are you traversing multiple routers ?
Are you using multiple firewalls ?
Have you tuned a delay as suggested a few days ago ?
Can you try without specifying "capi engine" ?
Are you using stunnel 32 bits or 64 bits : if 64, try the 32 version as well.
I am reviewing the code and soon enter some test on w7-32bits.
Regards Pierre
On 23/09/2014 15:30, John Smith wrote:
I wish you were right but unfortunately it's running lol
On 22 September 2014 18:24, Pierre DELAAGE delaage.pierre@free.fr wrote:
When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
I have a doubt that, although scm says stunnel is running, in fact it is not.
Regards Pierre
On 22/09/2014 21:43, John Smith wrote:
Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
The service is set to run as local system account and interact with desktop is checked.
Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly.
My config is as follows:
; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = stunnel.log
; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine
[es-tcp]
accept = ${SERVER_IP}:9300
connect = 127.0.0.1:9300
cert = ....
CAfile = ....
verify = 2
[es-http]
accept = ${SERVER_IP}:9200
connect = 127.0.0.1:9200
cert = ....
CAfile = ....
verify = 2
[es-disc-local]
client = yes
accept = 127.0.0.1:9700
connect = ${SERVER_IP}:9300
cert = ....
On 22 September 2014 14:30, Pierre DELAAGE delaage.pierre@free.fr wrote:
Hello, I can tell my patch was addressing read file error on conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core pb preventing stunnel to start correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel checks, not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well known server. It should retry during, e.g., 3 seconds, and then stop with some reports if failing to resolve the hostname, either by lack of network, or by lack of answer from the name resolver. But... it seems that when having problems at startup, it cannot even log anything... maybe this is due to the identity of "system user" of stunnel at that particular moment: a user that may have no right to write on the HD.
People should also check the installation location of stunnel: it is supposed (and has predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend using that location.
They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some network or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On the other hand, it sounds strange that just restarting stunnel (in user mode or service mode ?) is solving the problem : this sounds like unavailability of DNS at startup.
I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505).
Yours sincerely Pierre
On 22/09/2014 19:20, 541401@gmail.com wrote:
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
On 09.22.2014 06:54, John Smith wrote:
I tried 5.04. on Windows Server 2008 R2 Enterprise Service Pack 1 x64
Same issue. Service shows as started, but no log. If I go manual restart it works.
Have to put delayed startup.
On 18 September 2014 16:15, John Smith java.dev.mtl@gmail.com wrote:
For now I'm happy with 5.03. Already in production so I will have to wait next time! :)
On 17 September 2014 17:10, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Jose Alf. wrote:
> Regarding stunnel service dependencies, If you read the 5.04 beta announcement, the dependency is created automatically now when you install stunnel as a service. Please give it a try. Looks like it works for me.
>
> Thanks to Mike for implementing that.
Thank you for testing it.
Best regards, Mike
Anyways I don't know what to say. But adding dnscache as dependency didn't do anything either. Same issue service on bootup shows as started but no logs. Restarting it through Service Control Manager works.
Automatic (Delayed Start) at least for me works fine. I'll continue working with that for now...
On 23 September 2014 14:27, John Smith java.dev.mtl@gmail.com wrote:
Ok when I have a chance I will try dnscache
On 23 September 2014 14:05, Pierre DELAAGE delaage.pierre@free.fr wrote:
Sorry to tell but...
On a windows 7 home machine, with a HOSTNAME in the stunnel conf, NO DELAY at service startup : I can start the service, then reboot, then, at first, my log file is saying ": Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)" and later, when I try to use the tunnel (and at that time dns is working), resolving is working...
and everything is OK so....
Even if dns is NOT available at startup, stunnel 504 is able to resolve "later" the remote server hostname.
So I am sorry to say that I cannot reproduce that bug.
Anyway there are many services, on a heavily loaded machine, that can slow down the service startup or interfere with file management :
Antivirus ? try to deactivate it. Firewall : the same... any other piece of software that is not absolutely necessary at boot time.
Plus : Even if you don't use hostnames in conf file I suggest that you try "dnscache" dependency anyway: because you probably have hostnames in your certificates.
Regards Pierre
On 23/09/2014 18:05, John Smith wrote:
Network: Ethernet
Multiple routers: No
Firewall: No
Delay: Yes, Automatic (Delayed Start) works like a charm.
Capi engine: Yes tried turning it off
32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit version on the download page?
dnscache: Haven't tried it yet.
- stunnel works fine on the server specifically with the service set to Automatic (Delayed Start). And I even tunnel properly to other machines so it's not firewalls or routers or network.
- Only when it's NOT (Delayed Start) stunnel does not seem to start even though the service shows as started.
- I managed to tunnel from my Desktop to the Server. I have not tried automatic service startup on Desktop because I don't have enough privileges. But trying to setup the server, since that's the machine that will have stunnel in production.
On 23 September 2014 10:04, Pierre DELAAGE delaage.pierre@free.fr wrote:
Have you tried to change the service dependency from "TCPIP" (the default in the code), to "dnscache" (ok, EVEN if you do not use hostname resolution), this is just to be sure that stunnel relies on something that is using tcpip as well.
question : what kind of network interface do you have :
wifi ? ethernet board ?
Are you traversing multiple routers ?
Are you using multiple firewalls ?
Have you tuned a delay as suggested a few days ago ?
Can you try without specifying "capi engine" ?
Are you using stunnel 32 bits or 64 bits : if 64, try the 32 version as well.
I am reviewing the code and soon enter some test on w7-32bits.
Regards Pierre
On 23/09/2014 15:30, John Smith wrote:
I wish you were right but unfortunately it's running lol
On 22 September 2014 18:24, Pierre DELAAGE delaage.pierre@free.fr wrote:
When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
I have a doubt that, although scm says stunnel is running, in fact it is not.
Regards Pierre
On 22/09/2014 21:43, John Smith wrote:
Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
The service is set to run as local system account and interact with desktop is checked.
Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly.
My config is as follows:
; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = stunnel.log

; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine

[es-tcp]
accept = ${SERVER_IP}:9300
connect = 127.0.0.1:9300
cert = ....
CAfile = ....
verify = 2

[es-http]
accept = ${SERVER_IP}:9200
connect = 127.0.0.1:9200
cert = ....
CAfile = ....
verify = 2

[es-disc-local]
client = yes
accept = 127.0.0.1:9700
connect = ${SERVER_IP}:9300
cert = ....
On 22 September 2014 14:30, Pierre DELAAGE delaage.pierre@free.fr wrote:
Hello, I can tell my patch was addressing a read file error on the conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core pb preventing stunnel from starting correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel checks not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well-known server. It should retry for, e.g., 3 seconds, and then stop with some report if it fails to resolve the hostname, either by lack of network, or by lack of answer from the name resolver. But... it seems that when having problems at startup, it cannot even log anything... maybe this is due to the identity of the "system user" of stunnel at that particular moment: a user that may have no right to write on the HD.
People should check also the installation location of stunnel : it is supposed (and have predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend to use that location.
They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some network or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On another hand, it sounds strange that just restarting stunnel (in user mode or service mode ?) is solving the problem : this sounds like unavailability of DNS at startup.
I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505).
Yours sincerely Pierre
On 22/09/2014 19:20, 541401@gmail.com wrote:
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
On 09.22.2014 06:54, John Smith wrote:
I tried 5.04. on Windows Server 2008 R2 Enterprise Service Pack 1 x64
Same issue. Service shows as started, but no log. If I go manual restart it works.
Have to put delayed startup.
On 18 September 2014 16:15, John Smith java.dev.mtl@gmail.com wrote:
For now I'm happy with 5.03. Already in production, so I will have to wait next time! :)
On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
> Jose Alf. wrote:
> > Regarding stunnel service dependencies, If you read the 5.04 beta
> > announcement, the dependency is created automatically now when you
> > install stunnel as a service. Please give it a try. Looks like it
> > works for me.
> >
> > Thanks to Mike for implementing that.
>
> Thank you for testing it.
>
> Best regards,
> Mike
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Ask Pierre for a copy of his patched 5.02, I bet that will solve your problem.
On 09.24.2014 08:51, John Smith wrote:
Anyways I don't know what to say. But adding dnscache as dependency didn't do anything either. Same issue service on bootup shows as started but no logs. Restarting it through Service Control Manager works.
Automatic (Delayed Start) at least for me works fine. I'll continue working with that for now...
Dear all, I will send it to John, but I do not think it will solve this particular issue.
Anyway, Let's try and see.
Regards Pierre
On 24/09/2014 17:59, 541401@gmail.com wrote:
Ask Pierre for a copy of his patched 5.02, I bet that will solve your problem.
On 09.24.2014 08:51, John Smith wrote:
Anyways I don't know what to say. But adding dnscache as dependency didn't do anything either. Same issue service on bootup shows as started but no logs. Restarting it through Service Control Manager works.
Automatic (Delayed Start) at least for me works fine. I'll continue working with that for now...
On 23 September 2014 14:27, John Smith <java.dev.mtl@gmail.com mailto:java.dev.mtl@gmail.com> wrote:
Ok when I have a chance I will try dnscache On 23 September 2014 14:05, Pierre DELAAGE <delaage.pierre@free.fr <mailto:delaage.pierre@free.fr>> wrote: Sorry to tell but... On a windows 7 home machine, with a HOSTNAME in the stunnel conf, NO DELAY at service startup : I can start the service, then reboot, then, at first, my log file is saying ": Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)" and later, when I try to use the tunnel (and at that time dns is working), resolving is working... and everything is OK so.... Even if dns is NOT available at startup, stunnel 504 is able to resolve "later" the remote server hostname. 2014.09.23 19:23:17 LOG7[2612]: No limit detected for the number of clients 2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on x86-pc-msvc-1500 platform 2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL 1.0.1i-fips 6 Aug 2014 2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS 2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno()) 2014.09.23 19:23:17 LOG5[2612]: Reading configuration from file stunnel.conf 2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled 2014.09.23 19:23:17 LOG7[2612]: Compression disabled 2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from C:/.rnd 2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to C:/.rnd 2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully 2014.09.23 19:23:17 LOG6[2612]: Initializing service [https] 2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME) 2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target - delaying DNS lookup/(COMMENT : stunnel is a good fellow !)/ 2014.09.23 19:23:17 LOG6[2612]: Loading cert from file: C:\Users\standard\Documents\Perso\SSL\johndoe.crt 2014.09.23 19:23:18 LOG6[2612]: Loading key from file: C:\Users\standard\Documents\Perso\SSL\johndoe.uky 2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded 2014.09.23 19:23:18 
LOG7[2612]: SSL options set: 0x00000004 2014.09.23 19:23:18 LOG5[2612]: Configuration successful 2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound to 127.0.0.1:81 <http://127.0.0.1:81> 2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted (FD=208) from 127.0.0.1:49164 <http://127.0.0.1:49164> 2014.09.23 19:24:32 LOG7[2612]: Creating a new thread 2014.09.23 19:24:32 LOG7[2612]: New thread created 2014.09.23 19:24:32 LOG7[588]: Service [https] started 2014.09.23 19:24:32 LOG5[588]: Service [https] accepted connection from 127.0.0.1:49164 <http://127.0.0.1:49164> 2014.09.23 19:24:32 LOG6[588]: s_connect: connecting XXX.YYY.UUU.III:443 2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait XXX.YYY.UUU.III:443: waiting 10 seconds 2014.09.23 19:24:32 LOG5[588]: s_connect: connected XXX.YYY.UUU.III:443 2014.09.23 19:24:32 LOG5[588]: Service [https] connected remote server from 192.168.3.220:49165 <http://192.168.3.220:49165> 2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized 2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): before/connect initialization 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3 write client hello A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server hello A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server certificate A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server certificate request A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server done A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client certificate A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client key exchange A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write certificate verify A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write change cipher spec A 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write finished A 2014.09.23 
19:24:32 LOG7[588]: SSL state (connect): SSLv3 flush data 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read finished A So I am sorry to say that I cannot reproduce that bug. Anyway there are many services, on a heavy loaded machine, that can slow down the service startup or interfere with file management : Antivirus ? try to deactivate it. Firewall : the same... any other piece of software that is not absolutely necessary at boot time. Plus : Even if you don't use hostnames in conf file I suggest that you try "dnscache" dependency anyway: because you probably have hostnames in your certificates. Regards Pierre Le 23/09/2014 18:05, John Smith a écrit :
Network: Ethernet Multiple routers: No Firewall: No Delay: Yes, Automitic (Delayed Start) works like a charm. Capi engine: Yes tried turning it off 32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit version on the download page? dnscache: Haven't tried it yet. - stunnel works fine on the server specifically with the service set to Automatic (Delayed Start). And I even tunnel properly to other machines so it not firewalls or routers or network. - Only when it's NOT (Delayed Start) stunnel doe not seem to start even though the service shows as started. - I managed to tunnel from my Desktop to the Server. I have not tried automatic service startup on Desktop because I don't have enough privilidges. But trying to setup the server, since that's the machine that will have stunnel in production. On 23 September 2014 10:04, Pierre DELAAGE <delaage.pierre@free.fr <mailto:delaage.pierre@free.fr>> wrote: Have you tried to change the service dependency from "TCPIP" (the default in the code), to "dnscache" (ok, EVEN if you do not use hostname resolution), this is just to be sure that stunnel relies on something that is using tcpip as well. question : what kind of network interface do you have : wifi ? ethernet board ? Are you traversing multiple routers ? Are you using multiple firewalls ? Have you tuned a delay as suggested a few days ago ? Can you try without specifying "capi engine" ? Are you using stunnel 32 bits or 64 bits : if 64, try the 32 version as well. I am reviewing the code and soon enter some test on w7-32bits. Regards Pierre Le 23/09/2014 15:30, John Smith a écrit :
I wish you were right but unfortunately it's running lol On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre@free.fr <mailto:delaage.pierre@free.fr>> wrote: When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running... I have a doubt that, although scm says stunnel is running, in fact it is not. Regards Pierre Le 22/09/2014 21:43, John Smith a écrit :
Hi I used administrator account and defaults to install. It is installed at Program Files (x86) The service is set to run as local system account and interact with desktop is checked. Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly. My config is as follows: ; Debugging stuff (may useful for troubleshooting) ;debug = 7 output = stunnel.log ; Initialize Microsoft CryptoAPI interface engine = capi ; Also needs "engineID = capi" in each section using the CAPI engine [es-tcp] accept = ${SERVER_IP}:9300 connect = 127.0.0.1:9300 <http://127.0.0.1:9300> cert = .... CAfile = .... verify = 2 [es-http] accept = ${SERVER_IP}:9200 connect = 127.0.0.1:9200 <http://127.0.0.1:9200> cert = .... CAfile = .... verify = 2 [es-disc-local] client = yes accept = 127.0.0.1:9700 <http://127.0.0.1:9700> connect = ${SERVER_IP}:9300 cert = .... On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre@free.fr <mailto:delaage.pierre@free.fr>> wrote: Hello, I can tell my patch was adressing read file error on conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core pb preventing stunnel to start correctly at boot time for people on that thread. Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation. But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail. I suggest that stunnel checks, not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well known server. it should retry during, eg, 3 seconds, and then stops with some reports if failing to resolve the hostname, either by lack of network, or by lack of answer from the name resolver. 
But...it seems that when having problems at startup, it cannot even log anything....maybe this is due to the identity of "system user" of stunnel at that particular moment: user that may have no right to write on the HD. People should check also the installation location of stunnel : it is supposed (and have predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend to use that location. They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure. On some network or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports. On another hand, it sounds strange that just restarting stunnel (in user mode or service mode ?) is solving the problem : this sounds like unavailability of DNS at startup. I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505). Yours sincerely Pierre Le 22/09/2014 19:20, 541401@gmail.com <mailto:541401@gmail.com> a écrit :
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64). During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly. Pierre DeLagge was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required. I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service? Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account. On 09.22.2014 06:54, John Smith wrote:
> I tried 5.04. on Windows Server 2008 R2 Enterprise Service Pack 1 x64
>
> Same issue. Service shows as started, but no log. If I go manual restart it works.
>
> Have to put delayed startup.
>
> On 18 September 2014 16:15, John Smith <java.dev.mtl@gmail.com> wrote:
>
> For now I'm happy with 5.03 Already in production so I will have to wait next time! :)
>
> On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
>
> Jose Alf. wrote:
> > Regarding stunnel service dependencies, If you read the 5.04 beta
> > announcement, the dependency is created automatically now when you
> > install stunnel as a service. Please give it a try. Looks like it
> > works for me.
> >
> > Thanks to Mike for implementing that.
>
> Thank you for testing it.
>
> Best regards,
> Mike
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org <mailto:stunnel-users@stunnel.org> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Hi Guys,
Can anyone reproduce this issue? Could you attach a debugger and see why it didn't create the log file? I'd be glad to at least see the list of open file handles to get some clues about the state of the process... Some Sysinternals tools can get this information, e.g. Process Explorer.
Mike
John Smith wrote:
I wish you were right but unfortunately it's running lol
On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre@free.fr> wrote:
When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
I have a doubt that, although scm says stunnel is running, in fact it is not.
Regards Pierre
On 22/09/2014 21:43, John Smith wrote:
Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
The service is set to run as local system account and interact with desktop is checked.
Once the machine is booted... Login open service control panel, stunnel shows as started. Go look at logs nothing there... In service control panel hit the restart button. And it comes up properly.
My config is as follows:
; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = stunnel.log
; Initialize Microsoft CryptoAPI interface
engine = capi
; Also needs "engineID = capi" in each section using the CAPI engine
[es-tcp]
accept = ${SERVER_IP}:9300
connect = 127.0.0.1:9300
cert = ....
CAfile = ....
verify = 2
[es-http]
accept = ${SERVER_IP}:9200
connect = 127.0.0.1:9200
cert = ....
CAfile = ....
verify = 2
[es-disc-local]
client = yes
accept = 127.0.0.1:9700
connect = ${SERVER_IP}:9300
cert = ....
On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre@free.fr> wrote:
Hello, I can tell my patch was addressing read file error on conf file, but, unfortunately, not at all "dependencies of stunnel service at start up", which is likely to be the core pb preventing stunnel to start correctly at boot time for people on that thread.
Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation.
But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
I suggest that stunnel checks, not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well known server. It should retry during, eg, 3 seconds, and then stops with some reports if failing to resolve the hostname, either by lack of network, or by lack of answer from the name resolver.
But... it seems that when having problems at startup, it cannot even log anything... maybe this is due to the identity of "system user" of stunnel at that particular moment: user that may have no right to write on the HD.
People should check also the installation location of stunnel : it is supposed (and have predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel". I recommend to use that location.
They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
On some network or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
On another hand, it sounds strange that just restarting stunnel (in user mode or service mode ?) is solving the problem : this sounds like unavailability of DNS at startup.
I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505).
Yours sincerely Pierre
On 22/09/2014 19:20, 541401@gmail.com wrote:
Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
Pierre Delaage was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
On 09.22.2014 06:54, John Smith wrote:
I tried 5.04. on Windows Server 2008 R2 Enterprise Service Pack 1 x64
Same issue. Service shows as started, but no log. If I go manual restart it works.
Have to put delayed startup.
On 18 September 2014 16:15, John Smith <java.dev.mtl@gmail.com> wrote:
For now I'm happy with 5.03 Already in production so I will have to wait next time! :)
On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
Jose Alf. wrote:
Regarding stunnel service dependencies, If you read the 5.04 beta announcement, the dependency is created automatically now when you install stunnel as a service. Please give it a try. Looks like it works for me.
Thanks to Mike for implementing that.
Thank you for testing it.
Best regards, Mike
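An added diagnostic example (not code from the thread or from the stunnel project) that gathers the checks raised above right after a reboot: what the SCM reports versus whether a process really exists, the delayed-start flag and dependencies, the state of the log file, and a DNS probe retried for 3 seconds. The service name, log path and probe host are assumptions to adjust; only calls available in the PowerShell 2.0 shipped with Windows Server 2008 R2 are used.

```powershell
# Added diagnostic sketch, not from the thread or the stunnel project.
param(
    [string]$ServiceName = 'stunnel',        # assumed service name
    [string]$LogPath = 'C:\Program Files (x86)\stunnel\stunnel.log',  # assumed log location
    [string]$ProbeHost = 'www.stunnel.org',  # assumed: use a hostname from your own stunnel.conf
    [int]$TimeoutSeconds = 3
)

# 1. What the SCM reports versus whether the process really exists.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$proc = $null
if ($svc.ProcessId -ne 0) {
    $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
}
"SCM state     : $($svc.State) (start mode $($svc.StartMode), account $($svc.StartName))"
"Process alive : $([bool]$proc) (PID $($svc.ProcessId))"

# 2. Delayed-start flag and declared service dependencies.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$flag = Get-ItemProperty -Path $key -Name DelayedAutostart -ErrorAction SilentlyContinue
"Delayed start : $($flag.DelayedAutostart -eq 1)"
$deps = (Get-Service -Name $ServiceName).ServicesDependedOn | ForEach-Object { $_.Name }
"Depends on    : $($deps -join ', ')"

# 3. Log file state: a missing or stale log after boot matches the reported symptom.
if (Test-Path $LogPath) {
    $log = Get-Item $LogPath
    "Log file      : $($log.Length) bytes, last written $($log.LastWriteTime)"
} else {
    "Log file      : missing"
}

# 4. DNS probe with a bounded retry window (3 seconds by default).
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$resolved = $false
do {
    try {
        [System.Net.Dns]::GetHostAddresses($ProbeHost) | Out-Null
        $resolved = $true
    } catch {
        Start-Sleep -Milliseconds 250
    }
} while (-not $resolved -and (Get-Date) -lt $deadline)
"DNS resolved  : $resolved for $ProbeHost within $TimeoutSeconds s"
```

Run it from an elevated prompt right after a reboot, before restarting the service by hand, so the output reflects the failing state.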