Why 6 processes for single client-mode service configuration?
I'm configuring stunnel to encrypt a single client-mode connection: client = yes foreground = yes syslog = yes pid = [stunnel-localhost] accept = localhost:4608 connect = localhost:4606 Why does that result in _six_ stunnel processes? [one parent and 5 children]? It's going to look a ridiculous if I have four instances like that configured and end up with _24_ stunnel processes. I can see two processes (one for data flowing in each direction) but six seems way overboard. -- Grant Edwards grant.b.edwards Yow! I feel like a wet at parking meter on Darvon! gmail.com
On 2011-10-10, Grant Edwards <grant.b.edwards@gmail.com> wrote:
I'm configuring stunnel to encrypt a single client-mode connection:
client = yes foreground = yes syslog = yes pid = [stunnel-localhost] accept = localhost:4608 connect = localhost:4606
Why does that result in _six_ stunnel processes?
[one parent and 5 children]?
It's going to look a ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
I can see two processes (one for data flowing in each direction) but six seems way overboard.
Apparently the 5 children all belong to libwrap? I had configured "libwrap = no", but that didn't seem to matter. Rebuilding stunnel without libwrap support got rid of the 5 useless processes. -- Grant Edwards grant.b.edwards Yow! A can of ASPARAGUS, at 73 pigeons, some LIVE ammo, gmail.com and a FROZEN DAQUIRI!!
On Mon, 10 Oct 2011 19:25:04 +0000 (UTC), Grant Edwards wrote:
It's going to look a ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
It's even more ridiculous to start four instances of stunnel instead of a single instance with four sections... 8-) Mike
On Tue, 2011-10-11 18:12:15 +0200, Michal Trojnara wrote:
On Mon, 10 Oct 2011 19:25:04 +0000 (UTC), Grant Edwards wrote:
It's going to look a ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
It's even more ridiculous to start four instances of stunnel instead of a single instance with four sections... 8-)
We also do run several instances of stunnel with "verify = 3", each with a different set of certificates. That way, I'm able to allow mail access, but e.g. no SQL access to certain users. Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid@bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------
On Tue, 11 Oct 2011 18:25:00 +0200, Ludolf Holzheid wrote:
We also do run several instances of stunnel with "verify = 3", each with a different set of certificates.
You can specify separate set of certificates for each service section since stunnel 4.15 (released in March 2006). Mike
On Tue, 2011-10-11 18:44:11 +0200, Michal Trojnara wrote:
On Tue, 11 Oct 2011 18:25:00 +0200, Ludolf Holzheid wrote:
We also do run several instances of stunnel with "verify = 3", each with a different set of certificates.
You can specify separate set of certificates for each service section since stunnel 4.15 (released in March 2006).
Ah, o.k, I didn't realize that. Our stunnel configuration dates back to Oct 21 2005 and migrated from hardware to hardware and stunnel version to stunnel version without substantial changes. ("Never change a running system" -- and it's running great.) ;-) Ludolf -- --------------------------------------------------------------- Ludolf Holzheid Tel: +49 621 339960 Bihl+Wiedemann GmbH Fax: +49 621 3392239 Floßwörthstraße 41 e-mail: lholzheid@bihl-wiedemann.de D-68199 Mannheim, Germany ---------------------------------------------------------------
On 2011-10-11, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
On Tue, 11 Oct 2011 18:25:00 +0200, Ludolf Holzheid wrote:
We also do run several instances of stunnel with "verify = 3", each with a different set of certificates.
You can specify separate set of certificates for each service section since stunnel 4.15 (released in March 2006).
What if you only know what the contents are for a single service section? -- Grant Edwards grant.b.edwards Yow! I'm having an at EMOTIONAL OUTBURST!! But, gmail.com uh, WHY is there a WAFFLE in my PAJAMA POCKET??
On 2011-10-11, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
On Mon, 10 Oct 2011 19:25:04 +0000 (UTC), Grant Edwards wrote:
It's going to look a ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
It's even more ridiculous to start four instances of stunnel instead of a single instance with four sections... 8-)
Each instance must start and stop independently, and the program that's starting each instance has no knowlege of the existence of the other instances let alone what the configuration needs to be for them. -- Grant Edwards grant.b.edwards Yow! ... the HIGHWAY is at made out of LIME JELLO and gmail.com my HONDA is a barbequeued OYSTER! Yum!
participants (3)
-
Grant Edwards -
Ludolf Holzheid -
Michal Trojnara