I'm configuring stunnel to encrypt a single client-mode connection:
client = yes
foreground = yes
syslog = yes
pid =

[stunnel-localhost]
accept = localhost:4608
connect = localhost:4606
Why does that result in _six_ stunnel processes?
[one parent and 5 children]?
It's going to look ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
I can see two processes (one for data flowing in each direction) but six seems way overboard.
On 2011-10-10, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> I'm configuring stunnel to encrypt a single client-mode connection:
>
> client = yes
> foreground = yes
> syslog = yes
> pid =
>
> [stunnel-localhost]
> accept = localhost:4608
> connect = localhost:4606
>
> Why does that result in _six_ stunnel processes?
> [one parent and 5 children]?
> It's going to look ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
> I can see two processes (one for data flowing in each direction) but six seems way overboard.
Apparently the 5 children all belong to libwrap? I had configured "libwrap = no", but that didn't seem to matter. Rebuilding stunnel without libwrap support got rid of the 5 useless processes.
On Mon, 10 Oct 2011 19:25:04 +0000 (UTC), Grant Edwards wrote:
> It's going to look ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
It's even more ridiculous to start four instances of stunnel instead of a single instance with four sections... 8-)
Mike
On Tue, 2011-10-11 18:12:15 +0200, Michal Trojnara wrote:
> On Mon, 10 Oct 2011 19:25:04 +0000 (UTC), Grant Edwards wrote:
>> It's going to look ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
> It's even more ridiculous to start four instances of stunnel instead of a single instance with four sections... 8-)
We also do run several instances of stunnel with "verify = 3", each with a different set of certificates.
That way, I'm able to allow mail access, but e.g. no SQL access to certain users.
Ludolf
On Tue, 11 Oct 2011 18:25:00 +0200, Ludolf Holzheid wrote:
> We also do run several instances of stunnel with "verify = 3", each with a different set of certificates.
You can specify a separate set of certificates for each service section since stunnel 4.15 (released in March 2006).
Mike
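
The single-instance layout suggested in the reply above, as an added example that is not part of the original thread: two server-mode service sections, each with "verify = 3" and its own certificate set. The section names, ports and file paths are hypothetical placeholders.

```ini
; One stunnel instance, two services, each trusting a different set of
; client certificates. Section names, ports and paths are hypothetical.

; Global options (same as in the configuration that opens the thread)
foreground = yes
syslog = yes
pid =

[imaps]
accept = 993
connect = localhost:143
cert = /etc/stunnel/server.pem
; verify = 3: verify the peer against locally installed certificates
verify = 3
; Certificates accepted for mail access only
CAfile = /etc/stunnel/mail-clients.pem

[mysqls]
accept = 3307
connect = localhost:3306
cert = /etc/stunnel/server.pem
verify = 3
; Certificates accepted for SQL access only
CAfile = /etc/stunnel/sql-clients.pem
```

A client whose certificate is installed only in the mail set can connect to the first service and is rejected by the second.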
On Tue, 2011-10-11 18:44:11 +0200, Michal Trojnara wrote:
> On Tue, 11 Oct 2011 18:25:00 +0200, Ludolf Holzheid wrote:
>> We also do run several instances of stunnel with "verify = 3", each with a different set of certificates.
> You can specify a separate set of certificates for each service section since stunnel 4.15 (released in March 2006).
Ah, o.k, I didn't realize that.
Our stunnel configuration dates back to Oct 21 2005 and migrated from hardware to hardware and stunnel version to stunnel version without substantial changes. ("Never change a running system" -- and it's running great.)
;-)
Ludolf
On 2011-10-11, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
> On Tue, 11 Oct 2011 18:25:00 +0200, Ludolf Holzheid wrote:
>> We also do run several instances of stunnel with "verify = 3", each with a different set of certificates.
> You can specify a separate set of certificates for each service section since stunnel 4.15 (released in March 2006).
What if you only know what the contents are for a single service section?
On 2011-10-11, Michal Trojnara <Michal.Trojnara@mirt.net> wrote:
> On Mon, 10 Oct 2011 19:25:04 +0000 (UTC), Grant Edwards wrote:
>> It's going to look ridiculous if I have four instances like that configured and end up with _24_ stunnel processes.
> It's even more ridiculous to start four instances of stunnel instead of a single instance with four sections... 8-)
Each instance must start and stop independently, and the program that's starting each instance has no knowledge of the existence of the other instances, let alone what the configuration needs to be for them.