[stunnel-users] stunnel automatically listening to extra ports: BAD

Alan Pinstein apinstein at mac.com
Fri Jan 11 20:31:58 CET 2008 

Hi All-

I am using stunnel to secure a connection between a local python  
script using telnetlib and a custom sockets-based server requiring  
SSL, from local port 4449 to remote port 4449. This is done via:

stunnel /opt/www/domains/admin.showcasere.com/showcase/classes/ 
opensrs-php/stunnel-app.conf

where the conf file is:
> client = yes
> pid = /opt/www/domains/admin.showcasere.com/runtime/stunnel.pid
> debug = 7
> [telnet]
> accept = 4449
> connect = admin.hostedemail.com:4449


Functionally, everything works for my application, but I am  
experiencing a bad side-effect.

stunnel is ALSO setting up listeners on HTTP and HTTPS ports, and  
when my daily logrotate scripts run and HUP apache, stunnel steals  
the web server's ports and the server won't come back up! I had 7  
hours of downtime today because of this.

I've done a bunch of debugging and can't figure out what's going on.  
I have only one guess: stunnel automatically listens on any ports  
that the process calling stunnel is listening on, in some sort of  
attempt to seamlessly add SSL to existing daemons. I can't find any  
docs or tell from the source code, but it's the only idea I can't  
rule out...

Here is the debug log of the startup of stunnel (which is run from an  
apache/php script):

Jan 11 13:10:13 bigwoody stunnel: LOG5[13964:3086333632]: stunnel  
4.14 on i386-redhat-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL  
0.9.8a 11 Oct 2005
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: RAND_status  
claims sufficient entropy for the PRNG
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: PRNG seeded  
successfully
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: file ulimit  
= 1024 (can be changed with 'ulimit -n')
Jan 11 13:10:13 bigwoody stunnel: LOG6[13964:3086333632]: poll() used  
- no FD_SETSIZE limit for file descriptors
Jan 11 13:10:13 bigwoody stunnel: LOG5[13964:3086333632]: 500 clients  
allowed
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 31 in  
non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 32 in  
non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: FD 33 in  
non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]:  
SO_REUSEADDR option set on accept socket
Jan 11 13:10:13 bigwoody stunnel: LOG7[13964:3086333632]: telnet  
bound to 0.0.0.0:4449
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: Created pid  
file /opt/www/domains/admin.showcasere.com/runtime/stunnel.pid
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: telnet  
accepted FD=34 from 127.0.0.1:48335
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet started
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 34 in  
non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 35 in  
non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 36 in  
non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086333632]: Cleaning up  
the signal pipe
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086333632]: Child  
process 13967 finished with code 0
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Connection  
from 127.0.0.1:48335 permitted by libwrap
Jan 11 13:10:13 bigwoody stunnel: LOG5[13965:3086330784]: telnet  
connected from 127.0.0.1:48335
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: FD 35 in  
non-blocking mode
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet  
connecting 216.40.42.6:4449
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:  
connect_wait: waiting 10 seconds
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:  
connect_wait: connected
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Remote  
FD=35 initialized
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): before/connect initialization
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 write client hello A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 read server hello A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 read server certificate A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 read server done A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 write client key exchange A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 write change cipher spec A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 write finished A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 flush data
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL state  
(connect): SSLv3 read finished A
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    1 items  
in the session cache
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    1 client  
connects (SSL_connect())
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    1 client  
connects that finished
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    0 client  
renegotiatations requested
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    0 server  
connects (SSL_accept())
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    0 server  
connects that finished
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    0 server  
renegotiatiations requested
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    0  
session cache hits
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    0  
session cache misses
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]:    0  
session cache timeouts
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086330784]: SSL  
connected: new session negotiated
Jan 11 13:10:13 bigwoody stunnel: LOG6[13965:3086330784]: Negotiated  
ciphers: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4 
(128)  Mac=MD5
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: SSL socket  
closed on SSL_read
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: Socket  
write shutdown
Jan 11 13:10:13 bigwoody stunnel: LOG5[13965:3086330784]: Connection  
closed: 91 bytes sent to SSL, 73 bytes sent to socket
Jan 11 13:10:13 bigwoody stunnel: LOG7[13965:3086330784]: telnet  
finished (0 left)

And then, you can see what stunnel is listening on:

[root at bigwoody custom_img]# lsof -i | grep stunnel
stunnel   13965    apache    4u  IPv4 156503478       TCP  
static-216.114.79.43.primarynetwork.com:http (LISTEN)
stunnel   13965    apache    5u  IPv4 156503480       TCP  
static-216.114.79.43.primarynetwork.com:https (LISTEN)
stunnel   13965    apache   30u  IPv4 156771437       TCP  
localhost.localdomain:51333->localhost.localdomain:9676 (ESTABLISHED)
stunnel   13965    apache   33u  IPv4 156846546       TCP  
*:privatewire (LISTEN)

If I start up stunnel from the command line as "root" or another user  
even, it only listens on the port listed in the conf file.

Does anyone have any idea what's going on here? How can I turn off  
this behavior?

Thanks!
Alan

More information about the stunnel-users mailing list