[stunnel-users] Stunnel 4.26 - AIX 5.3
Spence, Thomas Civ 844 CS/SCBX
Thomas.Spence at pentagon.af.mil
Thu Jan 22 16:25:43 CET 2009
Claus,
After I type:
# stunnel
# ps -ef | grep stunnel
stunnel 295006 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 348182 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 454872 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 458864 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
stunnel 589834 1 0 09:49:38 - 0:00 /usr/local/bin/stunnel
stunnel 634882 1 0 09:49:38 pts/2 0:00 /usr/local/bin/stunnel
root 643180 463028 0 09:49:40 pts/2 0:00 grep stunnel
About 10 minutes later,
# ps -ef | grep stunnel
root 381102 463028 0 10:03:59 pts/2 0:00 grep stunnel
Any idea why? Must I have 'socket' in stunnel.conf? I took it off because I
want it to run for 24 hours/7 days...
Tom
-----Original Message-----
From: Lund, Claus [mailto:Claus.Lund at state.vt.us]
Sent: Thursday, January 22, 2009 8:21 AM
To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce at mirt.net;
stunnel-users at mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
If you're allowed to have the telnetd daemon available through inetd
then you can just use "connect = localhost:23" instead of "exec =
/usr/sbin/telnetd". That should work. A config file like this works on
my end when telnetd is available through inetd:
cert = /etc/stunnel/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
; PID is created inside chroot jail
pid = /stunnel_telnet.pid
;debug = 7
output = /tmp/stunnel.log
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
[tssl]
accept = 7443
connect = localhost:23
-Claus
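As an added example (editor's code, not from Claus, Tom or the stunnel project): a small Python linter that parses both stunnel.conf files posted in this thread, the hardened one above and the minimal one with "exec = /usr/sbin/telnetd" quoted further down, and reports the settings a reviewer would question. The finding names are this example's own; the "obsolete-protocol" check reflects the later deprecation of SSLv2/SSLv3 (RFC 7568), not anything stunnel 4.26 itself reported, and "exec-mode" only marks the mode the thread says dies after the first connection.

```python
"""Lint stunnel.conf files for the settings questioned in this thread.

Added example (editor's code, not stunnel's or the posters'). Parses the
global section and [service] sections of a stunnel.conf and reports:
  no-chroot / no-privilege-drop : chroot, setuid or setgid missing
  pid-file-disabled             : 'pid =' left empty ("No pid file being created")
  obsolete-protocol:<v>         : sslVersion pinned to SSLv2 or SSLv3
  exec-mode                     : service uses 'exec =' (the mode that dies in the thread)
  accept-all-interfaces         : bare port, so stunnel binds 0.0.0.0 ("tssl bound to 0.0.0.0:992")
The finding names are this example's own.
"""
from collections import defaultdict

# Both configurations are copied from the thread (comments trimmed).
MINIMAL_CONF = """\
pid =
cert = /usr/local/ssl/private/stunnel.pem
output = stunnel.log
[tssl]
accept = 992
exec = /usr/sbin/telnetd
"""

HARDENED_CONF = """\
cert = /etc/stunnel/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nogroup
pid = /stunnel_telnet.pid
;debug = 7
output = /tmp/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[tssl]
accept = 7443
connect = localhost:23
"""


def parse_stunnel_conf(text):
    """Return (global options, {service: options}).

    Every option value is a list, because keys such as 'socket' may repeat.
    Keys are lower-cased; ';' and '#' start comments.
    """
    global_opts = defaultdict(list)
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # new [service] section
            services[current] = defaultdict(list)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not an option line
        target = global_opts if current is None else services[current]
        target[key.strip().lower()].append(value.strip())
    return global_opts, services


def lint_stunnel_conf(text):
    """Return a sorted list of (scope, finding) tuples for the configuration."""
    g, services = parse_stunnel_conf(text)
    findings = []
    if "chroot" not in g:
        findings.append(("global", "no-chroot"))
    if "setuid" not in g or "setgid" not in g:
        findings.append(("global", "no-privilege-drop"))
    if "pid" in g and not any(g["pid"]):
        findings.append(("global", "pid-file-disabled"))
    for proto in g.get("sslversion", []):
        if proto.lower() in ("sslv2", "sslv3"):
            findings.append(("global", "obsolete-protocol:" + proto))
    for name, opts in services.items():
        if "exec" in opts:
            findings.append((name, "exec-mode"))
        for acc in opts.get("accept", []):
            if ":" not in acc:            # no host part: listens on every interface
                findings.append((name, "accept-all-interfaces"))
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("minimal", MINIMAL_CONF), ("hardened", HARDENED_CONF)):
        print(label)
        for scope, finding in lint_stunnel_conf(conf):
            print("  [%s] %s" % (scope, finding))
```

Running the file prints the findings for both configurations; the hardened one still reports the bare accept port and the SSLv3 pin, which is the reviewer's cue to add a host part to "accept" and to let stunnel negotiate a current TLS version instead.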
-----Original Message-----
From: Spence, Thomas Civ 844 CS/SCBX
[mailto:Thomas.Spence at pentagon.af.mil]
Sent: Thursday, January 22, 2009 8:13 AM
To: Lund, Claus; stunnel-announce at mirt.net; stunnel-users at mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Claus,
Exactly, you and I use the same method. Right now I am using stunnel
3.24, which I have been using for years without any problem. Yes, I do have
telnetd enabled through inetd like this:
telnet stream tcp6 nowait root /usr/sbin/tcpd /usr/sbin/telnetd -a
We are using tcp-wrappers which is required.
Hope it helps...
Tom
-----Original Message-----
From: Lund, Claus [mailto:Claus.Lund at state.vt.us]
Sent: Thursday, January 22, 2009 8:00 AM
To: Spence, Thomas Civ 844 CS/SCBX; stunnel-announce at mirt.net;
stunnel-users at mirt.net
Subject: RE: Stunnel 4.26 - AIX 5.3
Hi Tom,
We use stunnel a lot (including on AIX). And I know that way back when,
I was doing some testing with a similar setup and was never successful
getting the "exec = telnetd" to work quite right when stunnel was
running as a service.
I did some quick testing right now on one of our AIX boxes (using
stunnel 4.22) and it doesn't work for me either. Everything looks fine
when stunnel is started and the first connection comes along and works
beautifully... But then stunnel dies after the connection is closed.
I assume you're using the exec = /usr/bin/telnetd option because you
don't have telnetd enabled through inetd? We can't generally run telnetd
either so I understand that requirement. But maybe you can get a waiver
and leave it running behind a port that only accepts local connections?
_______________________________
Claus Lund
System Developer
Vermont Department of Taxes
802-828-3735
-----Original Message-----
From: stunnel-users-bounces at mirt.net
[mailto:stunnel-users-bounces at mirt.net] On Behalf Of Spence, Thomas Civ
844 CS/SCBX
Sent: Wednesday, January 21, 2009 4:59 PM
To: stunnel-announce at mirt.net; stunnel-users at mirt.net
Subject: [stunnel-users] Stunnel 4.26 - AIX 5.3
Dear Users,
* I'm running Stunnel 4.26 as a service, but it dies on logoff...
* Could you tell me which part I should comment out with "/* ... */" in
stunnel.c or protocol.c so that stunnel's daemon won't stop running?
* I am using stunnel.conf, like this:
-------
pid =
cert = /usr/local/ssl/private/stunnel.pem
output = stunnel.log
[tssl]
accept = 992
exec = /usr/sbin/telnetd
-------
*stunnel.log
-------
[/usr/local/etc/stunnel]# cat *.log
2009.01.21 16:42:54 LOG7[462906:1]: Snagged 64 random bytes from //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: Wrote 1024 new random bytes to //.rnd
2009.01.21 16:42:54 LOG7[462906:1]: RAND_status claims sufficient entropy for the PRNG
2009.01.21 16:42:54 LOG7[462906:1]: PRNG seeded successfully
2009.01.21 16:42:55 LOG7[462906:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Certificate loaded
2009.01.21 16:42:55 LOG7[462906:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2009.01.21 16:42:55 LOG7[462906:1]: Private key loaded
2009.01.21 16:42:55 LOG7[462906:1]: SSL context initialized for service tssl
2009.01.21 16:42:55 LOG5[462906:1]: stunnel 4.26 on powerpc-ibm-aix5.3.0.0 with OpenSSL 0.9.8j 07 Jan 2009
2009.01.21 16:42:55 LOG5[462906:1]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2009.01.21 16:42:55 LOG6[462906:1]: file ulimit = 65534 (can be changed with 'ulimit -n')
2009.01.21 16:42:55 LOG6[462906:1]: poll() used - no FD_SETSIZE limit for file descriptors
2009.01.21 16:42:55 LOG5[462906:1]: 31999 clients allowed
2009.01.21 16:42:55 LOG7[462906:1]: FD 10 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 11 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: FD 12 in non-blocking mode
2009.01.21 16:42:55 LOG7[462906:1]: SO_REUSEADDR option set on accept socket
2009.01.21 16:42:55 LOG7[462906:1]: tssl bound to 0.0.0.0:992
2009.01.21 16:42:55 LOG7[540758:1]: No pid file being created
2009.01.21 16:43:17 LOG7[540758:1]: tssl accepted FD=0 from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: tssl started
2009.01.21 16:43:17 LOG7[540758:258]: FD 0 in non-blocking mode
2009.01.21 16:43:17 LOG7[540758:258]: Waiting for a libwrap process
2009.01.21 16:43:17 LOG7[540758:258]: Acquired libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Releasing libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: Released libwrap process #0
2009.01.21 16:43:17 LOG7[540758:258]: tssl permitted by libwrap from x.x.x.x:3532
2009.01.21 16:43:17 LOG5[540758:258]: tssl accepted connection from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): before/accept initialization
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server hello A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write certificate A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write server done A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read client key exchange A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 read finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write change cipher spec A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 write finished A
2009.01.21 16:43:17 LOG7[540758:258]: SSL state (accept): SSLv3 flush data
2009.01.21 16:43:17 LOG7[540758:258]: 1 items in the session cache
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects (SSL_connect())
2009.01.21 16:43:17 LOG7[540758:258]: 0 client connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 client renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects (SSL_accept())
2009.01.21 16:43:17 LOG7[540758:258]: 1 server connects that finished
2009.01.21 16:43:17 LOG7[540758:258]: 0 server renegotiations requested
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache hits
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache misses
2009.01.21 16:43:17 LOG7[540758:258]: 0 session cache timeouts
2009.01.21 16:43:17 LOG6[540758:258]: SSL accepted: new session negotiated
2009.01.21 16:43:17 LOG6[540758:258]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2009.01.21 16:43:17 LOG7[540758:258]: bind#1: Invalid argument (22)
2009.01.21 16:43:17 LOG7[540758:258]: bind#2: Invalid argument (22)
2009.01.21 16:43:17 LOG6[540758:258]: Local mode child started (PID=639170)
2009.01.21 16:43:17 LOG7[540758:258]: Remote FD=13 initialized
2009.01.21 16:43:34 LOG7[540758:258]: Socket closed on read
2009.01.21 16:43:34 LOG7[540758:258]: SSL write shutdown
2009.01.21 16:43:34 LOG7[540758:258]: SSL alert (write): warning: close notify
2009.01.21 16:43:34 LOG6[540758:258]: SSL socket closed on SSL_shutdown
2009.01.21 16:43:34 LOG7[540758:258]: Socket write shutdown
2009.01.21 16:43:34 LOG5[540758:258]: Connection closed: 8360 bytes sent to SSL, 101 bytes sent to socket
2009.01.21 16:43:34 LOG7[540758:258]: tssl finished (0 left)
-------
Your help will be appreciated... Thank you.
________________________________
Tom Spence
AIX Sys Adm
ABIDES System Support
844th CS/SCBX
Pentagon - MD822
_______________________________________________
stunnel-users mailing list
stunnel-users at mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
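As an added example (editor's code, not part of Tom's post or of stunnel): a Python parser for the stunnel 4.x log format shown in the post above (date, time, LOGn[pid:tid], message). It groups lines by thread, pulls out the peer, the negotiated cipher and protocol, the exec-mode child PID, the byte counts at close, and any "call: strerror (errno)" lines such as the bind#1/bind#2 errors, then flags what an auditor would act on. The sample lines are an excerpt of the log above with the wrapped lines rejoined; the finding labels are this example's own, and the code does not explain the bind errors, which the thread leaves unexplained.

```python
"""Parse and audit stunnel 4.x log lines (added example, editor's code).

Format of the log posted in the thread:
    YYYY.MM.DD HH:MM:SS LOGn[pid:tid]: message
stunnel 4.x handles each connection on its own thread, so grouping by
(pid, tid) reassembles one connection's accept, handshake, cipher, child
and close lines. Finding labels are this example's own.
"""
import re
from collections import defaultdict

# Excerpt of the log above: the accept loop (tid 1) and one connection
# thread (tid 258); wrapped lines have been rejoined.
SAMPLE_LOG = """\
2009.01.21 16:42:55 LOG7[462906:1]: tssl bound to 0.0.0.0:992
2009.01.21 16:42:55 LOG7[540758:1]: No pid file being created
2009.01.21 16:43:17 LOG7[540758:1]: tssl accepted FD=0 from x.x.x.x:3532
2009.01.21 16:43:17 LOG7[540758:258]: tssl started
2009.01.21 16:43:17 LOG5[540758:258]: tssl accepted connection from x.x.x.x:3532
2009.01.21 16:43:17 LOG6[540758:258]: SSL accepted: new session negotiated
2009.01.21 16:43:17 LOG6[540758:258]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2009.01.21 16:43:17 LOG7[540758:258]: bind#1: Invalid argument (22)
2009.01.21 16:43:17 LOG7[540758:258]: bind#2: Invalid argument (22)
2009.01.21 16:43:17 LOG6[540758:258]: Local mode child started (PID=639170)
2009.01.21 16:43:34 LOG5[540758:258]: Connection closed: 8360 bytes sent to SSL, 101 bytes sent to socket
2009.01.21 16:43:34 LOG7[540758:258]: tssl finished (0 left)
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) "
                     r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"accepted connection from (?P<peer>\S+)")
CIPHER_RE = re.compile(r"Negotiated ciphers: (?P<cipher>\S+) (?P<proto>\S+)")
CHILD_RE = re.compile(r"Local mode child started \(PID=(?P<child>\d+)\)")
CLOSED_RE = re.compile(r"Connection closed: (?P<to_ssl>\d+) bytes sent to SSL, "
                       r"(?P<to_sock>\d+) bytes sent to socket")
# stunnel reports a failed system call as "<call>[#n]: <strerror> (<errno>)"
SYSERR_RE = re.compile(r"^(?P<call>\w+(?:#\d+)?): (?P<what>[^()]+) \((?P<errno>\d+)\)$")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
LEGACY_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP")  # substrings of OpenSSL cipher names


def _new_session():
    return {"peer": None, "cipher": None, "protocol": None, "child_pid": None,
            "bytes_to_ssl": None, "bytes_to_socket": None, "errors": []}


def parse_stunnel_log(text):
    """Return {(pid, tid): session dict} for every thread that logged anything."""
    sessions = defaultdict(_new_session)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, separator or wrapped fragment: not a log line
        s = sessions[(int(m["pid"]), int(m["tid"]))]
        msg = m["msg"]
        f = PEER_RE.search(msg)
        if f:
            s["peer"] = f["peer"]
            continue
        f = CIPHER_RE.search(msg)
        if f:
            s["cipher"], s["protocol"] = f["cipher"], f["proto"]
            continue
        f = CHILD_RE.search(msg)
        if f:
            s["child_pid"] = int(f["child"])
            continue
        f = CLOSED_RE.search(msg)
        if f:
            s["bytes_to_ssl"] = int(f["to_ssl"])
            s["bytes_to_socket"] = int(f["to_sock"])
            continue
        if SYSERR_RE.match(msg):
            s["errors"].append(msg)  # keep the raw line; errno is in the text
    return dict(sessions)


def audit_stunnel_log(text):
    """Return sorted (pid, tid, finding) triples an auditor would act on."""
    findings = []
    for (pid, tid), s in parse_stunnel_log(text).items():
        if s["protocol"] in LEGACY_PROTOCOLS:
            findings.append((pid, tid, "legacy-protocol:" + s["protocol"]))
        if s["cipher"] and any(mark in s["cipher"] for mark in LEGACY_CIPHER_MARKERS):
            findings.append((pid, tid, "legacy-cipher:" + s["cipher"]))
        for err in s["errors"]:
            findings.append((pid, tid, "syscall-error:" + err))
    return sorted(findings)


if __name__ == "__main__":
    for pid, tid, finding in audit_stunnel_log(SAMPLE_LOG):
        print("%d:%d %s" % (pid, tid, finding))
```

Pointed at a full debug-7 log, the same grouping also shows whether the accept-loop thread (tid 1) keeps logging after a connection thread finishes; in the log above it does not, which is the symptom Tom describes.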