[stunnel-users] Stunnel as windows service doesn't start on restart.
Pierre DELAAGE
delaage.pierre at free.fr
Wed Sep 24 18:22:52 CEST 2014
Dear all,
I will send it to John, but I do not think it will solve this
particular issue.
Anyway, let's try and see.
Regards
Pierre
On 24/09/2014 17:59, 541401 at gmail.com wrote:
> Ask Pierre for a copy of his patched 5.02, I bet that will solve your
> problem.
>
>
>
> On 09.24.2014 08:51, John Smith wrote:
>> Anyways I don't know what to say. But adding dnscache as dependency
>> didn't do anything either. Same issue service on bootup shows as
>> started but no logs. Restarting it through Service Control Manager
>> works.
>>
>> Automatic (Delayed Start) at least for me works fine. I'll continue
>> working with that for now...
>>
>> On 23 September 2014 14:27, John Smith <java.dev.mtl at gmail.com> wrote:
>>
>> Ok when I have a chance I will try dnscache
>>
>> On 23 September 2014 14:05, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>
>> Sorry to tell but...
>>
>> On a windows 7 home machine, with a HOSTNAME in the stunnel
>> conf, NO DELAY at service startup :
>> I can start the service, then reboot,
>> then, at first, my log file is saying ": Error resolving
>> 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)"
>> and later, when I try to use the tunnel (and at that time dns
>> is working), resolving is working...
>>
>> and everything is OK so....
>>
>> Even if dns is NOT available at startup, stunnel 504 is able
>> to resolve "later" the remote server hostname.
>>
>>
>>
>> 2014.09.23 19:23:17 LOG7[2612]: No limit detected for the
>> number of clients
>> 2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on
>> x86-pc-msvc-1500 platform
>> 2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL
>> 1.0.1i-fips 6 Aug 2014
>> 2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32
>> Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
>> 2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
>> 2014.09.23 19:23:17 LOG5[2612]: Reading configuration from
>> file stunnel.conf
>> 2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
>> 2014.09.23 19:23:17 LOG7[2612]: Compression disabled
>> 2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from
>> C:/.rnd
>> 2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes
>> to C:/.rnd
>> 2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
>> 2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
>>
>> 2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ':
>> Neither nodename nor servname known (EAI_NONAME)
>>
>> 2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target
>> - delaying DNS lookup/(COMMENT : stunnel is a good fellow !)/
>>
>> 2014.09.23 19:23:17 LOG6[2612]: Loading cert from file:
>> C:\Users\standard\Documents\Perso\SSL\johndoe.crt
>> 2014.09.23 19:23:18 LOG6[2612]: Loading key from file:
>> C:\Users\standard\Documents\Perso\SSL\johndoe.uky
>> 2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
>> 2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
>> 2014.09.23 19:23:18 LOG5[2612]: Configuration successful
>> 2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348)
>> bound to 127.0.0.1:81
>> 2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted
>> (FD=208) from 127.0.0.1:49164
>> 2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
>> 2014.09.23 19:24:32 LOG7[2612]: New thread created
>> 2014.09.23 19:24:32 LOG7[588]: Service [https] started
>> 2014.09.23 19:24:32 LOG5[588]: Service [https] accepted
>> connection from 127.0.0.1:49164
>> 2014.09.23 19:24:32 LOG6[588]: s_connect: connecting
>> XXX.YYY.UUU.III:443
>> 2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait
>> XXX.YYY.UUU.III:443: waiting 10 seconds
>> 2014.09.23 19:24:32 LOG5[588]: s_connect: connected
>> XXX.YYY.UUU.III:443
>> 2014.09.23 19:24:32 LOG5[588]: Service [https] connected
>> remote server from 192.168.3.220:49165
>> 2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
>> 2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect):
>> before/connect initialization
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3
>> write client hello A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> read server hello A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> read server certificate A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> read server certificate request A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> read server done A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> write client certificate A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> write client key exchange A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> write certificate verify A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> write change cipher spec A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> write finished A
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> flush data
>> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>> read finished A
>>
>> So I am sorry to say that I cannot reproduce that bug.
>>
>> Anyway there are many services, on a heavy loaded machine,
>> that can slow down the service startup or interfere with file
>> management :
>>
>> Antivirus ? try to deactivate it.
>> Firewall : the same...
>> any other piece of software that is not absolutely necessary
>> at boot time.
>>
>> Plus : Even if you don't use hostnames in conf file I suggest
>> that you try "dnscache" dependency anyway:
>> because you probably have hostnames in your certificates.
>>
>> Regards
>> Pierre
>>
>>
>>
>> On 23/09/2014 18:05, John Smith wrote:
>>> Network: Ethernet
>>> Multiple routers: No
>>> Firewall: No
>>> Delay: Yes, Automatic (Delayed Start) works like a charm.
>>> Capi engine: Yes tried turning it off
>>> 32 bit or 64 bit: 32bit running on 64 bit server. I don't
>>> see a 64 bit version on the download page?
>>> dnscache: Haven't tried it yet.
>>>
>>>
>>> - stunnel works fine on the server specifically with the
>>> service set to Automatic (Delayed Start). And I even tunnel
>>> properly to other machines, so it's not firewalls or routers or
>>> network.
>>> - Only when it's NOT (Delayed Start) does stunnel not seem
>>> to start, even though the service shows as started.
>>> - I managed to tunnel from my Desktop to the Server. I have
>>> not tried automatic service startup on Desktop because I
>>> don't have enough privileges. But I'm trying to set up the
>>> server, since that's the machine that will have stunnel in
>>> production.
>>>
>>>
>>>
>>>
>>> On 23 September 2014 10:04, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>
>>> Have you tried to change the service dependency from
>>> "TCPIP" (the default in the code), to "dnscache" (ok,
>>> EVEN if you do not use hostname resolution),
>>> this is just to be sure that stunnel relies on something
>>> that is using tcpip as well.
>>>
>>> question : what kind of network interface do you have :
>>>
>>> wifi ?
>>> ethernet board ?
>>>
>>> Are you traversing multiple routers ?
>>>
>>> Are you using multiple firewalls ?
>>>
>>> Have you tuned a delay as suggested a few days ago ?
>>>
>>> Can you try without specifying "capi engine" ?
>>>
>>> Are you using stunnel 32 bits or 64 bits : if 64, try
>>> the 32 version as well.
>>>
>>> I am reviewing the code and will soon run some tests on
>>> w7-32bits.
>>>
>>> Regards
>>> Pierre
>>>
>>>
>>>
>>> On 23/09/2014 15:30, John Smith wrote:
>>>> I wish you were right but unfortunately it's running lol
>>>>
>>>> On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>>
>>>> When you observe that log is empty and that
>>>> "stunnel shows as started",
>>>> do a CTRL ALT DEL to check if there is any process
>>>> called "stunnel" that is really running...
>>>>
>>>> I have a doubt that, although scm says stunnel is
>>>> running, in fact it is not.
>>>>
>>>> Regards
>>>> Pierre
>>>>
>>>> On 22/09/2014 21:43, John Smith wrote:
>>>>> Hi I used administrator account and defaults to
>>>>> install. It is installed at Program Files (x86)
>>>>>
>>>>> The service is set to run as local system account
>>>>> and interact with desktop is checked.
>>>>>
>>>>> Once the machine is booted... Login open service
>>>>> control panel, stunnel shows as started. Go look
>>>>> at logs nothing there... In service control panel
>>>>> hit the restart button. And it comes up properly.
>>>>>
>>>>> My config is as follows:
>>>>>
>>>>> ; Debugging stuff (may be useful for troubleshooting)
>>>>> ;debug = 7
>>>>> output = stunnel.log
>>>>>
>>>>> ; Initialize Microsoft CryptoAPI interface
>>>>> engine = capi
>>>>> ; Also needs "engineID = capi" in each section using the CAPI engine
>>>>>
>>>>> [es-tcp]
>>>>> accept = ${SERVER_IP}:9300
>>>>> connect = 127.0.0.1:9300
>>>>> cert = ....
>>>>> CAfile = ....
>>>>> verify = 2
>>>>>
>>>>> [es-http]
>>>>> accept = ${SERVER_IP}:9200
>>>>> connect = 127.0.0.1:9200
>>>>> cert = ....
>>>>> CAfile = ....
>>>>> verify = 2
>>>>>
>>>>> [es-disc-local]
>>>>> client = yes
>>>>> accept = 127.0.0.1:9700
>>>>> connect = ${SERVER_IP}:9300
>>>>> cert = ....
>>>>>
>>>>>
>>>>>
>>>>> On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>>>
>>>>> Hello,
>>>>> I can tell my patch was addressing a read file
>>>>> error on the conf file,
>>>>> but, unfortunately, not at all "dependencies
>>>>> of stunnel service at start up",
>>>>> which is likely to be the core problem preventing
>>>>> stunnel from starting correctly at boot time for
>>>>> people on that thread.
>>>>>
>>>>> Michal added explicit dependencies at startup,
>>>>> that is necessary to solve that bug. I did not
>>>>> check yet its implementation.
>>>>>
>>>>> But maybe some services, although started, are
>>>>> still "not ready" when stunnel starts, so that
>>>>> this makes stunnel fail.
>>>>>
>>>>> I suggest that stunnel checks, not only the
>>>>> availability, but also the "efficiency" of the
>>>>> DNS service by trying to resolve a well known
>>>>> server.
>>>>> It should retry for, e.g., 3 seconds, and
>>>>> then stop with some report if it fails to
>>>>> resolve the hostname,
>>>>> either by lack of network, or by lack of
>>>>> answer from the name resolver.
>>>>> But...it seems that when having problems at
>>>>> startup, it cannot even log anything....maybe
>>>>> this is due to the identity of "system user"
>>>>> of stunnel at that particular moment: user
>>>>> that may have no right to write on the HD.
>>>>>
>>>>> People should check also the installation
>>>>> location of stunnel : it is supposed (and have
>>>>> predefined shortcuts for that) to be installed
>>>>> PREFERABLY in "c:\program files\stunnel".
>>>>> I recommend to use that location.
>>>>>
>>>>> They also should try to resolve by hand the
>>>>> hostnames they put in their stunnel conf file,
>>>>> just to be sure.
>>>>>
>>>>> On some network or machines, maybe there is a
>>>>> problem with the firewall and SOME services
>>>>> tunneled by stunnel on forbidden ports.
>>>>>
>>>>> On another hand, it sounds strange that just
>>>>> restarting stunnel (in user mode or service
>>>>> mode ?) is solving the problem :
>>>>> this sounds like unavailability of DNS at startup.
>>>>>
>>>>> I did not investigate that particular problem,
>>>>> but I will perform some tests soon with the
>>>>> last 504 (or 505).
>>>>>
>>>>> Yours sincerely
>>>>> Pierre
>>>>>
>>>>>
>>>>>
>>>>> On 22/09/2014 19:20, 541401 at gmail.com wrote:
>>>>>> Using Stunnel on several Windows Server 2008
>>>>>> R2 SP1 machines (all such machines are X64 as
>>>>>> the OS is only released as X64).
>>>>>>
>>>>>> During August of 2014 I reported in this
>>>>>> forum the current version of Stunnel would
>>>>>> not function as a service under the above OS,
>>>>>> even if using a delayed start, it might run
>>>>>> but it would not work. I reverted to using
>>>>>> version 4.35, which did work properly.
>>>>>>
>>>>>> Pierre DeLagge was kind enough to provide me
>>>>>> with a copy of his patched Stunnel 5.02,
>>>>>> which I am still using and which is working
>>>>>> flawlessly on my production servers. No
>>>>>> delayed start required.
>>>>>>
>>>>>> I am wondering if Pierre's 5.02 patch has
>>>>>> been incorporated into the most recently
>>>>>> released Stunnel, 5.04? Has anyone been
>>>>>> successful in getting the most current
>>>>>> version to actually work under the above
>>>>>> environment without delaying the start of the
>>>>>> service?
>>>>>>
>>>>>> Just to add a little color and background to
>>>>>> the story, I am using the native WS2008R2SP1
>>>>>> SMTP server on each machine, in conjunction
>>>>>> with Stunnel, so as to forward OS event
>>>>>> notifications through a gmail account.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 09.22.2014 06:54, John Smith wrote:
>>>>>>> I tried 5.04. on Windows Server 2008 R2
>>>>>>> Enterprise Service Pack 1 x64
>>>>>>>
>>>>>>>
>>>>>>> Same issue. Service shows as started, but no
>>>>>>> log. If I go manual restart it works.
>>>>>>>
>>>>>>> Have to put delayed startup.
>>>>>>>
>>>>>>> On 18 September 2014 16:15, John Smith <java.dev.mtl at gmail.com> wrote:
>>>>>>>
>>>>>>> For now i'm happy with 5.03 Already in
>>>>>>> production so I will have to wait next
>>>>>>> time! :)
>>>>>>>
>>>>>>> On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
>>>>>>>
>>>>>>> Jose Alf. wrote:
>>>>>>> > Regarding stunnel service dependencies, if you read the 5.04 beta
>>>>>>> > announcement, the dependency is created automatically now when you
>>>>>>> > install stunnel as a service. Please give it a try. Looks like it
>>>>>>> > works for me.
>>>>>>> >
>>>>>>> > Thanks to Mike for implementing that.
>>>>>>>
>>>>>>> Thank you for testing it.
>>>>>>>
>>>>>>> Best regards,
>>>>>>> Mike
>>>>>>> _______________________________________________
>>>>>>> stunnel-users mailing list
>>>>>>> stunnel-users at stunnel.org
>>>>>>> <mailto:stunnel-users at stunnel.org>
>>>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
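As an added example (not code from the thread or from the stunnel project), the following PowerShell check covers the three things the thread turns on: whether the SCM's "Running" state matches a real stunnel.exe process (Pierre's task-manager doubt), whether the service depends on Dnscache as well as Tcpip, and whether a connect hostname from the conf resolves within a few seconds of retrying, as Pierre proposed. The service name "stunnel" (what stunnel.exe -install registers), the process name "stunnel", and the HOSTNAME placeholder are assumptions; adjust them for your installation.

```powershell
# Startup diagnostic for the "service shows as started but no log" symptom.
# Assumptions: service registered as "stunnel", process name "stunnel",
# HOSTNAME is a placeholder for a connect target taken from stunnel.conf.
param(
    [string]$ServiceName     = 'stunnel',
    [string]$Hostname        = 'HOSTNAME',
    [int]   $DnsRetrySeconds = 3
)

# 1. What the SCM reports versus what is actually running.
$svc  = Get-Service -Name $ServiceName -ErrorAction Stop
$proc = Get-Process -Name 'stunnel' -ErrorAction SilentlyContinue
"Service state : $($svc.Status)"
"Process found : $([bool]$proc)"
if ($svc.Status -eq 'Running' -and -not $proc) {
    Write-Warning 'SCM says Running but no stunnel.exe process exists: the start failed silently.'
}

# 2. Startup dependencies: the thread recommends Dnscache in addition to Tcpip.
$deps = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
"Depends on    : $($deps -join ', ')"
if ($deps -notcontains 'Dnscache') {
    Write-Warning 'No dependency on Dnscache. To add it (elevated prompt):'
    "  sc.exe config $ServiceName depend= Tcpip/Dnscache"
    "  sc.exe config $ServiceName start= delayed-auto   # the workaround that worked for John"
}

# 3. DNS readiness: retry resolving for a few seconds instead of failing at once.
$deadline = (Get-Date).AddSeconds($DnsRetrySeconds)
$resolved = $null
do {
    try   { $resolved = [System.Net.Dns]::GetHostAddresses($Hostname) }
    catch { Start-Sleep -Milliseconds 500 }
} while (-not $resolved -and (Get-Date) -lt $deadline)
if ($resolved) {
    "Resolved $Hostname -> $(($resolved | ForEach-Object { $_.IPAddressToString }) -join ', ')"
} else {
    Write-Warning "Could not resolve '$Hostname' within $DnsRetrySeconds s (compare EAI_NONAME in the log)."
}
```

Run it right after a reboot, before touching the service in the SCM, so the output reflects the failing boot-time state rather than the manual restart that works.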