Ok when I have a chance I will try dnscache

On 23 September 2014 14:05, Pierre DELAAGE <[email protected]> wrote:
> Sorry to tell but...
>
> On a windows 7 home machine, with a HOSTNAME in the stunnel conf, NO DELAY at service startup:
> I can start the service, then reboot,
> then, at first, my log file is saying ": Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)"
> and later, when I try to use the tunnel (and at that time dns is working), resolving is working...
>
> and everything is OK so....
>
> Even if dns is NOT available at startup, stunnel 504 is able to resolve "later" the remote server hostname.
>
> 2014.09.23 19:23:17 LOG7[2612]: No limit detected for the number of clients
> 2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on x86-pc-msvc-1500 platform
> 2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL 1.0.1i-fips 6 Aug 2014
> 2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32 Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
> 2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
> 2014.09.23 19:23:17 LOG5[2612]: Reading configuration from file stunnel.conf
> 2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
> 2014.09.23 19:23:17 LOG7[2612]: Compression disabled
> 2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from C:/.rnd
> 2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to C:/.rnd
> 2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
> 2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
>
> 2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)
>
> 2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target - delaying DNS lookup (COMMENT: stunnel is a good fellow!)
>
> 2014.09.23 19:23:17 LOG6[2612]: Loading cert from file: C:\Users\standard\Documents\Perso\SSL\johndoe.crt
> 2014.09.23 19:23:18 LOG6[2612]: Loading key from file: C:\Users\standard\Documents\Perso\SSL\johndoe.uky
> 2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
> 2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
> 2014.09.23 19:23:18 LOG5[2612]: Configuration successful
> 2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound to 127.0.0.1:81
> 2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted (FD=208) from 127.0.0.1:49164
> 2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
> 2014.09.23 19:24:32 LOG7[2612]: New thread created
> 2014.09.23 19:24:32 LOG7[588]: Service [https] started
> 2014.09.23 19:24:32 LOG5[588]: Service [https] accepted connection from 127.0.0.1:49164
> 2014.09.23 19:24:32 LOG6[588]: s_connect: connecting XXX.YYY.UUU.III:443
> 2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait XXX.YYY.UUU.III:443: waiting 10 seconds
> 2014.09.23 19:24:32 LOG5[588]: s_connect: connected XXX.YYY.UUU.III:443
> 2014.09.23 19:24:32 LOG5[588]: Service [https] connected remote server from 192.168.3.220:49165
> 2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
> 2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): before/connect initialization
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3 write client hello A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server hello A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server certificate A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server certificate request A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server done A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client certificate A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client key exchange A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write certificate verify A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write change cipher spec A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write finished A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 flush data
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read finished A
>
> So I am sorry to say that I cannot reproduce that bug.
>
> Anyway there are many services, on a heavily loaded machine, that can slow down the service startup or interfere with file management:
>
> Antivirus? try to deactivate it.
> Firewall: the same...
> any other piece of software that is not absolutely necessary at boot time.
>
> Plus: Even if you don't use hostnames in conf file I suggest that you try "dnscache" dependency anyway:
> because you probably have hostnames in your certificates.
>
> Regards
> Pierre
>
>
> On 23/09/2014 18:05, John Smith wrote:
>
> Network: Ethernet
> Multiple routers: No
> Firewall: No
> Delay: Yes, Automatic (Delayed Start) works like a charm.
> Capi engine: Yes tried turning it off
> 32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit version on the download page?
> dnscache: Haven't tried it yet.
>
> - stunnel works fine on the server specifically with the service set to Automatic (Delayed Start). And I even tunnel properly to other machines so it is not firewalls or routers or network.
> - Only when it's NOT (Delayed Start) stunnel does not seem to start even though the service shows as started.
> - I managed to tunnel from my Desktop to the Server. I have not tried automatic service startup on Desktop because I don't have enough privileges. But trying to set up the server, since that's the machine that will have stunnel in production.
>
>
> On 23 September 2014 10:04, Pierre DELAAGE <[email protected]> wrote:
>
>> Have you tried to change the service dependency from "TCPIP" (the default in the code), to "dnscache" (ok, EVEN if you do not use hostname resolution),
>> this is just to be sure that stunnel relies on something that is using tcpip as well.
>>
>> question: what kind of network interface do you have:
>>
>> wifi?
>> ethernet board?
>>
>> Are you traversing multiple routers?
>>
>> Are you using multiple firewalls?
>>
>> Have you tuned a delay as suggested a few days ago?
>>
>> Can you try without specifying "capi engine"?
>>
>> Are you using stunnel 32 bits or 64 bits: if 64, try the 32 version as well.
>>
>> I am reviewing the code and will soon enter some tests on w7-32bits.
>>
>> Regards
>> Pierre
>>
>>
>> On 23/09/2014 15:30, John Smith wrote:
>>
>> I wish you were right but unfortunately it's running lol
>>
>> On 22 September 2014 18:24, Pierre DELAAGE <[email protected]> wrote:
>>
>>> When you observe that log is empty and that "stunnel shows as started", do a CTRL ALT DEL to check if there is any process called "stunnel" that is really running...
>>>
>>> I have a doubt that, although scm says stunnel is running, in fact it is not.
>>>
>>> Regards
>>> Pierre
>>>
>>> On 22/09/2014 21:43, John Smith wrote:
>>>
>>> Hi I used administrator account and defaults to install. It is installed at Program Files (x86)
>>>
>>> The service is set to run as local system account and interact with desktop is checked.
>>>
>>> Once the machine is booted... Login, open service control panel, stunnel shows as started. Go look at logs, nothing there... In service control panel hit the restart button. And it comes up properly.
>>>
>>> My config is as follows:
>>>
>>> ; Debugging stuff (may be useful for troubleshooting)
>>> ;debug = 7
>>> output = stunnel.log
>>>
>>> ; Initialize Microsoft CryptoAPI interface
>>> engine = capi
>>> ; Also needs "engineID = capi" in each section using the CAPI engine
>>>
>>> [es-tcp]
>>> accept = ${SERVER_IP}:9300
>>> connect = 127.0.0.1:9300
>>> cert = ....
>>> CAfile = ....
>>> verify = 2
>>>
>>> [es-http]
>>> accept = ${SERVER_IP}:9200
>>> connect = 127.0.0.1:9200
>>> cert = ....
>>> CAfile = ....
>>> verify = 2
>>>
>>> [es-disc-local]
>>> client = yes
>>> accept = 127.0.0.1:9700
>>> connect = ${SERVER_IP}:9300
>>> cert = ....
>>>
>>>
>>> On 22 September 2014 14:30, Pierre DELAAGE <[email protected]> wrote:
>>>
>>>> Hello,
>>>> I can tell my patch was addressing read file error on conf file,
>>>> but, unfortunately, not at all "dependencies of stunnel service at start up",
>>>> which is likely to be the core pb preventing stunnel to start correctly at boot time for people on that thread.
>>>>
>>>> Michal added explicit dependencies at startup, that is necessary to solve that bug. I did not check yet its implementation.
>>>>
>>>> But maybe some services, although started, are still "not ready" when stunnel starts, so that this makes stunnel fail.
>>>>
>>>> I suggest that stunnel checks, not only the availability, but also the "efficiency" of the DNS service by trying to resolve a well known server.
>>>> it should retry during, eg, 3 seconds, and then stop with some reports if failing to resolve the hostname,
>>>> either by lack of network, or by lack of answer from the name resolver.
>>>> But...it seems that when having problems at startup, it cannot even log anything....maybe this is due to the identity of "system user" of stunnel at that particular moment: user that may have no right to write on the HD.
>>>>
>>>> People should check also the installation location of stunnel: it is supposed (and has predefined shortcuts for that) to be installed PREFERABLY in "c:\program files\stunnel".
>>>> I recommend to use that location.
>>>>
>>>> They also should try to resolve by hand the hostnames they put in their stunnel conf file, just to be sure.
>>>>
>>>> On some networks or machines, maybe there is a problem with the firewall and SOME services tunneled by stunnel on forbidden ports.
>>>>
>>>> On another hand, it sounds strange that just restarting stunnel (in user mode or service mode?) is solving the problem:
>>>> this sounds like unavailability of DNS at startup.
>>>>
>>>> I did not investigate that particular problem, but I will perform some tests soon with the last 504 (or 505).
>>>>
>>>> Yours sincerely
>>>> Pierre
>>>>
>>>>
>>>> On 22/09/2014 19:20, [email protected] wrote:
>>>>
>>>> Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such machines are X64 as the OS is only released as X64).
>>>>
>>>> During August of 2014 I reported in this forum the current version of Stunnel would not function as a service under the above OS, even if using a delayed start, it might run but it would not work. I reverted to using version 4.35, which did work properly.
>>>>
>>>> Pierre Delaage was kind enough to provide me with a copy of his patched Stunnel 5.02, which I am still using and which is working flawlessly on my production servers. No delayed start required.
>>>>
>>>> I am wondering if Pierre's 5.02 patch has been incorporated into the most recently released Stunnel, 5.04? Has anyone been successful in getting the most current version to actually work under the above environment without delaying the start of the service?
>>>>
>>>> Just to add a little color and background to the story, I am using the native WS2008R2SP1 SMTP server on each machine, in conjunction with Stunnel, so as to forward OS event notifications through a gmail account.
>>>>
>>>>
>>>> On 09.22.2014 06:54, John Smith wrote:
>>>>
>>>> I tried 5.04. on Windows Server 2008 R2 Enterprise Service Pack 1 x64
>>>>
>>>> Same issue. Service shows as started, but no log. If I go manual restart it works.
>>>>
>>>> Have to put delayed startup.
>>>>
>>>> On 18 September 2014 16:15, John Smith <[email protected]> wrote:
>>>>
>>>>> For now I'm happy with 5.03. Already in production so I will have to wait for next time! :)
>>>>>
>>>>> On 17 September 2014 17:10, Michal Trojnara <[email protected]> wrote:
>>>>>
>>>>>> Jose Alf. wrote:
>>>>>> > Regarding stunnel service dependencies, If you read the 5.04 beta announcement, the dependency is created automatically now when you install stunnel as a service. Please give it a try. Looks like it works for me.
>>>>>> >
>>>>>> > Thanks to Mike for implementing that.
>>>>>>
>>>>>> Thank you for testing it.
>>>>>>
>>>>>> Best regards,
>>>>>> Mike
>>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
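The startup DNS check Pierre proposes in the thread (retry resolution for a few seconds, then stop and report why it failed), written out as an added Python example; this is not stunnel's code nor anything posted in the thread. The probe hostname, the 3-second deadline and the injectable `resolver`/`clock`/`sleep` hooks are assumptions made so the loop can be exercised offline; by default it calls `socket.getaddrinfo`.

```python
import socket
import time
from dataclasses import dataclass, field

PROBE_HOST = "example.com"  # assumed probe target; use a name you know resolves
EAI_NONAME = getattr(socket, "EAI_NONAME", None)  # not exposed on every platform


@dataclass
class ProbeResult:
    ok: bool = False
    attempts: int = 0
    elapsed: float = 0.0
    reason: str = ""
    log: list = field(default_factory=list)


def default_resolver(host, port):
    # Raises socket.gaierror(EAI_NONAME) for an unknown name: the same
    # condition stunnel logged at boot before the DNS client was ready.
    return socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)


def probe_dns(host=PROBE_HOST, port=443, deadline=3.0, interval=0.25,
              resolver=default_resolver, clock=time.monotonic, sleep=time.sleep):
    """Retry resolution of `host` until it works or `deadline` seconds elapse.

    Tells "resolver answered 'no such name'" (EAI_NONAME) apart from "no
    usable answer / no network" (other gaierror or OSError), so an operator
    can separate a not-yet-ready DNS service from a typo in stunnel.conf.
    """
    res, start = ProbeResult(), clock()
    while True:
        res.attempts += 1
        try:
            addrs = resolver(host, port)
            res.ok, res.reason = True, f"resolved to {addrs[0][4][0]}"
            res.log.append(f"attempt {res.attempts}: {res.reason}")
            break
        except socket.gaierror as e:
            kind = "EAI_NONAME" if e.errno == EAI_NONAME else f"gaierror {e.errno}"
            res.reason = f"{kind}: {e.strerror or e}"
        except OSError as e:
            res.reason = f"no network: {e.strerror or e}"
        res.log.append(f"attempt {res.attempts}: {res.reason}")
        if clock() - start >= deadline:
            break
        sleep(interval)
    res.elapsed = clock() - start
    return res
```

Call `probe_dns()` with a hostname from your own stunnel.conf; `attempts` and `reason` show whether the resolver was merely late at boot or the name never resolves at all.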
