Ask Pierre for a copy of his patched 5.02, I bet that will solve your problem.


On 09.24.2014 08:51, John Smith wrote:
Anyways I don't know what to say. But adding dnscache as dependency didn't do anything either. Same issue service on bootup shows as started but no logs. Restarting it through Service Control Manager works.

Automatic (Delayed Start) at least for me works fine. I'll continue working with that for now...

On 23 September 2014 14:27, John Smith <[email protected]> wrote:

    Ok when I have a chance I will try dnscache

    On 23 September 2014 14:05, Pierre DELAAGE <[email protected]> wrote:

        Sorry to tell but...

        On a windows 7 home machine, with a HOSTNAME in the stunnel
        conf, NO DELAY at service startup :
        I can start the service, then reboot,
        then, at first, my log file is saying ": Error resolving
        'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)"
        and later, when I try to use the tunnel (and at that time dns
        is working), resolving is working...

        and everything is OK so....

        Even if dns is NOT available at startup, stunnel 504 is able
        to resolve "later" the remote server hostname.



        2014.09.23 19:23:17 LOG7[2612]: No limit detected for the
        number of clients
        2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on
        x86-pc-msvc-1500 platform
        2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL
        1.0.1i-fips 6 Aug 2014
        2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32
        Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
        2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
        2014.09.23 19:23:17 LOG5[2612]: Reading configuration from
        file stunnel.conf
        2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
        2014.09.23 19:23:17 LOG7[2612]: Compression disabled
        2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from
        C:/.rnd
        2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to
        C:/.rnd
        2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
        2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]

        2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ':
        Neither nodename nor servname known (EAI_NONAME)

        2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target
        - delaying DNS lookup/(COMMENT : stunnel is a good fellow !)/

        2014.09.23 19:23:17 LOG6[2612]: Loading cert from file:
        C:\Users\standard\Documents\Perso\SSL\johndoe.crt
        2014.09.23 19:23:18 LOG6[2612]: Loading key from file:
        C:\Users\standard\Documents\Perso\SSL\johndoe.uky
        2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
        2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
        2014.09.23 19:23:18 LOG5[2612]: Configuration successful
        2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound
        to 127.0.0.1:81
        2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted
        (FD=208) from 127.0.0.1:49164
        2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
        2014.09.23 19:24:32 LOG7[2612]: New thread created
        2014.09.23 19:24:32 LOG7[588]: Service [https] started
        2014.09.23 19:24:32 LOG5[588]: Service [https] accepted
        connection from 127.0.0.1:49164
        2014.09.23 19:24:32 LOG6[588]: s_connect: connecting
        XXX.YYY.UUU.III:443
        2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait
        XXX.YYY.UUU.III:443: waiting 10 seconds
        2014.09.23 19:24:32 LOG5[588]: s_connect: connected
        XXX.YYY.UUU.III:443
        2014.09.23 19:24:32 LOG5[588]: Service [https] connected
        remote server from 192.168.3.220:49165
        2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
        2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect):
        before/connect initialization
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3
        write client hello A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
        server hello A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
        server certificate A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
        server certificate request A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
        server done A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
        write client certificate A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
        write client key exchange A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
        write certificate verify A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
        write change cipher spec A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
        write finished A
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
        flush data
        2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
        finished A

        So I am sorry to say that I cannot reproduce that bug.

        Anyway there are many services, on a heavy loaded machine,
        that can slow down the service startup or interfere with file
        management :

        Antivirus ? try to deactivate it.
        Firewall : the same...
        any other piece of software that is not absolutely necessary
        at boot time.

        Plus : Even if you don't use hostnames in conf file I suggest
        that you try "dnscache" dependency anyway:
        because you probably have hostnames in your certificates.

        Regards
        Pierre



        On 23/09/2014 18:05, John Smith wrote:
        Network: Ethernet
        Multiple routers: No
        Firewall: No
        Delay: Yes, Automatic (Delayed Start) works like a charm.
        Capi engine: Yes tried turning it off
        32 bit or 64 bit: 32bit running on 64 bit server. I don't see
        a 64 bit version on the download page?
        dnscache: Haven't tried it yet.


        - stunnel works fine on the server specifically with the
        service set to Automatic (Delayed Start). And I even tunnel
        properly to other machines so it's not firewalls or routers or
        network.
        - Only when it's NOT (Delayed Start) stunnel does not seem to
        start even though the service shows as started.
        - I managed to tunnel from my Desktop to the Server. I have
        not tried automatic service startup on Desktop because I
        don't have enough privileges. But trying to setup the
        server, since that's the machine that will have stunnel in
        production.




        On 23 September 2014 10:04, Pierre DELAAGE
        <[email protected]> wrote:

            Have you tried to change the service dependency from
            "TCPIP" (the default in the code), to "dnscache" (ok,
            EVEN if you do not use hostname resolution),
            this is just to be sure that stunnel relies on something
            that is using tcpip as well.

            question : what kind of network interface do you have :

            wifi ?
            ethernet board ?

            Are you traversing multiple routers ?

            Are you using multiple firewalls ?

            Have you tuned a delay as suggested a few days ago ?

            Can you try without specifying "capi engine" ?

            Are you using stunnel 32 bits or 64 bits : if 64, try the
            32 version as well.

            I am reviewing the code and soon enter some test on
            w7-32bits.

            Regards
            Pierre



            On 23/09/2014 15:30, John Smith wrote:
            I wish you were right but unfortunately it's running lol

            On 22 September 2014 18:24, Pierre DELAAGE
            <[email protected]> wrote:

                When you observe that log is empty and that "stunnel
                shows as started",
                do a CTRL ALT DEL to check if there is any process
                called "stunnel" that is really running...

                I have a doubt that, although scm says stunnel is
                running, in fact it is not.

                Regards
                Pierre

                On 22/09/2014 21:43, John Smith wrote:
                Hi I used administrator account and defaults to
                install. It is installed at Program Files (x86)

                The service is set to run as local system account
                and interact with desktop is checked.

                Once the machine is booted... Login open service
                control panel, stunnel shows as started. Go look at
                logs nothing there... In service control panel hit
                the restart button. And it comes up properly.

                My config is as follows:

                ; Debugging stuff (may useful for troubleshooting)
                ;debug = 7
                output = stunnel.log

                ; Initialize Microsoft CryptoAPI interface
                engine = capi
                ; Also needs "engineID = capi" in each section using the CAPI engine

                [es-tcp]
                accept = ${SERVER_IP}:9300
                connect = 127.0.0.1:9300
                cert = ....
                CAfile = ....
                verify = 2

                [es-http]
                accept = ${SERVER_IP}:9200
                connect = 127.0.0.1:9200
                cert = ....
                CAfile = ....
                verify = 2

                [es-disc-local]
                client = yes
                accept = 127.0.0.1:9700
                connect = ${SERVER_IP}:9300
                cert = ....



                On 22 September 2014 14:30, Pierre DELAAGE
                <[email protected]> wrote:

                    Hello,
                    I can tell my patch was addressing read file
                    error on conf file,
                    but, unfortunately, not at all "dependencies of
                    stunnel service at start up",
                    which is likely to be the core pb preventing
                    stunnel to start correctly at boot time for
                    people on that thread.

                    Michal added explicit dependencies at startup,
                    that is necessary to solve that bug. I did not
                    check yet its implementation.

                    But maybe some services, although started, are
                    still "not ready" when stunnel starts, so that
                    this makes stunnel fail.

                    I suggest that stunnel checks, not only the
                    availability, but also the "efficiency" of the
                    DNS service by trying to resolve a well known
                    server.
                    it should retry during, eg, 3 seconds, and then
                    stops with some reports if failing to resolve
                    the hostname,
                    either by lack of network, or by lack of answer
                    from the name resolver.
                    But...it seems that when having problems at
                    startup, it cannot even log anything....maybe
                    this is due to the identity of "system user" of
                    stunnel at that particular moment: user that
                    may have no right to write on the HD.

                    People should check also the installation
                    location of stunnel : it is supposed (and have
                    predefined shortcuts for that) to be installed
                    PREFERABLY in "c:\program files\stunnel".
                    I recommend to use that location.

                    They also should try to resolve by hand the
                    hostnames they put in their stunnel conf file,
                    just to be sure.

                    On some network or machines, maybe there is a
                    problem with the firewall and SOME services
                    tunneled by stunnel on forbidden ports.

                    On another hand, it sounds strange that just
                    restarting stunnel (in user mode or service
                    mode ?) is solving the problem :
                    this sounds like unavailability of DNS at startup.

                    I did not investigate that particular problem,
                    but I will perform some tests soon with the
                    last 504 (or 505).

                    Yours sincerely
                    Pierre



                    On 22/09/2014 19:20, [email protected] wrote:
                    Using Stunnel on several Windows Server 2008
                    R2 SP1 machines (all such machines are X64 as
                    the OS is only released as X64).

                    During August of 2014 I reported in this forum
                    the current version of Stunnel would not
                    function as a service under the above OS, even
                    if using a delayed start, it might run but it
                    would not work.  I reverted to using version
                    4.35, which did work properly.

                    Pierre DeLagge was kind enough to provide me
                    with a copy of his patched Stunnel 5.02, which
                    I am still using and which is working
                    flawlessly on my production servers.  No
                    delayed start required.

                    I am wondering if Pierre's 5.02 patch has been
                    incorporated into the most recently released
                    Stunnel, 5.04?  Has anyone been successful in
                    getting the most current version to actually
                    work under the above environment without
                    delaying the start of the service?

                    Just to add a little color and background to
                    the story, I am using the native WS2008R2SP1
                    SMTP server on each machine, in conjunction
                    with Stunnel, so as to forward OS event
                    notifications through a gmail account.



                    On 09.22.2014 06:54, John Smith wrote:
                    I tried 5.04. on Windows Server 2008 R2
                    Enterprise Service Pack 1 x64


                    Same issue. Service shows as started, but no
                    log. If I go manual restart it works.

                    Have to put delayed startup.

                    On 18 September 2014 16:15, John Smith
                    <[email protected]> wrote:

                        For now i'm happy with 5.03 Already in
                        production so I will have to wait next
                        time! :)

                        On 17 September 2014 17:10, Michal
                        Trojnara <[email protected]> wrote:

                            -----BEGIN PGP SIGNED MESSAGE-----
                            Hash: SHA1

                            Jose Alf. wrote:
                            > Regarding stunnel service dependencies, If you read the 5.04 beta
                            > announcement, the dependency is created automatically now when you
                            > install stunnel as a service. Please give it a try. Looks like it
                            > works for me.
                            >
                            > Thanks to Mike for implementing that.

                            Thank you for testing it.

                            Best regards,
                                    Mike
                            -----BEGIN PGP SIGNATURE-----
                            Version: GnuPG v1

                            
iEYEARECAAYFAlQZ+NsACgkQ/NU+nXTHMtGdAgCdFUQ6YWXDdE0g4ZNoys3DSR0Q
                            yLoAnRgo4jKIzb93fzEZcV79eoAQLXMR
                            =+xFQ
                            -----END PGP SIGNATURE-----
                            _______________________________________________
                            stunnel-users mailing list
                            [email protected]
                            <mailto:[email protected]>
                            
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users





_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
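
A small triage script for the two startup outcomes discussed in this thread: an empty log although the service shows as started, and the deferred DNS lookup visible in the stunnel 5.04 log quoted above. This is an added example, not code from stunnel or from any poster; the sample lines are abridged from that quoted log with wrapped lines rejoined, and the state names are this example's own labels.

```python
import re
from datetime import datetime

# One stunnel log record, e.g. "2014.09.23 19:23:17 LOG3[2612]: message"
LINE_RE = re.compile(
    r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(\d)\[(\d+)\]: (.*)$")

# Constructed sample: abridged from the log quoted in the thread, wrapped lines rejoined.
SAMPLE = """\
2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on x86-pc-msvc-1500 platform
2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)
2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target - delaying DNS lookup
2014.09.23 19:23:18 LOG5[2612]: Configuration successful
2014.09.23 19:24:32 LOG6[588]: s_connect: connecting XXX.YYY.UUU.III:443
2014.09.23 19:24:32 LOG5[588]: s_connect: connected XXX.YYY.UUU.III:443
"""

def parse(text):
    """Return (timestamp, level, thread_id, message) for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
            records.append((ts, int(m.group(2)), int(m.group(3)), m.group(4)))
    return records

def triage(text):
    """Classify a startup log into one of this example's (hypothetical) states."""
    result = {"state": "no-log", "unresolved": [], "seconds_to_connect": None}
    records = parse(text)
    if not records:
        return result  # service may show as started, yet stunnel wrote nothing
    fail_ts = connect_ts = None
    configured = False
    for ts, _level, _tid, msg in records:
        m = re.match(r"Error resolving '([^']*)'", msg)
        if m:
            result["unresolved"].append(m.group(1).strip())
            fail_ts = fail_ts or ts
        elif msg == "Configuration successful":
            configured = True
        elif (msg.startswith("s_connect: connected")
              and fail_ts is not None and connect_ts is None):
            # Simplification: any later connect is taken as proof the lookup worked.
            connect_ts = ts
    if not configured:
        result["state"] = "startup-incomplete"
    elif fail_ts is None:
        result["state"] = "ok"
    elif connect_ts is None:
        result["state"] = "dns-deferred-pending"
    else:
        result["state"] = "dns-deferred-connected"
        result["seconds_to_connect"] = (connect_ts - fail_ts).total_seconds()
    return result

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(""))
```
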
