[stunnel-users] must restart stunnel to add a new cert before it recognized it...

Rami Michael thikrat at gmail.com
Tue Nov 14 05:54:33 CET 2006


Hello everyone,

My stunnel setup is working fine, got mysql being hit from a couple of boxes
but my question is this...
I have stunnel set up so I copy the cert created from the remote client over
to the local server so remote connections are authenticated.
Now that works fine and dandy, the issue is, if I am adding a new remote
client, I add the cert from the client to my certs.pem locally but I need to
restart the stunnel process before stunnel will "read in" the new cert.
I know this does not sound like a big deal, but if I have 20 machines
connected through stunnel to this local box and I need to restart stunnel
whenever I need to add a new box or take off an old one, I don't think it's
good.

I use stunnel for mysql so I got these guys doing inserts and a broken
connection would really mess things up for me... I think maybe there is a
flag I can set?  Or maybe send the process some type of command to reload
the certs?

Any help would be appreciated... all relevant info included below.

All requested info for posts to the group is found below

Here is my stunnel.conf

verify = 3
CAfile = /etc/stunnel/certs.pem
cert = /etc/stunnel/stunnel.pem
setuid = nobody
setgid = nobody
pid = /tmp/stunnel.pid
debug = 7
output = /var/log/stunnel.log
client = no
[mysqls]
accept  = 3309
connect = 3306

Some output from the stunnel.log at high debug level

2006.11.13 23:03:10 LOG5[32244:3086689984]: stunnel 4.05 on
i686-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2006.11.13 23:03:10 LOG7[32244:3086689984]: Snagged 64 random bytes from
/dev/urandom
2006.11.13 23:03:10 LOG7[32244:3086689984]: RAND_status claims sufficient
entropy for the PRNG
2006.11.13 23:03:10 LOG6[32244:3086689984]: PRNG seeded successfully
2006.11.13 23:03:10 LOG7[32244:3086689984]: Certificate:
/etc/stunnel/stunnel.pem
2006.11.13 23:03:10 LOG7[32244:3086689984]: Key file:
/etc/stunnel/stunnel.pem
2006.11.13 23:03:10 LOG7[32244:3086689984]: Loaded verify certificates from
/etc/stunnel/certs.pem
2006.11.13 23:03:10 LOG5[32244:3086689984]: FD_SETSIZE=1024, file
ulimit=1024 -> 500 clients allowed
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 4 in non-blocking mode
2006.11.13 23:03:10 LOG7[32244:3086689984]: SO_REUSEADDR option set on
accept socket
2006.11.13 23:03:10 LOG7[32244:3086689984]: mysqls bound to 0.0.0.0:3309
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 5 in non-blocking mode
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 6 in non-blocking mode
2006.11.13 23:03:10 LOG7[32245:3086689984]: Created pid file
/tmp/stunnel.pid

stunnel -V
2006.11.13 23:03:14 LOG3[32248:3086505664]: -V: No such file or directory
(2)

Syntax:
stunnel [filename] | -fd [n] | -help | -version | -sockets
    filename    - use specified config file instead of
/etc/stunnel/stunnel.conf
    -fd n       - read the config file from specified file descriptor
    -help       - get config file help
    -version    - display version and defaults
    -sockets    - display default socket options

uname -a
Linux ramison 2.6.9-42.0.3.EL #1 Fri Oct 6 05:59:54 CDT 2006 i686 i686 i386
GNU/Linux

gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.6/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-java-awt=gtk
--host=i386-redhat-linux
Thread model: posix
gcc version 3.4.6 20060404 (Red Hat 3.4.6-3)

openssl version
OpenSSL 0.9.7a Feb 19 2003
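The config above trusts every certificate concatenated into the CAfile
(/etc/stunnel/certs.pem), and the post's procedure is to append each new
client's cert to that file by hand. Whatever version of stunnel is in use,
the bundle itself is a trust root, so a half-pasted block, a duplicate, or a
partially written file is worth catching before stunnel is asked to load it.
The script below is an added example and is not part of the original post or
of stunnel: it parses a PEM bundle, rejects unpaired markers and bodies that
are not a DER SEQUENCE, skips certificates already present (by SHA-256 of the
DER), and replaces the file atomically. The two "certificates" it embeds are
constructed five-byte DER SEQUENCEs, not real X.509 certificates, so it runs
offline; the path in the usage comment is the one from the post's config.

```python
"""Add a client certificate to a concatenated CAfile bundle safely.

Added example for the stunnel-users post above; not stunnel's own code.
The sample "certificates" are constructed DER SEQUENCEs, not real X.509.
"""
import base64
import hashlib
import os
import re
import tempfile
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)


def parse_bundle(text):
    """Return the DER bytes of every certificate block in a PEM bundle.

    Raises ValueError on an unpaired BEGIN/END marker, invalid base64, or a
    body that is not a DER SEQUENCE (tag 0x30), so a truncated paste is
    rejected instead of silently shortening the trust list."""
    blocks = BLOCK_RE.findall(text)
    if text.count(BEGIN) != len(blocks) or text.count(END) != len(blocks):
        raise ValueError("unpaired BEGIN/END CERTIFICATE marker in bundle")
    certs = []
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate block contains invalid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate block does not decode to a DER SEQUENCE")
        certs.append(der)
    return certs


def fingerprint(der):
    """SHA-256 over the DER encoding; used to detect duplicate entries."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    """Re-encode DER as a canonical PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    return BEGIN + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + END + "\n"


def merge_bundles(existing_text, new_text):
    """Return (merged_bundle_text, fingerprints_added).

    Certificates already in the existing bundle are skipped, so re-running
    the add for the same client never produces a duplicate entry."""
    existing = parse_bundle(existing_text)
    seen = {fingerprint(der) for der in existing}
    merged = list(existing)
    added = []
    for der in parse_bundle(new_text):
        fp = fingerprint(der)
        if fp in seen:
            continue
        seen.add(fp)
        merged.append(der)
        added.append(fp)
    return "".join(to_pem(der) for der in merged), added


def write_bundle_atomically(path, text):
    """Write to a temp file in the same directory, fsync, then rename over the
    target, so a reader of the CAfile never observes a partial write."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".certs.pem.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)  # world-readable like a typical CAfile, not writable
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


# Constructed sample data: DER SEQUENCE { INTEGER 1 } and SEQUENCE { INTEGER 2 }.
EXISTING_BUNDLE = to_pem(b"\x30\x03\x02\x01\x01")
NEW_CLIENT_CERT = to_pem(b"\x30\x03\x02\x01\x02")

if __name__ == "__main__":
    merged, added = merge_bundles(EXISTING_BUNDLE, NEW_CLIENT_CERT)
    print("added %d certificate(s); bundle now holds %d"
          % (len(added), len(parse_bundle(merged))))
    # Real use would read the current file and then call, for example:
    # write_bundle_atomically("/etc/stunnel/certs.pem", merged)
```

Rewriting the whole bundle from parsed DER (rather than appending raw text)
is deliberate: it guarantees the file on disk is exactly the set of
certificates the script validated, and the atomic rename means a restart or
reload that happens to race the edit sees either the old bundle or the new
one, never a torn file.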