<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Dmitry,<br>
I reviewed our previous discussion on setting up stunnel by
envvars...<br>
<br>
On WCE, if you really want to have a unic code to manage envvars...<br>
well ok, you have to write a stub for ExpandEnvironmentStrings,<br>
that either performs %XX% replacement from predefined values OR
reads those values from a wce-specific "pseudo-env-txtfile".<br>
<br>
As there is only ONE user in WCE, it is quite straightforward to
write such stub, that will be universal for any wce terminal:<br>
the predefined values can be identical for any wce terminal.<br>
<br>
NB : I already mentioned that (re)configuring stunnel through envars
is not safe, at least on Win32 platforms:<br>
on those systems, env vars are stored in the registry (and
synchronised with specific system calls): every malicious sw that
can hack the registry can change env vars, it is of course very easy
in we use "user" env vars, not system env vars.<br>
<br>
Yours sincerelly,<br>
Pierre<br>
<br>
<div class="moz-cite-prefix">Le 10/09/2016 09:40, Dmitry Bakshaev a
écrit :<br>
</div>
<blockquote
cite="mid:CAK9DdiF-_TwNxF=9uoaZaKz4Yu5vfJckOd+2grL4eVmyQj+pxA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>we used patched version on many workstantions (linux and
windows) and found that this feature allows to flexibly and
automatically manage the stunnel configuration on the
workstations.</div>
<div><br>
</div>
<div>environment variables like $HOME, %USERNAME% and others
defined once and never changed, that does not affect stunnel
restart and configuration reload.</div>
<div>but it allows us to have a single configuration for all
users.</div>
<div><br>
</div>
<div>the only question that remains: how to use this feature
where there is no environment variables (WinCE, which we do
not have).</div>
<div>may by ExpandEnvironmentStringsA stub specifically for
WinCE?</div>
<div>any comments, Pierre?</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-07-07 15:42 GMT+04:00 Dmitry
Bakshaev <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dab1818@gmail.com" target="_blank">dab1818@gmail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">2016-06-01 12:29 GMT+04:00
Pierre Delaage <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:delaage.pierre@free.fr"
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:delaage.pierre@free.fr">delaage.pierre@free.fr</a></a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> Hello,<br>
To my mind, admin tasks such as conf file
customization, should be performed by admin
scripts, not app running in admin mode.<br>
<br>
With <b>GnuWin32 </b>sed AND echo commands,
things are really simple :<br>
<br>
<b>stunnel.conf :</b><b><br>
</b>
<pre>cert = %USERPROFILE%\.config\my.pem (windows)</pre>
<pre>output = %APPDATA%\stunnel.log (windows)</pre>
<br>
<b>script "envsed.bat" on Windows :</b><b><br>
</b><br>
<pre>cat stunnel.conf | ^</pre>
<pre>sed -r -e "s/^(.*)$/C\:\\Progra~2\\<wbr>GnuWin32\\bin\\echo.EXE \1/e" </pre>
every envvar "à la windows" is expanded ....
Will work the same in Linux.
</div></blockquote><div>
</div><div>yes. this is primary goal of this patch - do not edit (manually or with sed) config file for each user.
</div><div>if user added/removed, if port/host changed, etc.
</div><div>admin mantains only one config that fit all users.
</div><div>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
If we really modify stunnel to do that job, I recommend to (try to)
use stubs for WCE trying to keep one main code, and keeping an
acceptable behavior in WCE,
instead of playing with #if WCE #else etc ...
</div></blockquote><div>
I am not familiar with the Windows CE,
first and last time when seen the WinCE-device - the beginning of the 2000s.
point into the right direction if you know.
</div><div>win32 has native ExpandEnvironmentStringsA() function,
</div><div>on other platform used stub/wrapper around getvar() function (#ifndef USE_WIN32).
</div><div>WinCE do not has ExpandEnvironmentStringsA() or getvar(), besause do not has environment variables.
</div><div>#ifndef _WIN32_WCE - simple way to not execute unnecessary code at all,
</div><div>but attached patch version has ExpandEnvironmentStringsA stub for WinCE, please review it.
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
Another way to proceed is that stunnel recognizes a very small set
of "pseudo-envvars", like eg we can find in samba conf files,
such as, eg, %u for current user home folder, and that it expands
(or "translate") internally with its own logic (of course using
system calls if needed),
but in any case, stunnel has to do some work for tokenization,
something that I think dangerous :
it would not be good that stunnel expands ANY envvar, known or
UNKNOWN, without being able to predict the effects on its execution.
</div></blockquote><div>
</div><div>environment variables values owned by user. only owner or admin cat change it, not any-other user.
</div><div>starting process with admin/system/current_user privileges process <span lang="en"><span>inherits </span></span>admin/system/current_user envvars values.
stunnel not expands ANY or UNKNOWN envvars - only those that admin will specified in config file.
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
Moreover, envars can be modified on the fly in an unpredictable way:
what if stunnel reloads the conf after an envvar change ?
if it even does NOT detect the change, there may be issues ...and if
it detects the change and reloads, there may be other issues...
</div></blockquote><div>if running process not modify envvars by himself ExpandEnvironmentStrings/<wbr>getvar expands to values taken on process start.
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
Anyway, for the purpose of having multiple stunnel processes,
running in user space, started from USER command line, it does not
appear clear to me why an admin should create the USER conf
files...the USER should be aware of what is he/she doing with
stunnel?
</div></blockquote><div>admin manages stunnel and applications configuration on server and client side: hosts, ports, other stunnel options.
</div><div>user has own private certificate used with stunnel and works with applications through stunnel.
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
and it is not clear why and HOW multiple users, logged-on on the
?same? machine, each working in USER SPACE, should run stunnel
simultaneously ...
</div></blockquote><div>not necessary simultaneously - stunnel may use same ports on localhost for all users (from one global config).
</div><div>users alternately starts his own stunnel process with own certificate (path expanded from one global config).
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
Question is also : if stunnel is running as a service, how will it
deal with conf file containing ENVVARS, and what interest for this
as system-wide stunnel just need one unique conf file.
</div>
</blockquote></div>on server or client side?
for example on server with miltiple stunnel instances for create predictable log files names (without manually editing):
output = /var/log/stunnel/stunnel_${<wbr>SVCNAME}.log
</div></div>
</blockquote></div>
</div>
</blockquote>
</body></html>