[stunnel-users] stunnel automatically listening to extra ports: BAD

Luis Rodrigo Gallardo Cruz rodrigo at nul-unu.com
Fri Jan 11 22:37:22 CET 2008

[You forgot to cc: the list]

On Fri, Jan 11, 2008 at 03:24:32PM -0500, Alan Pinstein wrote:
> On Jan 11, 2008, at 3:02 PM, Luis Rodrigo Gallardo Cruz wrote:
>> On Fri, Jan 11, 2008 at 02:31:58PM -0500, Alan Pinstein wrote:
>>> Hi All-
>>> [ Stunnel listens on ports it shouldn't ]
>>> If I start up stunnel from the command line as "root" or another user
>>> even, it only listens on the port listed in the conf file.
>> Could you have some startup script that's automatically getting run
>> with your logrotate scripts?
> The problem happens the MOMENT stunnel starts. It has nothing to do with 
> the logrotate scripts.

Oh, sorry, I got confused. (/me goes and re-reads the original mail ...)

> I've done a bunch of debugging and can't figure out what's going on.
> I have only one guess: stunnel automatically listens on any ports
> that the process calling stunnel is listening on, in some sort of
> attempt to seamlessly add SSL to existing daemons. I can't find any
> docs or tell from the source code, but it's the only idea I can't
> rule out...

All this is in a *nix, right?

The following is an educated guess:

Open connections are open file descriptors, and fork()/exec() do not
close open file descriptors. Thus, stunnel is inheriting the open
connection. And, since it knows nothing about it, it does not close it
or anything like that. So it's not that it actively listens on it,
but only that it does not bother to stop. You might check this theory
by trying to connect to the port *after* apache is shut down. If I'm
right you should get no answer at all.

So, the solution is to have the file descriptors close when exec'ing
stunnel. PHP or apache might have some option somewhere to do that
(look for "close on exec" or something similarly named), but if not,
you might have to write some sort of wrapper to do it. It's a messy
thing, because AFAIK there's no clean way to do it short of

 for (i = 0; i < [some-hopefully-large-enough-value]; i++)
     close(i);

where the [large-enough-value] is determined by your system's file
descriptor limit and your desire not to loop all the way to 2^32 or

Rodrigo i-think-this-time-i-answered-the-question-asked Gallardo
GPG-Fingerprint: 7C81 E60C 442E 8FBC D975  2F49 0199 8318 ADC9 BC28
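The inheritance described in the reply above, shown end to end as an added example (not code from the list post or from stunnel). It is written for a POSIX system and assumes /bin/sh is present; a pipe stands in for apache's listening socket, since the kernel treats both as ordinary descriptors across fork() and exec(). A child is fork()ed and exec()s a shell that tries to use the descriptor; with nothing done the shell still has it, with FD_CLOEXEC set on it the shell does not, and with the close-everything loop from the mail run before exec the shell does not either. The loop is bounded by sysconf(_SC_OPEN_MAX) with a cap, which is my assumption rather than anything the mail prescribes.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* The wrapper approach from the mail: close every descriptor above stderr
 * before exec'ing the child. The limit comes from sysconf() instead of
 * looping to 2^32; the cap is an assumption to keep the demo fast on hosts
 * with a huge RLIMIT_NOFILE (descriptors above the cap would still leak). */
void close_inherited_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;
    for (long fd = 3; fd < max; fd++)
        close((int)fd);
}

/* fork()+exec() "/bin/sh -c ': 2>/dev/null >&FD'" and report whether the
 * shell could still use descriptor fd: the redirection only succeeds if the
 * descriptor survived the exec. Returns 1 if inherited, 0 if it was gone,
 * -1 on error (including no /bin/sh, which exits 127). */
static int child_sees_fd(int fd, int run_close_loop)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (run_close_loop)
            close_inherited_fds();          /* emulate a closing wrapper */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Create a pipe (standing in for the listening socket), optionally mark
 * the write end close-on-exec, and report whether an exec'd child still
 * holds it. Returns 1 (inherited), 0 (not inherited) or -1 (error). */
int inherited_after_exec(int set_cloexec, int run_close_loop)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    int fd = p[1];

    if (set_cloexec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(p[0]);
            close(p[1]);
            return -1;
        }
    }

    int r = child_sees_fd(fd, run_close_loop);
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    printf("plain exec:        child sees fd? %d\n", inherited_after_exec(0, 0));
    printf("FD_CLOEXEC set:    child sees fd? %d\n", inherited_after_exec(1, 0));
    printf("close loop + exec: child sees fd? %d\n", inherited_after_exec(0, 1));
    return 0;
}
```

Setting FD_CLOEXEC on the listening socket in the parent is the cheap fix when you control the parent's code; the close loop is what a wrapper between apache/PHP and stunnel has to do when you do not.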