[stunnel-users] stunnel HUP bug

Michal Trojnara Michal.Trojnara at mirt.net
Wed Feb 9 13:22:11 CET 2011

Stefan Behte wrote:
> AFAIK other products like apache solve this problem
> by running a main process as root and dropping privileges/capabilities
> subprocesses/threads that handle the connections. If you want to kill
> apache, you send it to the main process, not a process running with
> privileges.
> To be honest, I do not like the way stunnel currently handles this, when
> send a -HUP, I expect it to reload my config, without exceptions. Well,
> is a design decision, a workaround exists and it's documented, but

It's a good idea, but quite tough to implement.  It would require passing
socket descriptors, configuration file, certificates, private keys, CRLs,
and possibly other stuff between processes with different permissions.

I have updated my TODO list:

Alternatively I could just drop support for setuid and chroot, as my
budget is much smaller than the budget of Apache Foundation:


More information about the stunnel-users mailing list