[stunnel-users] Weird problem starting stunnel

Matthew Lunnon mlunnon at rwa-net.co.uk
Mon Feb 3 11:55:52 CET 2014


Hello,

Can anyone enlighten me on the following:

I have installed stunnel on my Mac (OS X Lion) and it all runs just 
fine. When I put this on another machine (OS X Mountain Lion) stunnel 
refuses to start.
I include the output and the stunnel.conf file below. We have some 
experience of stunnel as we have been using it in both client and server 
mode on Windows and RedHat for years but none of my colleagues can give 
me much help here. It looks to me like although stunnel is reporting 
that it is starting with the correct stunnel.conf file it is actually 
using something else as:
1) no stunnel.log file is created
2) after successfully seeding the PRNG it seems to be initializing inetd 
mode and starting as a service when this should be starting in client 
mode. (The only way I can get it to do something similar on the machine 
that works is to remove all the service definitions and put in a line 
service = SERVICE; then it blows up, but with a slightly different error 
about needing an end/connection point (not sure of the exact error), and 
then it fails. Even so, in this case it will still create an output log 
in the correct place.)

My thoughts are that it might be something to do with the installation 
process of stunnel that hasn't been followed properly or some kind of 
permissions issue.

Apologies if I am being dim but I am at a bit of a loss to explain what 
is going on here. I do not have direct access to the second machine and 
am trying to support it over the phone.

Thanks for any help.

Matthew

==========================================================================
= Here is the output:
==========================================================================

Last login: Fri Jan 31 10:44:30 on ttys000
Administrator:~ admin$ cd stunnel
Administrator:stunnel admin$ stunnel /Users/admin/stunnel/stunnel.conf
Clients allowed=125
stunnel 4.56 on x86_64-apple-darwin11.4.2 platform
Compiled with OpenSSL 0.9.8r 8 Feb 2011
Running  with OpenSSL 0.9.8y 5 Feb 2013
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD Sockets:SELECT,IPv6 SSL:ENGINE,OCSP Auth:LIBWRAP
Reading configuration from file /Users/admin/stunnel/stunnel.conf
Compression not enabled
Snagged 64 random bytes from /Users/admin/.rnd
Wrote 1024 new random bytes to /Users/admin/.rnd
PRNG seeded successfully
Initializing inetd mode configuration
Service [stunnel]: SSL server needs a certificate
str_stats: 2 block(s), 45 data byte(s), 116 control byte(s)
Administrator:stunnel admin$


==========================================================================
= And here is the stunnel.conf file:
==========================================================================

; Sample stunnel configuration file for Win32 by Michal Trojnara 2002-2012
; Some options used here may be inadequate for your particular configuration
; This sample file does *not* represent stunnel.conf defaults
; Please consult the manual for detailed description of available options

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; Debugging stuff (may useful for troubleshooting)
debug = 7
;output = stunnel.log

; Disable FIPS mode to allow non-approved protocols and algorithms
;fips = no

client=yes
sslVersion=SSLv3
output=/Users/admin/stunnel/stunnel.log
pid=/Users/admin/stunnel/stunnel.pid
; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Certificate/key is needed in server mode and optional in client mode
;cert = rwa2012.clientkeycert.pem
;key = stunnel.pem

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
;verify = 0
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
CAfile = /Users/admin/stunnel/ca.crt
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; These options provide additional security at some performance degradation
;options = SINGLE_ECDH_USE
;options = SINGLE_DH_USE

; **************************************************************************
; * Service definitions (at least one service has to be defined)           *
; **************************************************************************

[Gounder]
cert = /Users/admin/stunnel/gounder20141401011000.pem
accept=8128
connect=311.219.292.173:9876

[Gounder IJ]
cert = /Users/admin/stunnel/gounder20141401011000.pem
accept=9128
connect=311.219.292.173:9875

-- 
Matthew Lunnon
Technical Consultant
RWA Ltd.

  mlunnon at rwa-net.co.uk
  Tel: +44 (0)29 2081 5056
  www.rwa-net.co.uk
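The following is an added example, not code from the post or from the stunnel project: a small offline checker that parses an stunnel.conf the way someone supporting a remote machine might, and reports the conditions behind the two startup messages quoted above. Its assumptions are labelled in the code: that stunnel falls back to "Initializing inetd mode configuration" when it finds no [service] section, so a file whose section headers are not recognised (classic Mac CR-only line endings, or a rich-text file saved by an editor) reproduces the symptom; that a trailing CR on a line is tolerated; that verify = 2 needs a CAfile or CApath; and that an IPv4 octet above 255, as in the connect= lines of the posted file, is a placeholder rather than a reachable address. The sample configurations are constructed from the posted file.

```python
"""Offline sanity checker for an stunnel.conf (added example, not stunnel's
own parser). On a copy of the posted file it reproduces the two startup
messages from the post: "Initializing inetd mode configuration" and
"Service [stunnel]: SSL server needs a certificate"."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_stunnel_conf(raw: bytes):
    """Return (global_opts, services, notes) for an stunnel.conf given as bytes.

    Lines are split on LF only (assumption about stunnel's parser: a trailing
    CR is tolerated, but a CR-only file arrives as one long line). Keys are
    lower-cased and a repeated key keeps its last value.
    """
    notes = []
    if raw.lstrip().startswith(b"{\\rtf"):
        notes.append("file is RTF rich text, not plain text: nothing will parse")
        return {}, {}, notes
    if b"\r" in raw and b"\n" not in raw:
        notes.append("CR-only (classic Mac) line endings: whole file is a single line")
    global_opts, services = {}, {}
    current = global_opts
    for line in raw.decode("utf-8", errors="replace").split("\n"):
        line = line.strip()                 # also drops the CR of a CRLF file
        if not line or line[0] in ";#":     # blank line or comment
            continue
        m = SECTION_RE.match(line)
        if m:                               # "[name]" starts a service section
            current = services.setdefault(m.group(1).strip(), {})
            continue
        if "=" not in line:
            notes.append(f"ignored line without '=': {line[:40]!r}")
            continue
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return global_opts, services, notes


def check_stunnel_conf(raw: bytes):
    """Return a list of findings describing what stunnel would do with the file."""
    global_opts, services, findings = parse_stunnel_conf(raw)
    if not services:
        # Assumption: with no [service] section stunnel logs "Initializing
        # inetd mode configuration" and runs one implicit service named
        # "stunnel" built from the global options only.
        findings.append("no [service] section found: stunnel would log "
                        "'Initializing inetd mode configuration'")
        services = {"stunnel": {}}
    verify = global_opts.get("verify", "0")
    if verify.isdigit() and int(verify) >= 2 and not (
            "cafile" in global_opts or "capath" in global_opts):
        findings.append("verify = 2 requires CAfile or CApath to check the peer against")
    for name, opts in services.items():
        eff = {**global_opts, **opts}        # service options override globals
        if eff.get("client", "no").lower() != "yes" and "cert" not in eff:
            findings.append(f"service [{name}]: SSL server needs a certificate")
        target = eff.get("connect", "")
        host = target.rsplit(":", 1)[0] if ":" in target else target
        octets = host.split(".")
        if (len(octets) == 4 and all(o.isdigit() for o in octets)
                and any(int(o) > 255 for o in octets)):
            findings.append(f"service [{name}]: connect target {host} "
                            "is not a valid IPv4 address (octet above 255)")
    return findings


# Constructed sample: the posted stunnel.conf with its comments trimmed.
GOOD_CONF = b"""; trimmed copy of the posted stunnel.conf
debug = 7
client=yes
sslVersion=SSLv3
output=/Users/admin/stunnel/stunnel.log
pid=/Users/admin/stunnel/stunnel.pid
verify = 2
CAfile = /Users/admin/stunnel/ca.crt
options = NO_SSLv2

[Gounder]
cert = /Users/admin/stunnel/gounder20141401011000.pem
accept=8128
connect=311.219.292.173:9876

[Gounder IJ]
cert = /Users/admin/stunnel/gounder20141401011000.pem
accept=9128
connect=311.219.292.173:9875
"""
# Constructed variants: the same file with classic Mac CR line endings, and a
# rich-text wrapper of the kind an editor may save by default.
CR_ONLY_CONF = GOOD_CONF.replace(b"\n", b"\r")
RTF_CONF = b"{\\rtf1\\ansi client=yes\\par [Gounder]\\par accept=8128\\par}"

if __name__ == "__main__":
    for label, conf in (("LF", GOOD_CONF), ("CR-only", CR_ONLY_CONF), ("RTF", RTF_CONF)):
        print(f"== {label} ==")
        for finding in check_stunnel_conf(conf):
            print("  -", finding)
```

On the LF copy the only findings are the two connect= targets, whose third octet is above 255; on the CR-only and RTF copies the checker reports that no service section was found and that the implicit [stunnel] service would need a certificate, which is the pair of messages in the posted output.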
