[stunnel-users] Stunnel as windows service doesn't start on restart.

Pierre DELAAGE delaage.pierre at free.fr
Tue Sep 23 20:05:05 CEST 2014


Sorry to tell you, but...

On a Windows 7 Home machine, with a HOSTNAME in the stunnel conf and NO 
DELAY at service startup:
I can start the service, then reboot,
then, at first, my log file says ": Error resolving 'HOSTNAME ': 
Neither nodename nor servname known (EAI_NONAME)"
and later, when I try to use the tunnel (and at that time DNS is 
working), resolving works...

and everything is OK, so...

Even if DNS is NOT available at startup, stunnel 5.04 is able to resolve 
the remote server hostname "later".



2014.09.23 19:23:17 LOG7[2612]: No limit detected for the number of clients
2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on x86-pc-msvc-1500 platform
2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL 
1.0.1i-fips 6 Aug 2014
2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32 Sockets:SELECT,IPv6 
SSL:ENGINE,OCSP,FIPS
2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
2014.09.23 19:23:17 LOG5[2612]: Reading configuration from file stunnel.conf
2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
2014.09.23 19:23:17 LOG7[2612]: Compression disabled
2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from C:/.rnd
2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to C:/.rnd
2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]

2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ': Neither 
nodename nor servname known (EAI_NONAME)

2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target - delaying 
DNS lookup/(COMMENT : stunnel is a good fellow !)/

2014.09.23 19:23:17 LOG6[2612]: Loading cert from file: 
C:\Users\standard\Documents\Perso\SSL\johndoe.crt
2014.09.23 19:23:18 LOG6[2612]: Loading key from file: 
C:\Users\standard\Documents\Perso\SSL\johndoe.uky
2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
2014.09.23 19:23:18 LOG5[2612]: Configuration successful
2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound to 
127.0.0.1:81
2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted (FD=208) from 
127.0.0.1:49164
2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
2014.09.23 19:24:32 LOG7[2612]: New thread created
2014.09.23 19:24:32 LOG7[588]: Service [https] started
2014.09.23 19:24:32 LOG5[588]: Service [https] accepted connection from 
127.0.0.1:49164
2014.09.23 19:24:32 LOG6[588]: s_connect: connecting XXX.YYY.UUU.III:443
2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait 
XXX.YYY.UUU.III:443: waiting 10 seconds
2014.09.23 19:24:32 LOG5[588]: s_connect: connected XXX.YYY.UUU.III:443
2014.09.23 19:24:32 LOG5[588]: Service [https] connected remote server 
from 192.168.3.220:49165
2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): before/connect 
initialization
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3 write 
client hello A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server 
hello A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server 
certificate A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server 
certificate request A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server done A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client 
certificate A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client 
key exchange A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write 
certificate verify A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write change 
cipher spec A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write finished A
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 flush data
2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read finished A

So I am sorry to say that I cannot reproduce that bug.

Anyway, there are many services on a heavily loaded machine that can slow 
down the service startup or interfere with file management:

Antivirus? Try to deactivate it.
Firewall: the same...
Any other piece of software that is not absolutely necessary at boot time.

Plus: even if you don't use hostnames in the conf file, I suggest that you 
try the "dnscache" dependency anyway,
because you probably have hostnames in your certificates.

Regards
Pierre



On 23/09/2014 18:05, John Smith wrote:
> Network: Ethernet
> Multiple routers: No
> Firewall: No
> Delay: Yes, Automatic (Delayed Start) works like a charm.
> Capi engine: Yes tried turning it off
> 32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit 
> version on the download page?
> dnscache: Haven't tried it yet.
>
>
> - stunnel works fine on the server specifically with the service set 
> to Automatic (Delayed Start). And I even tunnel properly to other 
> machines, so it's not firewalls or routers or network.
> - Only when it's NOT (Delayed Start) does stunnel not seem to start, 
> even though the service shows as started.
> - I managed to tunnel from my Desktop to the Server. I have not tried 
> automatic service startup on Desktop because I don't have enough 
> privileges. But I am trying to set up the server, since that's the machine 
> that will have stunnel in production.
>
>
>
>
> On 23 September 2014 10:04, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>
>     Have you tried to change the service dependency from "TCPIP" (the
>     default in the code) to "dnscache" (OK, EVEN if you do not use
>     hostname resolution)?
>     This is just to be sure that stunnel relies on something that is
>     using TCP/IP as well.
>
>     question : what kind of network interface do you have :
>
>     wifi ?
>     ethernet board ?
>
>     Are you traversing multiple routers ?
>
>     Are you using multiple firewalls ?
>
>     Have you tuned a delay as suggested a few days ago ?
>
>     Can you try without specifying "capi engine" ?
>
>     Are you using stunnel 32 bits or 64 bits : if 64, try the 32
>     version as well.
>
>     I am reviewing the code and will soon run some tests on W7 32-bit.
>
>     Regards
>     Pierre
>
>
>
>     On 23/09/2014 15:30, John Smith wrote:
>>     I wish you were right but unfortunately it's running lol
>>
>>     On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>
>>         When you observe that log is empty and that "stunnel shows as
>>         started",
>>         do a CTRL ALT DEL to check if there is any process called
>>         "stunnel" that is really running...
>>
>>         I have a doubt that, although scm says stunnel is running, in
>>         fact it is not.
>>
>>         Regards
>>         Pierre
>>
>>         On 22/09/2014 21:43, John Smith wrote:
>>>         Hi I used administrator account and defaults to install. It
>>>         is installed at Program Files (x86)
>>>
>>>         The service is set to run as local system account and
>>>         interact with desktop is checked.
>>>
>>>         Once the machine is booted... Login open service control
>>>         panel, stunnel shows as started. Go look at logs nothing
>>>         there... In service control panel hit the restart button.
>>>         And it comes up properly.
>>>
>>>         My config is as follows:
>>>
>>>         ; Debugging stuff (may useful for troubleshooting)
>>>         ;debug = 7
>>>         output = stunnel.log
>>>
>>>         ; Initialize Microsoft CryptoAPI interface
>>>         engine = capi
>>>         ; Also needs "engineID = capi" in each section using the
>>>         CAPI engine
>>>
>>>         [es-tcp]
>>>         accept = ${SERVER_IP}:9300
>>>         connect = 127.0.0.1:9300
>>>         cert = ....
>>>         CAfile = ....
>>>         verify = 2
>>>
>>>         [es-http]
>>>         accept = ${SERVER_IP}:9200
>>>         connect = 127.0.0.1:9200
>>>         cert = ....
>>>         CAfile = ....
>>>         verify = 2
>>>
>>>         [es-disc-local]
>>>         client = yes
>>>         accept = 127.0.0.1:9700
>>>         connect = ${SERVER_IP}:9300
>>>         cert = ....
>>>
>>>
>>>
>>>         On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>
>>>             Hello,
>>>             I can tell my patch was addressing a read-file error on
>>>             the conf file,
>>>             but, unfortunately, not at all "dependencies of the stunnel
>>>             service at start up",
>>>             which is likely to be the core problem preventing stunnel from
>>>             starting correctly at boot time for people on that thread.
>>>
>>>             Michal added explicit dependencies at startup, that is
>>>             necessary to solve that bug. I did not check yet its
>>>             implementation.
>>>
>>>             But maybe some services, although started, are still
>>>             "not ready" when stunnel starts, so that this makes
>>>             stunnel fail.
>>>
>>>             I suggest that stunnel checks, not only the
>>>             availability, but also the "efficiency" of the DNS
>>>             service by trying to resolve a well-known server.
>>>             It should retry for, e.g., 3 seconds, and then stop
>>>             with some report if it fails to resolve the hostname,
>>>             either by lack of network, or by lack of answer from the
>>>             name resolver.
>>>             But...it seems that when having problems at startup, it
>>>             cannot even log anything....maybe this is due to the
>>>             identity of the "system user" of stunnel at that particular
>>>             moment: a user that may have no right to write on the HD.
>>>
>>>             People should check also the installation location of
>>>             stunnel: it is supposed (and has predefined shortcuts
>>>             for that) to be installed PREFERABLY in "c:\program
>>>             files\stunnel".
>>>             I recommend using that location.
>>>
>>>             They also should try to resolve by hand the hostnames
>>>             they put in their stunnel conf file, just to be sure.
>>>
>>>             On some network or machines, maybe there is a problem
>>>             with the firewall and SOME services tunneled by stunnel
>>>             on forbidden ports.
>>>
>>>             On the other hand, it sounds strange that just restarting
>>>             stunnel (in user mode or service mode?) is solving the
>>>             problem:
>>>             this sounds like unavailability of DNS at startup.
>>>
>>>             I did not investigate that particular problem, but I
>>>             will perform some tests soon with the latest 5.04 (or 5.05).
>>>
>>>             Yours sincerely
>>>             Pierre
>>>
>>>
>>>
>>>             On 22/09/2014 19:20, 541401 at gmail.com wrote:
>>>>             Using Stunnel on several Windows Server 2008 R2 SP1
>>>>             machines (all such machines are X64 as the OS is only
>>>>             released as X64).
>>>>
>>>>             During August of 2014 I reported in this forum the
>>>>             current version of Stunnel would not function as a
>>>>             service under the above OS, even if using a delayed
>>>>             start, it might run but it would not work.  I reverted
>>>>             to using version 4.35, which did work properly.
>>>>
>>>>             Pierre DeLagge was kind enough to provide me with a
>>>>             copy of his patched Stunnel 5.02, which I am still
>>>>             using and which is working flawlessly on my production
>>>>             servers.  No delayed start required.
>>>>
>>>>             I am wondering if Pierre's 5.02 patch has been
>>>>             incorporated into the most recently released Stunnel,
>>>>             5.04? Has anyone been successful in getting the most
>>>>             current version to actually work under the above
>>>>             environment without delaying the start of the service?
>>>>
>>>>             Just to add a little color and background to the story,
>>>>             I am using the native WS2008R2SP1 SMTP server on each
>>>>             machine, in conjunction with Stunnel, so as to forward
>>>>             OS event notifications through a gmail account.
>>>>
>>>>
>>>>
>>>>             On 09.22.2014 06:54, John Smith wrote:
>>>>>             I tried 5.04. on Windows Server 2008 R2 Enterprise
>>>>>             Service Pack 1 x64
>>>>>
>>>>>
>>>>>             Same issue. Service shows as started, but no log. If I
>>>>>             go manual restart it works.
>>>>>
>>>>>             Have to put delayed startup.
>>>>>
>>>>>             On 18 September 2014 16:15, John Smith <java.dev.mtl at gmail.com> wrote:
>>>>>
>>>>>                 For now i'm happy with 5.03 Already in production
>>>>>                 so I will have to wait next time! :)
>>>>>
>>>>>                 On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
>>>>>
>>>>>                     -----BEGIN PGP SIGNED MESSAGE-----
>>>>>                     Hash: SHA1
>>>>>
>>>>>                     Jose Alf. wrote:
>>>>>                     > Regarding stunnel service dependencies, If
>>>>>                     you read the 5.04 beta
>>>>>                     > announcement, the dependency is created
>>>>>                     automatically now when you
>>>>>                     > install stunnel as a service. Please give it
>>>>>                     a try. Looks like it
>>>>>                     > works for me.
>>>>>                     >
>>>>>                     > Thanks to Mike for implementing that.
>>>>>
>>>>>                     Thank you for testing it.
>>>>>
>>>>>                     Best regards,
>>>>>                             Mike
>>>>>                     -----BEGIN PGP SIGNATURE-----
>>>>>                     Version: GnuPG v1
>>>>>
>>>>>                     iEYEARECAAYFAlQZ+NsACgkQ/NU+nXTHMtGdAgCdFUQ6YWXDdE0g4ZNoys3DSR0Q
>>>>>                     yLoAnRgo4jKIzb93fzEZcV79eoAQLXMR
>>>>>                     =+xFQ
>>>>>                     -----END PGP SIGNATURE-----
>>>>>                     _______________________________________________
>>>>>                     stunnel-users mailing list
>>>>>                     stunnel-users at stunnel.org
>>>>>                     <mailto:stunnel-users at stunnel.org>
>>>>>                     https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
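The checks the thread asks for by hand (is a stunnel process really behind the "Running" state the SCM reports, which dependency and start type the service is registered with, do the connect targets in stunnel.conf resolve right now, and applying the "dnscache" dependency plus delayed start with sc.exe) can be done from one elevated PowerShell prompt. The script below is an added example for this page, not code from the thread or from the stunnel project. It assumes the service is registered under the name "stunnel", that the config file is under the Program Files (x86) install directory John mentions, and that ${VAR} placeholders in connect lines should be expanded from the environment the same way stunnel does; adjust the parameters to your install.

```powershell
# Added example (not from this thread, not stunnel's own code). Run from an
# elevated PowerShell prompt on the affected server. Assumed: service name
# "stunnel" and the config path below; both are parameters.
param(
    [string]$ServiceName = 'stunnel',
    [string]$ConfPath    = 'C:\Program Files (x86)\stunnel\config\stunnel.conf',
    [switch]$Fix   # also apply the Dnscache dependency and delayed start
)

# 1. What the SCM believes versus whether a process really backs it.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed" }
"SCM state  : {0} (start mode {1}, runs as {2})" -f $svc.State, $svc.StartMode, $svc.StartName
"Binary     : {0}" -f $svc.PathName
if ($svc.State -eq 'Running') {
    $proc = $null
    if ($svc.ProcessId -gt 0) { $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue }
    if (-not $proc) { "WARNING: SCM says Running but no process with PID {0} exists" -f $svc.ProcessId }
}

# 2. Dependencies and delayed start as recorded for the service in the registry.
$reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
"Depends on : {0}" -f (@($reg.DependOnService) -join ', ')
"Delayed    : {0}" -f ([int]$reg.DelayedAutostart -eq 1)

# 3. Resolve every "connect =" target in stunnel.conf, which is what stunnel
#    has to do when the service starts. The evaluator expands ${VAR} from the
#    environment to mimic stunnel's own expansion (assumption for this check).
$expand = { param($m) [Environment]::GetEnvironmentVariable($m.Groups[1].Value) }
Get-Content $ConfPath | ForEach-Object {
    if ($_ -notmatch '^\s*connect\s*=\s*(\S+)') { return }
    $target = [regex]::Replace($matches[1], '\$\{(\w+)\}', $expand)
    if ($target -notmatch ':') { return }                              # bare port: localhost
    $name = ($target -replace ':[^:]*$', '') -replace '^\[|\]$', ''    # strip port, [ipv6]
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($name, [ref]$ip)) { return }  # literal IP, no DNS
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        "Resolve {0,-28} OK -> {1}" -f $name, ($addrs -join ', ')
    } catch {
        "Resolve {0,-28} FAILED: {1}" -f $name, $_.Exception.Message
    }
}

# 4. Optional fix: make the SCM start stunnel only after the DNS Client
#    service (Dnscache) and use a delayed start, then show the new config.
if ($Fix) {
    sc.exe config $ServiceName depend= Dnscache/Tcpip | Out-Null
    sc.exe config $ServiceName start= delayed-auto   | Out-Null
    sc.exe qc $ServiceName
}

# 5. Last lines of the log file named by "output =". A relative path is taken
#    here as relative to the config directory (assumption; adjust if needed).
$outLine = Get-Content $ConfPath | Where-Object { $_ -match '^\s*output\s*=\s*(\S+)' } | Select-Object -First 1
if ($outLine -and $outLine -match '^\s*output\s*=\s*(\S+)') {
    $log = $matches[1]
    if (-not [System.IO.Path]::IsPathRooted($log)) { $log = Join-Path (Split-Path $ConfPath) $log }
    if (Test-Path $log) { Get-Content $log | Select-Object -Last 15 } else { "No log file at $log" }
}
```

Run it without arguments to diagnose, and with -Fix to apply the two settings discussed in the thread; sc.exe config needs an elevated prompt, the space after "depend=" and "start=" is required by sc.exe syntax, and the change only takes effect at the next service start, so reboot and run the script again to confirm that the SCM state, the process and the log agree.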

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140923/01e895e3/attachment-0001.html>

