[stunnel-users] Stunnel as windows service doesn't start on restart.

John Smith java.dev.mtl at gmail.com
Tue Sep 23 20:27:47 CEST 2014


OK, when I have a chance I will try dnscache.

On 23 September 2014 14:05, Pierre DELAAGE <delaage.pierre at free.fr> wrote:

>  Sorry to tell but...
>
> On a windows 7 home machine, with a HOSTNAME in the stunnel conf, NO DELAY
> at service startup :
> I can start the service, then reboot,
> then, at first, my log file is saying ": Error resolving 'HOSTNAME ':
> Neither nodename nor servname known (EAI_NONAME)"
> and later, when I try to use the tunnel (and at that time dns is working),
> resolving is working...
>
> and everything is OK so....
>
> Even if dns is NOT available at startup, stunnel 504 is able to resolve
> "later" the remote server hostname.
>
>
>
> 2014.09.23 19:23:17 LOG7[2612]: No limit detected for the number of clients
> 2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on x86-pc-msvc-1500 platform
> 2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL 1.0.1i-fips
> 6 Aug 2014
> 2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32 Sockets:SELECT,IPv6
> SSL:ENGINE,OCSP,FIPS
> 2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
> 2014.09.23 19:23:17 LOG5[2612]: Reading configuration from file
> stunnel.conf
> 2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
> 2014.09.23 19:23:17 LOG7[2612]: Compression disabled
> 2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from C:/.rnd
> 2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to C:/.rnd
> 2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
> 2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
>
> 2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ': Neither
> nodename nor servname known (EAI_NONAME)
>
> 2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target - delaying
> DNS lookup (COMMENT: stunnel is a good fellow!)
>
> 2014.09.23 19:23:17 LOG6[2612]: Loading cert from file:
> C:\Users\standard\Documents\Perso\SSL\johndoe.crt
> 2014.09.23 19:23:18 LOG6[2612]: Loading key from file:
> C:\Users\standard\Documents\Perso\SSL\johndoe.uky
> 2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
> 2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
> 2014.09.23 19:23:18 LOG5[2612]: Configuration successful
> 2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound to
> 127.0.0.1:81
> 2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted (FD=208) from
> 127.0.0.1:49164
> 2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
> 2014.09.23 19:24:32 LOG7[2612]: New thread created
> 2014.09.23 19:24:32 LOG7[588]: Service [https] started
> 2014.09.23 19:24:32 LOG5[588]: Service [https] accepted connection from
> 127.0.0.1:49164
> 2014.09.23 19:24:32 LOG6[588]: s_connect: connecting XXX.YYY.UUU.III:443
> 2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait XXX.YYY.UUU.III:443:
> waiting 10 seconds
> 2014.09.23 19:24:32 LOG5[588]: s_connect: connected XXX.YYY.UUU.III:443
> 2014.09.23 19:24:32 LOG5[588]: Service [https] connected remote server
> from 192.168.3.220:49165
> 2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
> 2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): before/connect
> initialization
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3 write client
> hello A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server
> hello A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server
> certificate A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server
> certificate request A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read server done
> A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client
> certificate A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write client key
> exchange A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write
> certificate verify A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write change
> cipher spec A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 write finished A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 flush data
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read finished A
>
> So I am sorry to say that I cannot reproduce that bug.
>
> Anyway there are many services, on a heavily loaded machine, that can slow
> down the service startup or interfere with file management:
>
> Antivirus ? try to deactivate it.
> Firewall : the same...
> any other piece of software that is not absolutely necessary at boot time.
>
> Plus : Even if you don't use hostnames in conf file I suggest that you try
> "dnscache" dependency anyway:
> because you probably have hostnames in your certificates.
>
> Regards
> Pierre
>
>
>
> On 23/09/2014 18:05, John Smith wrote:
>
> Network: Ethernet
> Multiple routers: No
> Firewall: No
> Delay: Yes, Automatic (Delayed Start) works like a charm.
> Capi engine: Yes tried turning it off
> 32 bit or 64 bit: 32bit running on 64 bit server. I don't see a 64 bit
> version on the download page?
> dnscache: Haven't tried it yet.
>
>
> - stunnel works fine on the server specifically with the service set to
> Automatic (Delayed Start). And I even tunnel properly to other machines, so
> it's not firewalls or routers or network.
> - Only when it's NOT (Delayed Start) does stunnel not seem to start, even
> though the service shows as started.
> - I managed to tunnel from my Desktop to the Server. I have not tried
> automatic service startup on Desktop because I don't have enough
> privileges. But I am trying to set up the server, since that's the machine that
> will have stunnel in production.
>
>
>
>
> On 23 September 2014 10:04, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>
>>  Have you tried to change the service dependency from "TCPIP" (the
>> default in the code), to "dnscache" (ok, EVEN if you do not use hostname
>> resolution),
>> this is just to be sure that stunnel relies on something that is using
>> tcpip as well.
>>
>> question : what kind of network interface do you have :
>>
>> wifi ?
>> ethernet board ?
>>
>> Are you traversing multiple routers ?
>>
>> Are you using multiple firewalls ?
>>
>> Have you tuned a delay as suggested a few days ago ?
>>
>> Can you try without specifying "capi engine" ?
>>
>> Are you using stunnel 32 bits or 64 bits : if 64, try the 32 version as
>> well.
>>
>> I am reviewing the code and will soon run some tests on w7-32bits.
>>
>> Regards
>> Pierre
>>
>>
>>
>> On 23/09/2014 15:30, John Smith wrote:
>>
>> I wish you were right but unfortunately it's running lol
>>
>> On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre at free.fr>
>> wrote:
>>
>>>  When you observe that log is empty and that "stunnel shows as started",
>>> do a CTRL ALT DEL to check if there is any process called "stunnel" that
>>> is really running...
>>>
>>> I have a doubt that, although scm says stunnel is running, in fact it is
>>> not.
>>>
>>> Regards
>>> Pierre
>>>
>>> On 22/09/2014 21:43, John Smith wrote:
>>>
>>> Hi, I used the administrator account and defaults to install. It is installed
>>> at Program Files (x86).
>>>
>>> The service is set to run as the local system account and "interact with
>>> desktop" is checked.
>>>
>>> Once the machine is booted... Login, open the service control panel,
>>> stunnel shows as started. Go look at the logs, nothing there... In the service
>>> control panel hit the restart button. And it comes up properly.
>>>
>>> My config is as follows:
>>>
>>> ; Debugging stuff (may be useful for troubleshooting)
>>> ;debug = 7
>>> output = stunnel.log
>>>
>>> ; Initialize Microsoft CryptoAPI interface
>>> engine = capi
>>> ; Also needs "engineID = capi" in each section using the CAPI engine
>>>
>>> [es-tcp]
>>> accept = ${SERVER_IP}:9300
>>> connect = 127.0.0.1:9300
>>> cert = ....
>>> CAfile = ....
>>> verify = 2
>>>
>>> [es-http]
>>> accept = ${SERVER_IP}:9200
>>> connect = 127.0.0.1:9200
>>> cert = ....
>>> CAfile = ....
>>> verify = 2
>>>
>>> [es-disc-local]
>>> client = yes
>>> accept = 127.0.0.1:9700
>>> connect = ${SERVER_IP}:9300
>>> cert = ....
>>>
>>>
>>>
>>> On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre at free.fr>
>>> wrote:
>>>
>>>>  Hello,
>>>> I can tell my patch was addressing a read file error on the conf file,
>>>> but, unfortunately, not at all "dependencies of the stunnel service at
>>>> start up",
>>>> which is likely to be the core problem preventing stunnel from starting correctly
>>>> at boot time for people on that thread.
>>>>
>>>> Michal added explicit dependencies at startup, which is necessary to
>>>> solve that bug. I have not checked its implementation yet.
>>>>
>>>> But maybe some services, although started, are still "not ready" when
>>>> stunnel starts, so that this makes stunnel fail.
>>>>
>>>> I suggest that stunnel checks, not only the availability, but also the
>>>> "efficiency" of the DNS service by trying to resolve a well known server.
>>>> It should retry for, e.g., 3 seconds, and then stop with some report
>>>> if it fails to resolve the hostname,
>>>> either by lack of network, or by lack of answer from the name resolver.
>>>> But... it seems that when having problems at startup, it cannot even log
>>>> anything... maybe this is due to the identity of the "system user" of stunnel
>>>> at that particular moment: a user that may have no right to write on the HD.
>>>>
>>>> People should also check the installation location of stunnel: it is
>>>> supposed (and has predefined shortcuts for that) to be installed
>>>> PREFERABLY in "c:\program files\stunnel".
>>>> I recommend using that location.
>>>>
>>>> They also should try to resolve by hand the hostnames they put in their
>>>> stunnel conf file, just to be sure.
>>>>
>>>> On some network or machines, maybe there is a problem with the firewall
>>>> and SOME services tunneled by stunnel on forbidden ports.
>>>>
>>>> On the other hand, it sounds strange that just restarting stunnel (in
>>>> user mode or service mode?) is solving the problem:
>>>> this sounds like unavailability of DNS at startup.
>>>>
>>>> I did not investigate that particular problem, but I will perform some
>>>> tests soon with the latest 504 (or 505).
>>>>
>>>> Yours sincerely
>>>> Pierre
>>>>
>>>>
>>>>
>>>> On 22/09/2014 19:20, 541401 at gmail.com wrote:
>>>>
>>>> Using Stunnel on several Windows Server 2008 R2 SP1 machines (all such
>>>> machines are X64 as the OS is only released as X64).
>>>>
>>>> During August of 2014 I reported in this forum the current version of
>>>> Stunnel would not function as a service under the above OS, even if using a
>>>> delayed start, it might run but it would not work.  I reverted to using
>>>> version 4.35, which did work properly.
>>>>
>>>> Pierre Delaage was kind enough to provide me with a copy of his patched
>>>> Stunnel 5.02, which I am still using and which is working flawlessly on my
>>>> production servers.  No delayed start required.
>>>>
>>>> I am wondering if Pierre's 5.02 patch has been incorporated into the
>>>> most recently released Stunnel, 5.04?  Has anyone been successful in
>>>> getting the most current version to actually work under the above
>>>> environment without delaying the start of the service?
>>>>
>>>> Just to add a little color and background to the story, I am using the
>>>> native WS2008R2SP1 SMTP server on each machine, in conjunction with
>>>> Stunnel, so as to forward OS event notifications through a gmail account.
>>>>
>>>>
>>>>
>>>> On 09.22.2014 06:54, John Smith wrote:
>>>>
>>>> I tried 5.04 on Windows Server 2008 R2 Enterprise Service Pack 1 x64
>>>>
>>>>
>>>> Same issue. Service shows as started, but no log. If I do a manual
>>>> restart it works.
>>>>
>>>> Have to put delayed startup.
>>>>
>>>> On 18 September 2014 16:15, John Smith <java.dev.mtl at gmail.com> wrote:
>>>>
>>>>> For now I'm happy with 5.03. Already in production, so I will have to
>>>>> wait for next time! :)
>>>>>
>>>>> On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara at mirt.net>
>>>>> wrote:
>>>>>
>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>> Hash: SHA1
>>>>>>
>>>>>> Jose Alf. wrote:
>>>>>> > Regarding stunnel service dependencies, If you read the 5.04 beta
>>>>>> > announcement, the dependency is created automatically now when you
>>>>>> > install stunnel as a service. Please give it a try. Looks like it
>>>>>> > works for me.
>>>>>> >
>>>>>> > Thanks to Mike for implementing that.
>>>>>>
>>>>>> Thank you for testing it.
>>>>>>
>>>>>> Best regards,
>>>>>>         Mike
>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>> Version: GnuPG v1
>>>>>>
>>>>>> iEYEARECAAYFAlQZ+NsACgkQ/NU+nXTHMtGdAgCdFUQ6YWXDdE0g4ZNoys3DSR0Q
>>>>>> yLoAnRgo4jKIzb93fzEZcV79eoAQLXMR
>>>>>> =+xFQ
>>>>>> -----END PGP SIGNATURE-----
>>>>>>  _______________________________________________
>>>>>> stunnel-users mailing list
>>>>>> stunnel-users at stunnel.org
>>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>
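The thread above circles around two checks an administrator can script rather than eyeball: whether the stunnel service is ordered after the DNS client (the "TCPIP" versus "dnscache" dependency and the Automatic (Delayed Start) workaround), and whether every `connect =` host in stunnel.conf actually resolves, which Pierre asks people to verify by hand. The following PowerShell script is an added example written for this page, not code from the thread or from the stunnel project. It assumes the service is registered under the name `stunnel` (the name stunnel's `-install` switch uses) and that the configuration lives at the path in `$ConfPath`; both are parameters you can override. Reading the registry and resolving names needs no elevation; the `sc.exe config` commands it prints must be run from an elevated prompt.

```powershell
# Added example (not from the thread or the stunnel project).
# 1) Report how the SCM will start the stunnel service: dependencies,
#    delayed start, and the account it runs as.
# 2) Parse stunnel.conf and resolve every "connect =" target through the
#    same Winsock resolver stunnel uses, so a boot-time EAI_NONAME like the
#    one in the quoted log can be reproduced from a shell.
param(
    [string]$ServiceName = 'stunnel',                                     # assumption: default "stunnel -install" name
    [string]$ConfPath    = 'C:\Program Files (x86)\stunnel\stunnel.conf'  # assumption: install location from the thread
)

function Get-StunnelServiceStartup {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "Service '$Name' is not registered" }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Service      = $Name
        # Start = 2 is Automatic; DelayedAutostart = 1 makes it Automatic (Delayed Start)
        DelayedStart = ($p.Start -eq 2 -and $p.DelayedAutostart -eq 1)
        # REG_MULTI_SZ of services the SCM starts before this one ("Tcpip" by default in stunnel)
        DependsOn    = @($p.DependOnService)
        # Account the service runs under; LocalSystem by default
        RunAs        = $p.ObjectName
    }
}

function Get-StunnelConnectTargets {
    param([string]$Path)
    # stunnel.conf is INI-like: "[section]" headers and "key = value" lines; ';' and '#' start comments.
    $section = '(global)'
    foreach ($line in Get-Content -Path $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('#')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($t -match '^connect\s*=\s*(.+)$') {
            $target = $Matches[1].Trim()           # trailing blanks would otherwise become part of the hostname
            if ($target -match '^(.+):(\d+)$') {
                $targetHost = $Matches[1].Trim('[', ']')   # strip IPv6 literal brackets
                $port       = [int]$Matches[2]
            } else {
                # stunnel treats a bare port as localhost
                $targetHost = '127.0.0.1'
                $port       = [int]$target
            }
            [pscustomobject]@{ Section = $section; TargetHost = $targetHost; Port = $port }
        }
    }
}

function Test-StunnelConnectResolution {
    param([string]$Path)
    foreach ($t in Get-StunnelConnectTargets -Path $Path) {
        $addresses = @()
        $err = $null
        try {
            # GetHostAddresses goes through Winsock's getaddrinfo, the call that
            # failed with EAI_NONAME in the quoted boot-time log.
            $addresses = @([System.Net.Dns]::GetHostAddresses($t.TargetHost) | ForEach-Object { $_.IPAddressToString })
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Section   = $t.Section
            Target    = "$($t.TargetHost):$($t.Port)"
            Resolved  = ($addresses.Count -gt 0)
            Addresses = ($addresses -join ', ')
            Error     = $err
        }
    }
}

# --- usage ---
$startup = Get-StunnelServiceStartup -Name $ServiceName
$startup | Format-List

if (-not $startup.DelayedStart -and ($startup.DependsOn -notcontains 'Dnscache')) {
    Write-Warning "Service '$ServiceName' starts immediately and does not wait for the DNS client. From an elevated prompt, either:"
    Write-Host "  sc.exe config $ServiceName depend= Tcpip/Dnscache    # start after the DNS Client service"
    Write-Host "  sc.exe config $ServiceName start= delayed-auto       # or switch to Automatic (Delayed Start)"
}

Test-StunnelConnectResolution -Path $ConfPath | Format-Table -AutoSize
```

The dependency check reads `DependOnService` from the registry rather than `Get-Service`, because Windows PowerShell 5.1 does not distinguish Automatic from Automatic (Delayed Start) in `StartType`; the `DelayedAutostart` value is where that flag actually lives. Resolving the `connect =` hosts from a normal user session only shows that the resolver works once the machine is up; to reproduce the boot-time failure the thread describes, run the resolution part from a scheduled task set to start at system startup under the same account the service uses.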