[stunnel-users] Stunnel as windows service doesn't start on restart.

541401 at gmail.com 541401 at gmail.com
Wed Sep 24 17:59:09 CEST 2014


Ask Pierre for a copy of his patched 5.02, I bet that will solve your 
problem.



On 09.24.2014 08:51, John Smith wrote:
> Anyways I don't know what to say. But adding dnscache as dependency 
> didn't do anything either. Same issue service on bootup shows as 
> started but no logs. Restarting it through Service Control Manager works.
>
> Automatic (Delayed Start) at least for me works fine. I'll continue 
> working with that for now...
>
> On 23 September 2014 14:27, John Smith <java.dev.mtl at gmail.com> wrote:
>
>     Ok when I have a chance I will try dnscache
>
>     On 23 September 2014 14:05, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>
>         Sorry to tell but...
>
>         On a windows 7 home machine, with a HOSTNAME in the stunnel
>         conf, NO DELAY at service startup :
>         I can start the service, then reboot,
>         then, at first, my log file is saying ": Error resolving
>         'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)"
>         and later, when I try to use the tunnel (and at that time dns
>         is working), resolving is working...
>
>         and everything is OK so....
>
>         Even if dns is NOT available at startup, stunnel 504 is able
>         to resolve "later" the remote server hostname.
>
>
>
>         2014.09.23 19:23:17 LOG7[2612]: No limit detected for the
>         number of clients
>         2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on
>         x86-pc-msvc-1500 platform
>         2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL
>         1.0.1i-fips 6 Aug 2014
>         2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32
>         Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
>         2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
>         2014.09.23 19:23:17 LOG5[2612]: Reading configuration from
>         file stunnel.conf
>         2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
>         2014.09.23 19:23:17 LOG7[2612]: Compression disabled
>         2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from
>         C:/.rnd
>         2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to
>         C:/.rnd
>         2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
>         2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
>
>         2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ':
>         Neither nodename nor servname known (EAI_NONAME)
>
>         2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target
>         - delaying DNS lookup/(COMMENT : stunnel is a good fellow !)/
>
>         2014.09.23 19:23:17 LOG6[2612]: Loading cert from file:
>         C:\Users\standard\Documents\Perso\SSL\johndoe.crt
>         2014.09.23 19:23:18 LOG6[2612]: Loading key from file:
>         C:\Users\standard\Documents\Perso\SSL\johndoe.uky
>         2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
>         2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
>         2014.09.23 19:23:18 LOG5[2612]: Configuration successful
>         2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound
>         to 127.0.0.1:81
>         2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted
>         (FD=208) from 127.0.0.1:49164
>         2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
>         2014.09.23 19:24:32 LOG7[2612]: New thread created
>         2014.09.23 19:24:32 LOG7[588]: Service [https] started
>         2014.09.23 19:24:32 LOG5[588]: Service [https] accepted
>         connection from 127.0.0.1:49164
>         2014.09.23 19:24:32 LOG6[588]: s_connect: connecting
>         XXX.YYY.UUU.III:443
>         2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait
>         XXX.YYY.UUU.III:443: waiting 10 seconds
>         2014.09.23 19:24:32 LOG5[588]: s_connect: connected
>         XXX.YYY.UUU.III:443
>         2014.09.23 19:24:32 LOG5[588]: Service [https] connected
>         remote server from 192.168.3.220:49165
>         2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
>         2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect):
>         before/connect initialization
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3
>         write client hello A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
>         server hello A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
>         server certificate A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
>         server certificate request A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
>         server done A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>         write client certificate A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>         write client key exchange A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>         write certificate verify A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>         write change cipher spec A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>         write finished A
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>         flush data
>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
>         finished A
>
>         So I am sorry to say that I cannot reproduce that bug.
>
>         Anyway there are many services, on a heavy loaded machine,
>         that can slow down the service startup or interfere with file
>         management :
>
>         Antivirus ? try to deactivate it.
>         Firewall : the same...
>         any other piece of software that is not absolutely necessary
>         at boot time.
>
>         Plus : Even if you don't use hostnames in conf file I suggest
>         that you try "dnscache" dependency anyway:
>         because you probably have hostnames in your certificates.
>
>         Regards
>         Pierre
>
>
>
>         On 23/09/2014 18:05, John Smith wrote:
>>         Network: Ethernet
>>         Multiple routers: No
>>         Firewall: No
>>         Delay: Yes, Automatic (Delayed Start) works like a charm.
>>         Capi engine: Yes tried turning it off
>>         32 bit or 64 bit: 32bit running on 64 bit server. I don't see
>>         a 64 bit version on the download page?
>>         dnscache: Haven't tried it yet.
>>
>>
>>         - stunnel works fine on the server specifically with the
>>         service set to Automatic (Delayed Start). And I even tunnel
>>         properly to other machines so it's not firewalls or routers or
>>         network.
>>         - Only when it's NOT (Delayed Start) stunnel does not seem to
>>         start even though the service shows as started.
>>         - I managed to tunnel from my Desktop to the Server. I have
>>         not tried automatic service startup on Desktop because I
>>         don't have enough privileges. But trying to set up the
>>         server, since that's the machine that will have stunnel in
>>         production.
>>
>>
>>
>>
>>         On 23 September 2014 10:04, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>
>>             Have you tried to change the service dependency from
>>             "TCPIP" (the default in the code), to "dnscache" (ok,
>>             EVEN if you do not use hostname resolution),
>>             this is just to be sure that stunnel relies on something
>>             that is using tcpip as well.
>>
>>             question : what kind of network interface do you have :
>>
>>             wifi ?
>>             ethernet board ?
>>
>>             Are you traversing multiple routers ?
>>
>>             Are you using multiple firewalls ?
>>
>>             Have you tuned a delay as suggested a few days ago ?
>>
>>             Can you try without specifying "capi engine" ?
>>
>>             Are you using stunnel 32 bits or 64 bits : if 64, try the
>>             32 version as well.
>>
>>             I am reviewing the code and soon enter some test on
>>             w7-32bits.
>>
>>             Regards
>>             Pierre
>>
>>
>>
>>             On 23/09/2014 15:30, John Smith wrote:
>>>             I wish you were right but unfortunately it's running lol
>>>
>>>             On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>
>>>                 When you observe that log is empty and that "stunnel
>>>                 shows as started",
>>>                 do a CTRL ALT DEL to check if there is any process
>>>                 called "stunnel" that is really running...
>>>
>>>                 I have a doubt that, although scm says stunnel is
>>>                 running, in fact it is not.
>>>
>>>                 Regards
>>>                 Pierre
>>>
>>>                 On 22/09/2014 21:43, John Smith wrote:
>>>>                 Hi I used administrator account and defaults to
>>>>                 install. It is installed at Program Files (x86)
>>>>
>>>>                 The service is set to run as local system account
>>>>                 and interact with desktop is checked.
>>>>
>>>>                 Once the machine is booted... Login open service
>>>>                 control panel, stunnel shows as started. Go look at
>>>>                 logs nothing there... In service control panel hit
>>>>                 the restart button. And it comes up properly.
>>>>
>>>>                 My config is as follows:
>>>>
>>>>                 ; Debugging stuff (may useful for troubleshooting)
>>>>                 ;debug = 7
>>>>                 output = stunnel.log
>>>>
>>>>                 ; Initialize Microsoft CryptoAPI interface
>>>>                 engine = capi
>>>>                 ; Also needs "engineID = capi" in each section
>>>>                 using the CAPI engine
>>>>
>>>>                 [es-tcp]
>>>>                 accept = ${SERVER_IP}:9300
>>>>                 connect = 127.0.0.1:9300
>>>>                 cert = ....
>>>>                 CAfile = ....
>>>>                 verify = 2
>>>>
>>>>                 [es-http]
>>>>                 accept = ${SERVER_IP}:9200
>>>>                 connect = 127.0.0.1:9200
>>>>                 cert = ....
>>>>                 CAfile = ....
>>>>                 verify = 2
>>>>
>>>>                 [es-disc-local]
>>>>                 client = yes
>>>>                 accept = 127.0.0.1:9700
>>>>                 connect = ${SERVER_IP}:9300
>>>>                 cert = ....
>>>>
>>>>
>>>>
>>>>                 On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>>
>>>>                     Hello,
>>>>                     I can tell my patch was addressing read file
>>>>                     error on conf file,
>>>>                     but, unfortunately, not at all "dependencies of
>>>>                     stunnel service at start up",
>>>>                     which is likely to be the core pb preventing
>>>>                     stunnel to start correctly at boot time for
>>>>                     people on that thread.
>>>>
>>>>                     Michal added explicit dependencies at startup,
>>>>                     that is necessary to solve that bug. I did not
>>>>                     check yet its implementation.
>>>>
>>>>                     But maybe some services, although started, are
>>>>                     still "not ready" when stunnel starts, so that
>>>>                     this makes stunnel fail.
>>>>
>>>>                     I suggest that stunnel checks, not only the
>>>>                     availability, but also the "efficiency" of the
>>>>                     DNS service by trying to resolve a well known
>>>>                     server.
>>>>                     it should retry during, eg, 3 seconds, and then
>>>>                     stops with some reports if failing to resolve
>>>>                     the hostname,
>>>>                     either by lack of network, or by lack of answer
>>>>                     from the name resolver.
>>>>                     But...it seems that when having problems at
>>>>                     startup, it cannot even log anything....maybe
>>>>                     this is due to the identity of "system user" of
>>>>                     stunnel at that particular moment: user that
>>>>                     may have no right to write on the HD.
>>>>
>>>>                     People should check also the installation
>>>>                     location of stunnel : it is supposed (and have
>>>>                     predefined shortcuts for that) to be installed
>>>>                     PREFERABLY in "c:\program files\stunnel".
>>>>                     I recommend to use that location.
>>>>
>>>>                     They also should try to resolve by hand the
>>>>                     hostnames they put in their stunnel conf file,
>>>>                     just to be sure.
>>>>
>>>>                     On some network or machines, maybe there is a
>>>>                     problem with the firewall and SOME services
>>>>                     tunneled by stunnel on forbidden ports.
>>>>
>>>>                     On another hand, it sounds strange that just
>>>>                     restarting stunnel (in user mode or service
>>>>                     mode ?) is solving the problem :
>>>>                     this sounds like unavailability of DNS at startup.
>>>>
>>>>                     I did not investigate that particular problem,
>>>>                     but I will perform some tests soon with the
>>>>                     last 504 (or 505).
>>>>
>>>>                     Yours sincerely
>>>>                     Pierre
>>>>
>>>>
>>>>
>>>>                     On 22/09/2014 19:20, 541401 at gmail.com wrote:
>>>>>                     Using Stunnel on several Windows Server 2008
>>>>>                     R2 SP1 machines (all such machines are X64 as
>>>>>                     the OS is only released as X64).
>>>>>
>>>>>                     During August of 2014 I reported in this forum
>>>>>                     the current version of Stunnel would not
>>>>>                     function as a service under the above OS, even
>>>>>                     if using a delayed start, it might run but it
>>>>>                     would not work.  I reverted to using version
>>>>>                     4.35, which did work properly.
>>>>>
>>>>>                     Pierre Delaage was kind enough to provide me
>>>>>                     with a copy of his patched Stunnel 5.02, which
>>>>>                     I am still using and which is working
>>>>>                     flawlessly on my production servers.  No
>>>>>                     delayed start required.
>>>>>
>>>>>                     I am wondering if Pierre's 5.02 patch has been
>>>>>                     incorporated into the most recently released
>>>>>                     Stunnel, 5.04?  Has anyone been successful in
>>>>>                     getting the most current version to actually
>>>>>                     work under the above environment without
>>>>>                     delaying the start of the service?
>>>>>
>>>>>                     Just to add a little color and background to
>>>>>                     the story, I am using the native WS2008R2SP1
>>>>>                     SMTP server on each machine, in conjunction
>>>>>                     with Stunnel, so as to forward OS event
>>>>>                     notifications through a gmail account.
>>>>>
>>>>>
>>>>>
>>>>>                     On 09.22.2014 06:54, John Smith wrote:
>>>>>>                     I tried 5.04. on Windows Server 2008 R2
>>>>>>                     Enterprise Service Pack 1 x64
>>>>>>
>>>>>>
>>>>>>                     Same issue. Service shows as started, but no
>>>>>>                     log. If I go manual restart it works.
>>>>>>
>>>>>>                     Have to put delayed startup.
>>>>>>
>>>>>>                     On 18 September 2014 16:15, John Smith
>>>>>>                     <java.dev.mtl at gmail.com> wrote:
>>>>>>
>>>>>>                         For now I'm happy with 5.03. Already in
>>>>>>                         production so I will have to wait next
>>>>>>                         time! :)
>>>>>>
>>>>>>                         On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
>>>>>>
>>>>>>                             Jose Alf. wrote:
>>>>>>                             > Regarding stunnel service
>>>>>>                             dependencies, If you read the 5.04 beta
>>>>>>                             > announcement, the dependency is
>>>>>>                             created automatically now when you
>>>>>>                             > install stunnel as a service.
>>>>>>                             Please give it a try. Looks like it
>>>>>>                             > works for me.
>>>>>>                             >
>>>>>>                             > Thanks to Mike for implementing that.
>>>>>>
>>>>>>                             Thank you for testing it.
>>>>>>
>>>>>>                             Best regards,
>>>>>>                                     Mike
>>>>>>                             _______________________________________________
>>>>>>                             stunnel-users mailing list
>>>>>>                             stunnel-users at stunnel.org
>>>>>>                             https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

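The checks the thread asks an affected user to perform, collected into one added PowerShell diagnostic (this is not stunnel project code and was not posted by anyone in the thread): whether the service depends on Dnscache rather than only Tcpip, whether it is set to Automatic (Delayed Start), whether a stunnel.exe process really exists when the Service Control Manager reports Running, and whether the log shows the deferred DNS resolution from Pierre's log excerpt. It assumes the service is registered as "stunnel" and logs to stunnel.log under Program Files (x86); both are parameters, and the optional -Fix switch needs an elevated shell.

```powershell
# Added diagnostic for the thread above; not stunnel project code. Assumes the
# Windows service is registered as "stunnel" and writes stunnel.log next to the
# executable under Program Files (x86); both are parameters.
param(
    [string]$ServiceName = 'stunnel',
    [string]$LogPath = 'C:\Program Files (x86)\stunnel\stunnel.log',
    [switch]$Fix   # rewrite the dependency list to Tcpip + Dnscache (needs admin)
)

$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $regKey)) { throw "Service '$ServiceName' is not registered" }
$cfg = Get-ItemProperty -Path $regKey

# 1. Start type: Start=2 is Automatic; DelayedAutostart=1 makes it "Automatic (Delayed Start)"
$delayed = ($cfg.DelayedAutostart -eq 1)
"Start value: $($cfg.Start)  Delayed start: $delayed"
if (-not $delayed) {
    "NOTE: the workaround reported in the thread is: sc.exe config $ServiceName start= delayed-auto"
}

# 2. Dependencies: the thread's suggestion is to depend on Dnscache, not only Tcpip
$deps = @($cfg.DependOnService)
"Depends on: $($deps -join ', ')"
if ($deps -notcontains 'Dnscache') {
    "WARNING: no Dnscache dependency; stunnel may start before the DNS client is ready"
    if ($Fix) {
        # sc.exe takes the list separated by '/' with a space after 'depend='
        & sc.exe config $ServiceName depend= Tcpip/Dnscache | Out-Null
        "Dependency list set to Tcpip/Dnscache (effective at next service start)"
    }
}

# 3. SCM state versus a real process: "shows as started" may not mean stunnel.exe is running
$svc = Get-Service -Name $ServiceName
$procs = @(Get-Process -Name 'stunnel' -ErrorAction SilentlyContinue)
"SCM state: $($svc.Status)  stunnel.exe processes: $($procs.Count)"
if ($svc.Status -eq 'Running' -and $procs.Count -eq 0) {
    "WARNING: SCM reports Running but no stunnel.exe process exists"
}

# 4. Log file: missing or empty after boot points at write rights or a start that never ran;
#    'Error resolving' / 'delaying DNS lookup' lines show DNS was not ready when stunnel started
if (-not (Test-Path $LogPath)) {
    "WARNING: log file '$LogPath' not found (service account may lack write rights)"
} else {
    $lines = @(Get-Content -Path $LogPath)
    if ($lines.Count -eq 0) { "WARNING: log file is empty" }
    $lines | Select-String -SimpleMatch -Pattern 'Error resolving', 'delaying DNS lookup' |
        ForEach-Object { "DNS at startup: $($_.Line)" }
}
```

Run it once right after a reboot (before restarting the service by hand) so the process and log checks reflect the failing boot-time start rather than the manual restart.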