[stunnel-users] Stunnel as windows service doesn't start on restart.
541401 at gmail.com
Wed Sep 24 17:59:09 CEST 2014
Ask Pierre for a copy of his patched 5.02, I bet that will solve your
problem.
On 09.24.2014 08:51, John Smith wrote:
> Anyways I don't know what to say. But adding dnscache as dependency
> didn't do anything either. Same issue: service on bootup shows as
> started but no logs. Restarting it through Service Control Manager works.
>
> Automatic (Delayed Start) at least for me works fine. I'll continue
> working with that for now...
>
> On 23 September 2014 14:27, John Smith <java.dev.mtl at gmail.com> wrote:
>
> Ok when I have a chance I will try dnscache
>
> On 23 September 2014 14:05, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>
> Sorry to tell but...
>
> On a windows 7 home machine, with a HOSTNAME in the stunnel
> conf, NO DELAY at service startup :
> I can start the service, then reboot,
> then, at first, my log file is saying ": Error resolving
> 'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)"
> and later, when I try to use the tunnel (and at that time dns
> is working), resolving is working...
>
> and everything is OK so....
>
> Even if dns is NOT available at startup, stunnel 504 is able
> to resolve "later" the remote server hostname.
>
>
>
> 2014.09.23 19:23:17 LOG7[2612]: No limit detected for the
> number of clients
> 2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on
> x86-pc-msvc-1500 platform
> 2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL
> 1.0.1i-fips 6 Aug 2014
> 2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32
> Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
> 2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
> 2014.09.23 19:23:17 LOG5[2612]: Reading configuration from
> file stunnel.conf
> 2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
> 2014.09.23 19:23:17 LOG7[2612]: Compression disabled
> 2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from
> C:/.rnd
> 2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes to
> C:/.rnd
> 2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
> 2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
>
> 2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ':
> Neither nodename nor servname known (EAI_NONAME)
>
> 2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target
> - delaying DNS lookup (COMMENT: stunnel is a good fellow!)
>
> 2014.09.23 19:23:17 LOG6[2612]: Loading cert from file:
> C:\Users\standard\Documents\Perso\SSL\johndoe.crt
> 2014.09.23 19:23:18 LOG6[2612]: Loading key from file:
> C:\Users\standard\Documents\Perso\SSL\johndoe.uky
> 2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
> 2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
> 2014.09.23 19:23:18 LOG5[2612]: Configuration successful
> 2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348) bound
> to 127.0.0.1:81
> 2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted
> (FD=208) from 127.0.0.1:49164
> 2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
> 2014.09.23 19:24:32 LOG7[2612]: New thread created
> 2014.09.23 19:24:32 LOG7[588]: Service [https] started
> 2014.09.23 19:24:32 LOG5[588]: Service [https] accepted
> connection from 127.0.0.1:49164
> 2014.09.23 19:24:32 LOG6[588]: s_connect: connecting
> XXX.YYY.UUU.III:443
> 2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait
> XXX.YYY.UUU.III:443: waiting 10 seconds
> 2014.09.23 19:24:32 LOG5[588]: s_connect: connected
> XXX.YYY.UUU.III:443
> 2014.09.23 19:24:32 LOG5[588]: Service [https] connected
> remote server from 192.168.3.220:49165
> 2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
> 2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect):
> before/connect initialization
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3
> write client hello A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
> server hello A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
> server certificate A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
> server certificate request A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
> server done A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
> write client certificate A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
> write client key exchange A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
> write certificate verify A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
> write change cipher spec A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
> write finished A
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
> flush data
> 2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3 read
> finished A
>
> So I am sorry to say that I cannot reproduce that bug.
>
> Anyway there are many services, on a heavy loaded machine,
> that can slow down the service startup or interfere with file
> management :
>
> Antivirus ? try to deactivate it.
> Firewall : the same...
> any other piece of software that is not absolutely necessary
> at boot time.
>
> Plus : Even if you don't use hostnames in conf file I suggest
> that you try "dnscache" dependency anyway:
> because you probably have hostnames in your certificates.
>
> Regards
> Pierre
>
>
>
> On 23/09/2014 18:05, John Smith wrote:
>> Network: Ethernet
>> Multiple routers: No
>> Firewall: No
>> Delay: Yes, Automatic (Delayed Start) works like a charm.
>> Capi engine: Yes tried turning it off
>> 32 bit or 64 bit: 32bit running on 64 bit server. I don't see
>> a 64 bit version on the download page?
>> dnscache: Haven't tried it yet.
>>
>>
>> - stunnel works fine on the server specifically with the
>> service set to Automatic (Delayed Start). And I even tunnel
>> properly to other machines so it's not firewalls or routers or
>> network.
>> - Only when it's NOT (Delayed Start) stunnel does not seem to
>> start even though the service shows as started.
>> - I managed to tunnel from my Desktop to the Server. I have
>> not tried automatic service startup on Desktop because I
>> don't have enough privileges. But trying to set up the
>> server, since that's the machine that will have stunnel in
>> production.
>>
>>
>>
>>
>> On 23 September 2014 10:04, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>
>> Have you tried to change the service dependency from
>> "TCPIP" (the default in the code), to "dnscache" (ok,
>> EVEN if you do not use hostname resolution),
>> this is just to be sure that stunnel relies on something
>> that is using tcpip as well.
>>
>> question : what kind of network interface do you have :
>>
>> wifi ?
>> ethernet board ?
>>
>> Are you traversing multiple routers ?
>>
>> Are you using multiple firewalls ?
>>
>> Have you tuned a delay as suggested a few days ago ?
>>
>> Can you try without specifying "capi engine" ?
>>
>> Are you using stunnel 32 bits or 64 bits : if 64, try the
>> 32 version as well.
>>
>> I am reviewing the code and soon enter some test on
>> w7-32bits.
>>
>> Regards
>> Pierre
>>
>>
>>
>> On 23/09/2014 15:30, John Smith wrote:
>>> I wish you were right but unfortunately it's running lol
>>>
>>> On 22 September 2014 18:24, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>
>>> When you observe that log is empty and that "stunnel
>>> shows as started",
>>> do a CTRL ALT DEL to check if there is any process
>>> called "stunnel" that is really running...
>>>
>>> I have a doubt that, although scm says stunnel is
>>> running, in fact it is not.
>>>
>>> Regards
>>> Pierre
>>>
>>> On 22/09/2014 21:43, John Smith wrote:
>>>> Hi I used administrator account and defaults to
>>>> install. It is installed at Program Files (x86)
>>>>
>>>> The service is set to run as local system account
>>>> and interact with desktop is checked.
>>>>
>>>> Once the machine is booted... Log in, open service
>>>> control panel, stunnel shows as started. Go look at
>>>> logs: nothing there... In service control panel hit
>>>> the restart button, and it comes up properly.
>>>>
>>>> My config is as follows:
>>>>
>>>> ; Debugging stuff (may be useful for troubleshooting)
>>>> ;debug = 7
>>>> output = stunnel.log
>>>>
>>>> ; Initialize Microsoft CryptoAPI interface
>>>> engine = capi
>>>> ; Also needs "engineID = capi" in each section using the CAPI engine
>>>>
>>>> [es-tcp]
>>>> accept = ${SERVER_IP}:9300
>>>> connect = 127.0.0.1:9300
>>>> cert = ....
>>>> CAfile = ....
>>>> verify = 2
>>>>
>>>> [es-http]
>>>> accept = ${SERVER_IP}:9200
>>>> connect = 127.0.0.1:9200
>>>> cert = ....
>>>> CAfile = ....
>>>> verify = 2
>>>>
>>>> [es-disc-local]
>>>> client = yes
>>>> accept = 127.0.0.1:9700
>>>> connect = ${SERVER_IP}:9300
>>>> cert = ....
>>>>
>>>>
>>>>
>>>> On 22 September 2014 14:30, Pierre DELAAGE <delaage.pierre at free.fr> wrote:
>>>>
>>>> Hello,
>>>> I can tell my patch was addressing read file
>>>> error on conf file,
>>>> but, unfortunately, not at all "dependencies of
>>>> stunnel service at start up",
>>>> which is likely to be the core problem preventing
>>>> stunnel from starting correctly at boot time for
>>>> people on that thread.
>>>>
>>>> Michal added explicit dependencies at startup,
>>>> that is necessary to solve that bug. I did not
>>>> check yet its implementation.
>>>>
>>>> But maybe some services, although started, are
>>>> still "not ready" when stunnel starts, so that
>>>> this makes stunnel fail.
>>>>
>>>> I suggest that stunnel checks, not only the
>>>> availability, but also the "efficiency" of the
>>>> DNS service by trying to resolve a well known
>>>> server.
>>>> It should retry during, e.g., 3 seconds, and then
>>>> stop with some reports if failing to resolve
>>>> the hostname,
>>>> either by lack of network, or by lack of answer
>>>> from the name resolver.
>>>> But...it seems that when having problems at
>>>> startup, it cannot even log anything....maybe
>>>> this is due to the identity of "system user" of
>>>> stunnel at that particular moment: user that
>>>> may have no right to write on the HD.
>>>>
>>>> People should check also the installation
>>>> location of stunnel: it is supposed (and has
>>>> predefined shortcuts for that) to be installed
>>>> PREFERABLY in "c:\program files\stunnel".
>>>> I recommend using that location.
>>>>
>>>> They also should try to resolve by hand the
>>>> hostnames they put in their stunnel conf file,
>>>> just to be sure.
>>>>
>>>> On some network or machines, maybe there is a
>>>> problem with the firewall and SOME services
>>>> tunneled by stunnel on forbidden ports.
>>>>
>>>> On another hand, it sounds strange that just
>>>> restarting stunnel (in user mode or service
>>>> mode ?) is solving the problem :
>>>> this sounds like unavailability of DNS at startup.
>>>>
>>>> I did not investigate that particular problem,
>>>> but I will perform some tests soon with the
>>>> last 504 (or 505).
>>>>
>>>> Yours sincerely
>>>> Pierre
>>>>
>>>>
>>>>
>>>> On 22/09/2014 19:20, 541401 at gmail.com wrote:
>>>>> Using Stunnel on several Windows Server 2008
>>>>> R2 SP1 machines (all such machines are X64 as
>>>>> the OS is only released as X64).
>>>>>
>>>>> During August of 2014 I reported in this forum
>>>>> the current version of Stunnel would not
>>>>> function as a service under the above OS, even
>>>>> if using a delayed start, it might run but it
>>>>> would not work. I reverted to using version
>>>>> 4.35, which did work properly.
>>>>>
>>>>> Pierre Delaage was kind enough to provide me
>>>>> with a copy of his patched Stunnel 5.02, which
>>>>> I am still using and which is working
>>>>> flawlessly on my production servers. No
>>>>> delayed start required.
>>>>>
>>>>> I am wondering if Pierre's 5.02 patch has been
>>>>> incorporated into the most recently released
>>>>> Stunnel, 5.04? Has anyone been successful in
>>>>> getting the most current version to actually
>>>>> work under the above environment without
>>>>> delaying the start of the service?
>>>>>
>>>>> Just to add a little color and background to
>>>>> the story, I am using the native WS2008R2SP1
>>>>> SMTP server on each machine, in conjunction
>>>>> with Stunnel, so as to forward OS event
>>>>> notifications through a gmail account.
>>>>>
>>>>>
>>>>>
>>>>> On 09.22.2014 06:54, John Smith wrote:
>>>>>> I tried 5.04 on Windows Server 2008 R2
>>>>>> Enterprise Service Pack 1 x64
>>>>>>
>>>>>>
>>>>>> Same issue. Service shows as started, but no
>>>>>> log. If I go manual restart it works.
>>>>>>
>>>>>> Have to put delayed startup.
>>>>>>
>>>>>> On 18 September 2014 16:15, John Smith <java.dev.mtl at gmail.com> wrote:
>>>>>>
>>>>>> For now I'm happy with 5.03. Already in
>>>>>> production so I will have to wait for next
>>>>>> time! :)
>>>>>>
>>>>>> On 17 September 2014 17:10, Michal Trojnara <Michal.Trojnara at mirt.net> wrote:
>>>>>>
>>>>>> Jose Alf. wrote:
>>>>>> > Regarding stunnel service dependencies, if you read the 5.04 beta
>>>>>> > announcement, the dependency is created automatically now when you
>>>>>> > install stunnel as a service. Please give it a try. Looks like it
>>>>>> > works for me.
>>>>>> >
>>>>>> > Thanks to Mike for implementing that.
>>>>>>
>>>>>> Thank you for testing it.
>>>>>>
>>>>>> Best regards,
>>>>>> Mike
>>>>>> _______________________________________________
>>>>>> stunnel-users mailing list
>>>>>> stunnel-users at stunnel.org
>>>>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
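The checks traded in this thread, scripted: whether a process really exists behind the "Running" entry, whether the log was written since boot, the state of the Dnscache service, and the sc.exe commands for delayed start and the Dnscache dependency. This is an added example, not code from the thread or from the stunnel project; it assumes the service is registered as 'stunnel' and that the log sits next to stunnel.conf in the 32-bit install directory named in the thread.

```powershell
# Added example (not from the thread or the stunnel project). Triage a Windows
# stunnel service that the Service Control Manager reports as Running while
# nothing reaches the log. Assumptions: service name 'stunnel', log path under
# the 32-bit install directory; adjust both. Run from an elevated prompt.
$ServiceName = 'stunnel'
$LogPath     = 'C:\Program Files (x86)\stunnel\stunnel.log'
$Apply       = $false   # set to $true to apply the sc.exe changes at the end

# 1. What the SCM believes: state, start mode, host PID, declared dependencies.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }
'{0}: State={1} StartMode={2} PID={3}' -f $svc.Name, $svc.State, $svc.StartMode, $svc.ProcessId
'Depends on: ' + ((Get-Service -Name $ServiceName).ServicesDependedOn.Name -join ', ')

# 2. The CTRL-ALT-DEL check from the thread, scripted: is there a live process
#    behind the Running entry? If not, the host exited after reporting itself
#    started, which is exactly the "started but no logs" symptom.
$alive = $svc.State -eq 'Running' -and $svc.ProcessId -ne 0 -and
         (Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue)
if ($alive) { "Process $($svc.ProcessId) is alive." }
else        { 'No live process behind the service entry: stunnel is not running.' }

# 3. Was the log written since the last boot? A log older than the boot time
#    means the service never reached its first log line on this boot, which
#    points at an early failure (DNS, file access) rather than a tunnel problem.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
if (Test-Path -LiteralPath $LogPath) {
    $written = (Get-Item -LiteralPath $LogPath).LastWriteTime
    if ($written -lt $boot) { "Log last written $written, before boot at $boot." }
    else                    { "Log written after boot ($written)." }
} else { "No log file at $LogPath (check write permission for the service account)." }

# 4. Is the DNS Client service (Dnscache) up? Tcpip is a kernel driver, so it
#    does not appear in Get-Service; Dnscache is the extra dependency proposed.
Get-Service -Name Dnscache | Select-Object Name, Status, StartType

# 5. Remediation discussed in the thread: delayed automatic start is the
#    workaround that worked; adding Dnscache to the dependencies (Tcpip is
#    the default) makes the SCM wait for the DNS Client before starting stunnel.
#    sc.exe requires the space after '='; changes apply on the next start.
if ($Apply) {
    sc.exe config $ServiceName start= delayed-auto
    sc.exe config $ServiceName depend= Tcpip/Dnscache
    sc.exe qc $ServiceName
}
```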