[stunnel-users] Stunnel as windows service doesn't start on restart.

Pierre DELAAGE delaage.pierre at free.fr
Wed Sep 24 18:22:52 CEST 2014


Dear all,
I will send it to John, but I do not think it will solve this
particular issue.

Anyway, let's try and see.

Regards
Pierre

On 24/09/2014 17:59, 541401 at gmail.com wrote:
> Ask Pierre for a copy of his patched 5.02, I bet that will solve your 
> problem.
>
>
>
> On 09.24.2014 08:51, John Smith wrote:
>> Anyway, I don't know what to say. But adding dnscache as a dependency
>> didn't do anything either. Same issue: on bootup the service shows as
>> started but there are no logs. Restarting it through Service Control Manager
>> works.
>>
>> Automatic (Delayed Start), at least for me, works fine. I'll continue
>> working with that for now...
>>
>> On 23 September 2014 14:27, John Smith <java.dev.mtl at gmail.com 
>> <mailto:java.dev.mtl at gmail.com>> wrote:
>>
>>     Ok when I have a chance I will try dnscache
>>
>>     On 23 September 2014 14:05, Pierre DELAAGE
>>     <delaage.pierre at free.fr <mailto:delaage.pierre at free.fr>> wrote:
>>
>>         Sorry to tell but...
>>
>>         On a Windows 7 Home machine, with a HOSTNAME in the stunnel
>>         conf, NO DELAY at service startup:
>>         I can start the service, then reboot,
>>         then, at first, my log file says ": Error resolving
>>         'HOSTNAME ': Neither nodename nor servname known (EAI_NONAME)"
>>         and later, when I try to use the tunnel (and at that time DNS
>>         is working), resolving works...
>>
>>         and everything is OK so....
>>
>>         Even if DNS is NOT available at startup, stunnel 504 is able
>>         to resolve the remote server hostname "later".
>>
>>
>>
>>         2014.09.23 19:23:17 LOG7[2612]: No limit detected for the
>>         number of clients
>>         2014.09.23 19:23:17 LOG5[2612]: stunnel 5.04 on
>>         x86-pc-msvc-1500 platform
>>         2014.09.23 19:23:17 LOG5[2612]: Compiled/running with OpenSSL
>>         1.0.1i-fips 6 Aug 2014
>>         2014.09.23 19:23:17 LOG5[2612]: Threading:WIN32
>>         Sockets:SELECT,IPv6 SSL:ENGINE,OCSP,FIPS
>>         2014.09.23 19:23:17 LOG7[2612]: errno: (*_errno())
>>         2014.09.23 19:23:17 LOG5[2612]: Reading configuration from
>>         file stunnel.conf
>>         2014.09.23 19:23:17 LOG5[2612]: FIPS mode disabled
>>         2014.09.23 19:23:17 LOG7[2612]: Compression disabled
>>         2014.09.23 19:23:17 LOG7[2612]: Snagged 64 random bytes from
>>         C:/.rnd
>>         2014.09.23 19:23:17 LOG7[2612]: Wrote 1024 new random bytes
>>         to C:/.rnd
>>         2014.09.23 19:23:17 LOG7[2612]: PRNG seeded successfully
>>         2014.09.23 19:23:17 LOG6[2612]: Initializing service [https]
>>
>>         2014.09.23 19:23:17 LOG3[2612]: Error resolving 'HOSTNAME ':
>>         Neither nodename nor servname known (EAI_NONAME)
>>
>>         2014.09.23 19:23:17 LOG6[2612]: Cannot resolve connect target
>>         - delaying DNS lookup/(COMMENT : stunnel is a good fellow !)/
>>
>>         2014.09.23 19:23:17 LOG6[2612]: Loading cert from file:
>>         C:\Users\standard\Documents\Perso\SSL\johndoe.crt
>>         2014.09.23 19:23:18 LOG6[2612]: Loading key from file:
>>         C:\Users\standard\Documents\Perso\SSL\johndoe.uky
>>         2014.09.23 19:23:18 LOG7[2612]: Private key check succeeded
>>         2014.09.23 19:23:18 LOG7[2612]: SSL options set: 0x00000004
>>         2014.09.23 19:23:18 LOG5[2612]: Configuration successful
>>         2014.09.23 19:23:18 LOG7[2612]: Service [https] (FD=348)
>>         bound to 127.0.0.1:81
>>         2014.09.23 19:24:32 LOG7[2612]: Service [https] accepted
>>         (FD=208) from 127.0.0.1:49164
>>         2014.09.23 19:24:32 LOG7[2612]: Creating a new thread
>>         2014.09.23 19:24:32 LOG7[2612]: New thread created
>>         2014.09.23 19:24:32 LOG7[588]: Service [https] started
>>         2014.09.23 19:24:32 LOG5[588]: Service [https] accepted
>>         connection from 127.0.0.1:49164
>>         2014.09.23 19:24:32 LOG6[588]: s_connect: connecting
>>         XXX.YYY.UUU.III:443
>>         2014.09.23 19:24:32 LOG7[588]: s_connect: s_poll_wait
>>         XXX.YYY.UUU.III:443: waiting 10 seconds
>>         2014.09.23 19:24:32 LOG5[588]: s_connect: connected
>>         XXX.YYY.UUU.III:443
>>         2014.09.23 19:24:32 LOG5[588]: Service [https] connected
>>         remote server from 192.168.3.220:49165
>>         2014.09.23 19:24:32 LOG7[588]: Remote socket (FD=388) initialized
>>         2014.09.23 19:24:32 LOG6[588]: SNI: sending servername: HOSTNAME
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect):
>>         before/connect initialization
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv2/v3
>>         write client hello A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         read server hello A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         read server certificate A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         read server certificate request A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         read server done A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         write client certificate A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         write client key exchange A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         write certificate verify A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         write change cipher spec A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         write finished A
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         flush data
>>         2014.09.23 19:24:32 LOG7[588]: SSL state (connect): SSLv3
>>         read finished A
>>
>>         So I am sorry to say that I cannot reproduce that bug.
>>
>>         Anyway there are many services, on a heavily loaded machine,
>>         that can slow down the service startup or interfere with file
>>         management:
>>
>>         Antivirus? Try to deactivate it.
>>         Firewall: the same...
>>         Any other piece of software that is not absolutely necessary
>>         at boot time.
>>
>>         Plus: even if you don't use hostnames in the conf file, I suggest
>>         that you try the "dnscache" dependency anyway,
>>         because you probably have hostnames in your certificates.
>>
>>         Regards
>>         Pierre
>>
>>
>>
>>         On 23/09/2014 18:05, John Smith wrote:
>>>         Network: Ethernet
>>>         Multiple routers: No
>>>         Firewall: No
>>>         Delay: Yes, Automatic (Delayed Start) works like a charm.
>>>         Capi engine: Yes, tried turning it off
>>>         32 bit or 64 bit: 32bit running on 64 bit server. I don't
>>>         see a 64 bit version on the download page?
>>>         dnscache: Haven't tried it yet.
>>>
>>>
>>>         - stunnel works fine on the server specifically with the
>>>         service set to Automatic (Delayed Start). And I even tunnel
>>>         properly to other machines, so it's not firewalls or routers or
>>>         network.
>>>         - Only when it's NOT (Delayed Start) does stunnel not seem
>>>         to start, even though the service shows as started.
>>>         - I managed to tunnel from my Desktop to the Server. I have
>>>         not tried automatic service startup on the Desktop because I
>>>         don't have enough privileges. But I'm trying to set up the
>>>         server, since that's the machine that will have stunnel in
>>>         production.
>>>
>>>
>>>
>>>
>>>         On 23 September 2014 10:04, Pierre DELAAGE
>>>         <delaage.pierre at free.fr <mailto:delaage.pierre at free.fr>> wrote:
>>>
>>>             Have you tried to change the service dependency from
>>>             "TCPIP" (the default in the code) to "dnscache" (ok,
>>>             EVEN if you do not use hostname resolution)?
>>>             This is just to be sure that stunnel relies on something
>>>             that is using tcpip as well.
>>>
>>>             Question: what kind of network interface do you have:
>>>
>>>             wifi?
>>>             ethernet board?
>>>
>>>             Are you traversing multiple routers?
>>>
>>>             Are you using multiple firewalls?
>>>
>>>             Have you tuned a delay as suggested a few days ago?
>>>
>>>             Can you try without specifying "capi engine"?
>>>
>>>             Are you using stunnel 32 bits or 64 bits? If 64, try
>>>             the 32 version as well.
>>>
>>>             I am reviewing the code and will soon run some tests on
>>>             w7-32bits.
>>>
>>>             Regards
>>>             Pierre
>>>
>>>
>>>
>>>             On 23/09/2014 15:30, John Smith wrote:
>>>>             I wish you were right but unfortunately it's running lol
>>>>
>>>>             On 22 September 2014 18:24, Pierre DELAAGE
>>>>             <delaage.pierre at free.fr
>>>>             <mailto:delaage.pierre at free.fr>> wrote:
>>>>
>>>>                 When you observe that the log is empty and that
>>>>                 "stunnel shows as started",
>>>>                 do a CTRL ALT DEL to check if there is any process
>>>>                 called "stunnel" that is really running...
>>>>
>>>>                 I suspect that, although SCM says stunnel is
>>>>                 running, in fact it is not.
>>>>
>>>>                 Regards
>>>>                 Pierre
>>>>
>>>>                 On 22/09/2014 21:43, John Smith wrote:
>>>>>                 Hi, I used the administrator account and defaults to
>>>>>                 install. It is installed at Program Files (x86).
>>>>>
>>>>>                 The service is set to run as the local system account
>>>>>                 and "interact with desktop" is checked.
>>>>>
>>>>>                 Once the machine is booted... Log in, open the service
>>>>>                 control panel, stunnel shows as started. Go look
>>>>>                 at the logs, nothing there... In the service control panel
>>>>>                 hit the restart button. And it comes up properly.
>>>>>
>>>>>                 My config is as follows:
>>>>>
>>>>>                 ; Debugging stuff (may be useful for troubleshooting)
>>>>>                 ;debug = 7
>>>>>                 output = stunnel.log
>>>>>
>>>>>                 ; Initialize Microsoft CryptoAPI interface
>>>>>                 engine = capi
>>>>>                 ; Also needs "engineID = capi" in each section using the CAPI engine
>>>>>
>>>>>                 [es-tcp]
>>>>>                 accept = ${SERVER_IP}:9300
>>>>>                 connect = 127.0.0.1:9300
>>>>>                 cert = ....
>>>>>                 CAfile = ....
>>>>>                 verify = 2
>>>>>
>>>>>                 [es-http]
>>>>>                 accept = ${SERVER_IP}:9200
>>>>>                 connect = 127.0.0.1:9200
>>>>>                 cert = ....
>>>>>                 CAfile = ....
>>>>>                 verify = 2
>>>>>
>>>>>                 [es-disc-local]
>>>>>                 client = yes
>>>>>                 accept = 127.0.0.1:9700
>>>>>                 connect = ${SERVER_IP}:9300
>>>>>                 cert = ....
>>>>>
>>>>>
>>>>>
>>>>>                 On 22 September 2014 14:30, Pierre DELAAGE
>>>>>                 <delaage.pierre at free.fr
>>>>>                 <mailto:delaage.pierre at free.fr>> wrote:
>>>>>
>>>>>                     Hello,
>>>>>                     I can tell my patch was addressing the read file
>>>>>                     error on the conf file,
>>>>>                     but, unfortunately, not at all the "dependencies
>>>>>                     of stunnel service at start up",
>>>>>                     which is likely to be the core problem preventing
>>>>>                     stunnel from starting correctly at boot time for
>>>>>                     people on that thread.
>>>>>
>>>>>                     Michal added explicit dependencies at startup,
>>>>>                     which is necessary to solve that bug. I did not
>>>>>                     check its implementation yet.
>>>>>
>>>>>                     But maybe some services, although started, are
>>>>>                     still "not ready" when stunnel starts, so that
>>>>>                     this makes stunnel fail.
>>>>>
>>>>>                     I suggest that stunnel checks, not only the
>>>>>                     availability, but also the "efficiency" of the
>>>>>                     DNS service by trying to resolve a well known
>>>>>                     server.
>>>>>                     It should retry for, e.g., 3 seconds, and
>>>>>                     then stop with some report if it fails to
>>>>>                     resolve the hostname,
>>>>>                     either by lack of network, or by lack of
>>>>>                     answer from the name resolver.
>>>>>                     But... it seems that when having problems at
>>>>>                     startup, it cannot even log anything.... Maybe
>>>>>                     this is due to the identity of the "system user"
>>>>>                     of stunnel at that particular moment: a user
>>>>>                     that may have no right to write on the HD.
>>>>>
>>>>>                     People should also check the installation
>>>>>                     location of stunnel: it is supposed (and has
>>>>>                     predefined shortcuts for that) to be installed
>>>>>                     PREFERABLY in "c:\program files\stunnel".
>>>>>                     I recommend using that location.
>>>>>
>>>>>                     They should also try to resolve by hand the
>>>>>                     hostnames they put in their stunnel conf file,
>>>>>                     just to be sure.
>>>>>
>>>>>                     On some networks or machines, maybe there is a
>>>>>                     problem with the firewall and SOME services
>>>>>                     tunneled by stunnel on forbidden ports.
>>>>>
>>>>>                     On the other hand, it sounds strange that just
>>>>>                     restarting stunnel (in user mode or service
>>>>>                     mode?) solves the problem:
>>>>>                     this sounds like unavailability of DNS at startup.
>>>>>
>>>>>                     I did not investigate that particular problem,
>>>>>                     but I will perform some tests soon with the
>>>>>                     last 504 (or 505).
>>>>>
>>>>>                     Yours sincerely
>>>>>                     Pierre
>>>>>
>>>>>
>>>>>
>>>>>                     On 22/09/2014 19:20, 541401 at gmail.com
>>>>>                     <mailto:541401 at gmail.com> wrote:
>>>>>>                     Using Stunnel on several Windows Server 2008
>>>>>>                     R2 SP1 machines (all such machines are X64 as
>>>>>>                     the OS is only released as X64).
>>>>>>
>>>>>>                     During August of 2014 I reported in this
>>>>>>                     forum the current version of Stunnel would
>>>>>>                     not function as a service under the above OS,
>>>>>>                     even if using a delayed start, it might run
>>>>>>                     but it would not work.  I reverted to using
>>>>>>                     version 4.35, which did work properly.
>>>>>>
>>>>>>                     Pierre Delaage was kind enough to provide me
>>>>>>                     with a copy of his patched Stunnel 5.02,
>>>>>>                     which I am still using and which is working
>>>>>>                     flawlessly on my production servers.  No
>>>>>>                     delayed start required.
>>>>>>
>>>>>>                     I am wondering if Pierre's 5.02 patch has
>>>>>>                     been incorporated into the most recently
>>>>>>                     released Stunnel, 5.04?  Has anyone been
>>>>>>                     successful in getting the most current
>>>>>>                     version to actually work under the above
>>>>>>                     environment without delaying the start of the
>>>>>>                     service?
>>>>>>
>>>>>>                     Just to add a little color and background to
>>>>>>                     the story, I am using the native WS2008R2SP1
>>>>>>                     SMTP server on each machine, in conjunction
>>>>>>                     with Stunnel, so as to forward OS event
>>>>>>                     notifications through a gmail account.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     On 09.22.2014 06:54, John Smith wrote:
>>>>>>>                     I tried 5.04 on Windows Server 2008 R2
>>>>>>>                     Enterprise Service Pack 1 x64
>>>>>>>
>>>>>>>
>>>>>>>                     Same issue. Service shows as started, but no
>>>>>>>                     log. If I go manual restart it works.
>>>>>>>
>>>>>>>                     Have to put delayed startup.
>>>>>>>
>>>>>>>                     On 18 September 2014 16:15, John Smith
>>>>>>>                     <java.dev.mtl at gmail.com
>>>>>>>                     <mailto:java.dev.mtl at gmail.com>> wrote:
>>>>>>>
>>>>>>>                         For now I'm happy with 5.03. Already in
>>>>>>>                         production, so I will have to wait until next
>>>>>>>                         time! :)
>>>>>>>
>>>>>>>                         On 17 September 2014 17:10, Michal
>>>>>>>                         Trojnara <Michal.Trojnara at mirt.net
>>>>>>>                         <mailto:Michal.Trojnara at mirt.net>> wrote:
>>>>>>>
>>>>>>>                             -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>                             Hash: SHA1
>>>>>>>
>>>>>>>                             Jose Alf. wrote:
>>>>>>>                             > Regarding stunnel service dependencies, if you read the 5.04 beta
>>>>>>>                             > announcement, the dependency is created automatically now when you
>>>>>>>                             > install stunnel as a service. Please give it a try. Looks like it
>>>>>>>                             > works for me.
>>>>>>>                             >
>>>>>>>                             > Thanks to Mike for implementing that.
>>>>>>>
>>>>>>>                             Thank you for testing it.
>>>>>>>
>>>>>>>                             Best regards,
>>>>>>>                                     Mike
>>>>>>>                             -----BEGIN PGP SIGNATURE-----
>>>>>>>                             Version: GnuPG v1
>>>>>>>
>>>>>>>                             iEYEARECAAYFAlQZ+NsACgkQ/NU+nXTHMtGdAgCdFUQ6YWXDdE0g4ZNoys3DSR0Q
>>>>>>>                             yLoAnRgo4jKIzb93fzEZcV79eoAQLXMR
>>>>>>>                             =+xFQ
>>>>>>>                             -----END PGP SIGNATURE-----
>>>>>>>                             _______________________________________________
>>>>>>>                             stunnel-users mailing list
>>>>>>>                             stunnel-users at stunnel.org
>>>>>>>                             <mailto:stunnel-users at stunnel.org>
>>>>>>>                             https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
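The checks the thread walks through by hand, collected in one PowerShell script: whether a stunnel.exe process really exists behind the "Started" status Pierre asks John to verify, which dependencies and start type the Service Control Manager has recorded for the service, and whether every hostname in a `connect =` line resolves, retried for a few seconds the way Pierre proposes stunnel itself should do at boot. This is an added example, not stunnel code and not a script anyone on the list posted. It assumes the service is registered under the name "stunnel" and that the config file sits at "C:\Program Files\stunnel\config\stunnel.conf"; neither is stated in the thread, so adjust the two parameters if your install differs.

```powershell
# Added diagnostic script for the start-up symptoms discussed in this thread.
# It is not part of stunnel and was not posted by anyone on the list.
# ASSUMPTIONS (not stated in the thread): the Windows service is registered
# under the name "stunnel" and the config file is at the default install path.
param(
    [string]$ServiceName  = 'stunnel',
    [string]$ConfPath     = 'C:\Program Files\stunnel\config\stunnel.conf',
    [int]   $RetrySeconds = 3
)

# 1. Compare what the Service Control Manager claims with what actually runs:
#    the reported symptom is "shows as started" with an empty log, and Pierre
#    asks whether a stunnel process really exists at that moment.
function Get-StunnelState {
    param([string]$Name)
    $svc  = Get-Service -Name $Name -ErrorAction Stop
    $proc = Get-Process -Name 'stunnel' -ErrorAction SilentlyContinue
    $reg  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    [pscustomobject]@{
        ScmStatus        = [string]$svc.Status
        ProcessRunning   = [bool]$proc
        DependOnService  = @($reg.DependOnService)      # e.g. Tcpip, Dnscache
        DelayedAutostart = [int]$reg.DelayedAutostart   # 1 = Automatic (Delayed Start)
    }
}

# 2. Expand stunnel-style ${VAR} references (John's config uses ${SERVER_IP})
#    from the current environment so the connect targets can be checked.
function Expand-StunnelVars {
    param([string]$Value)
    foreach ($m in [regex]::Matches($Value, '\$\{(\w+)\}')) {
        $val   = [string][Environment]::GetEnvironmentVariable($m.Groups[1].Value)
        $Value = $Value.Replace($m.Value, $val)
    }
    $Value
}

# 3. Resolve every hostname named in a 'connect =' line, retrying for a few
#    seconds the way Pierre proposes stunnel itself should at boot. Literal
#    IPv4 targets and bare port numbers (local connects) need no DNS; skip them.
function Test-ConnectTargets {
    param([string]$Path, [int]$Seconds)
    $targets = Select-String -Path $Path -Pattern '^\s*connect\s*=\s*(\S+)' |
        ForEach-Object { Expand-StunnelVars $_.Matches[0].Groups[1].Value } |
        ForEach-Object { ($_ -split ':')[0] } |
        Where-Object { $_ -and $_ -notmatch '^\d+$' -and $_ -notmatch '^\d{1,3}(\.\d{1,3}){3}$' } |
        Sort-Object -Unique

    foreach ($h in $targets) {
        $deadline = (Get-Date).AddSeconds($Seconds)
        $addrs = $null
        do {
            try   { $addrs = [System.Net.Dns]::GetHostAddresses($h) }
            catch { Start-Sleep -Milliseconds 500 }   # resolver not ready yet, retry
        } until ($addrs -or (Get-Date) -ge $deadline)
        [pscustomobject]@{
            Host      = $h
            Resolved  = [bool]$addrs
            Addresses = (@($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')
        }
    }
}

$state = Get-StunnelState -Name $ServiceName
$state | Format-List
if ($state.ScmStatus -eq 'Running' -and -not $state.ProcessRunning) {
    Write-Warning 'SCM reports Running but no stunnel.exe exists: the service never initialised.'
}
if ($state.DependOnService -notcontains 'Dnscache') {
    Write-Host "Dnscache is not a dependency; to add it alongside Tcpip:  sc.exe config $ServiceName depend= Tcpip/Dnscache"
}
if ($state.DelayedAutostart -ne 1) {
    Write-Host "Workaround used in the thread:  sc.exe config $ServiceName start= delayed-auto"
}
if (Test-Path -Path $ConfPath) {
    Test-ConnectTargets -Path $ConfPath -Seconds $RetrySeconds | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell shortly after a reboot, since that is the window in which the thread's failure appears; reading the service's registry key needs no elevation, but the two `sc.exe config` commands it prints do. A target that shows `Resolved: False` after the retry window, while the same name resolves once you are logged in, is the "DNS unavailable at startup" case Pierre describes, and the `Dnscache` dependency or the delayed start is the fix the thread converges on.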
