[stunnel-users] stunnel stopped working today, had to reboot server
chris at christopherschultz.net
Wed Feb 13 19:45:10 CET 2019
Thanks for the quick reply.
On 2/13/19 13:09, Peter Pentchev wrote:
> On Wed, Feb 13, 2019 at 12:17:24PM -0500, Christopher Schultz wrote:
>> I'm new to the list so I'm sorry if this isn't the right place to report
>> I had a server stop responding to stunnel connections sometime yesterday
>> and the resolution was ultimately to reboot the server and everything
>> was okay. Restarting the stunnel service was not enough to get things
>> working again.
>> Looking through the log file, I could see that there were some odd
>> messages coming from stunnel in the daemon.log file suggesting that
>> there might be a memory leak. I won't post them here unless requested,
>> as they may represent a potential security issue.
> Unfortunately this is a known problem with the Debian package of
> stunnel; I did not get around to backporting the fixes to the stunnel
> version that is in Debian 9.x (stretch); I'm really sorry about that.
Confirmed: I'm running Debian Stretch:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.7 (stretch)
> I could make a stretch backport of the stunnel version that is in
> unstable/testing right now - the one that will be in the upcoming
> Debian 10.x (buster). Actually I'll build a package later tonight and
> let you know where you can download it from, then I'll upload it
> to the stretch-backports suite and wait for the backports admins to
> accept it. This package will not have the memory exhaustion problem
> that the version in stretch does have.
That would be great. Will I (eventually) end up getting it via the
normal apt update mechanism? I only have these apt sources configured:
deb http://ftp.us.debian.org/debian/ stretch main
deb http://security.debian.org/ stretch/updates main
Is there a safe mitigation I can put into place before a patch? I
believe Debian's stunnel service scripts completely shut-down one
stunnel process and then start up a new one, so I might have a (very
short) interruption. I can schedule that via cron if necessary, but I'd
prefer to avoid even a small interruption if possible.
> Could you just confirm that you are indeed running Debian 9.x (stretch)?
> (it seems this way from the kernel version that you are running and
> from the symptoms; stunnel 5.06 in jessie does not have this problem)
I have 5.39. Is this older than 5.06? Or is that a typo?
> Sorry again, and thanks for your understanding!
No, it's great to get this kind of feedback right away.
I *am* curious about why a service-restart did not seem to fix things.
With the above memory-exhaustion, would you have expected a
service-restart to fix everything? (I certainly did.) Is it likely that
the "restart" didn't actually restart the service, and I was just
repeatedly testing a borked server process?
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 899 bytes
Desc: OpenPGP digital signature
More information about the stunnel-users