Hi, I've upgraded from stunnel-4.29 (it has been working fine for a long time). It seems that stunnel-4.31 doesn't like the configuration in which it is used in an inetd configuration with 'connect' as the configuration directive. All of a sudden it spawns this error message when connected to:

Reading configuration from file /etc/stunnel/stunnel.conf
Compression enabled using zlib method
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /etc/stunnel/felix
Certificate loaded
Key file: /etc/stunnel/felix
Private key loaded
SSL context initialized for service stunnel
line 68: Each service section must define two endpoints

Line 68 is the 'connect' directive in the config file. The config file reads (comments removed):

ciphers = SSLv3:!LOW:!EXP:!NULL:!aNULL
setuid = stunnel
setgid = stunnel
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
chroot = /etc/stunnel/chroot
cert = /etc/stunnel/felix
debug = 5
connect = localhost:110
Confirmed: in a new set-up, stunnel in server mode will fail:

# /etc/init.d/stunnel start
 * Starting stunnel ...
 * error starting: /etc/stunnel/stunnel.conf
 [ !! ]
 * ERROR: stunnel failed to start

But the stunnel process will actually start, so the next start attempt will succeed(!) with an error that the port is already in use (true because the first stunnel process listens on it).
(In reply to comment #1)
> Confirmed: in a new set-up, stunnel in server mode will fail:
>
> # /etc/init.d/stunnel start
> * Starting stunnel ...
> * error starting: /etc/stunnel/stunnel.conf
> [ !! ]
> * ERROR: stunnel failed to start
>
> But the stunnel process will actually start; so the next start attempt will
> suceed(!) with an error that the port is already in use (true because the first
> stunnel process listens on it)

I think this bug might be related to #308931 and the original error is just a syntax error on your part. I always have an 'accept' and 'connect' section for each service and I believe you need to do that. Can you confirm that?
Are you running stunnel in inetd mode? If so, read this excerpt from the manual:

INETD MODE

The most common use of stunnel is to listen on a network port and establish communication with either a new port via the connect option, or a new program via the exec option. However there is a special case when you wish to have some other program accept incoming connections and launch stunnel, for example with inetd, xinetd, or tcpserver.

For example, if you have the following line in inetd.conf:

imaps stream tcp nowait root /usr/bin/stunnel stunnel /etc/stunnel/imaps.conf

In these cases, the inetd-style program is responsible for binding a network socket (imaps above) and handing it to stunnel when a connection is received. Thus you do not want stunnel to have any accept option. All the Service Level Options should be placed in the global options section, and no [service_name] section will be present. See the EXAMPLES section for example configurations.
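As an added example (not code from this thread or from the stunnel project), the script below applies the two endpoint rules that the manual excerpt and the 4.31 error message describe to a config file: in daemon mode every [service] section must name two endpoints (accept, connect or exec), while in inetd mode there is no section at all, no accept, and a connect or exec target in the global options. The sample configs are constructed from the reporter's layout; the exact checks stunnel itself performs differ between versions, so this is an aid for reading the rules, not a reproduction of stunnel's own parser.

```python
import re

# Endpoint options stunnel counts for a service, per the manual excerpt
# quoted above: accept, connect, exec.
ENDPOINT_KEYS = {"accept", "connect", "exec"}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z_]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_stunnel_conf(text):
    """Split an stunnel config into global options and [service] sections.

    Returns (global_opts, sections); each maps an option name to the list of
    values seen, since options such as 'socket' may repeat. Lines starting
    with ';' or '#' are comments.
    """
    global_opts, sections = {}, {}
    current = global_opts
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group("name"), {})
            continue
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        current.setdefault(m.group("key"), []).append(m.group("value"))
    return global_opts, sections


def check_endpoints(text):
    """Return a list of findings; an empty list means both rules are satisfied."""
    global_opts, sections = parse_stunnel_conf(text)
    findings = []
    if sections:
        # Daemon mode: each [service] needs exactly two endpoints, which is
        # what the 4.31 message 'Each service section must define two
        # endpoints' enforces.
        for name, opts in sections.items():
            endpoints = sorted(k for k in opts if k in ENDPOINT_KEYS)
            if len(endpoints) != 2:
                findings.append(f"[{name}]: expected two endpoints, found {endpoints or 'none'}")
    else:
        # inetd mode: inetd already bound and accepted the socket, so 'accept'
        # must be absent and connect/exec says where the traffic goes.
        if "accept" in global_opts:
            findings.append("inetd mode: 'accept' is not allowed; the inetd-style program binds the socket")
        if not any(k in global_opts for k in ("connect", "exec")):
            findings.append("inetd mode: no connect or exec target in the global options")
    return findings


# Constructed sample configs (paths and ports are illustrative).
INETD_MODE_CONF = """\
; inetd mode: service-level options in the global section, no [name] section
cert = /etc/stunnel/felix
setuid = stunnel
setgid = stunnel
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 5
connect = localhost:110
"""

DAEMON_MODE_CONF = """\
cert = /etc/stunnel/felix
setuid = stunnel
setgid = stunnel

[pop3s]
accept = 995
connect = localhost:110
"""

BROKEN_DAEMON_CONF = """\
cert = /etc/stunnel/felix

[pop3s]
connect = localhost:110
"""

if __name__ == "__main__":
    for label, conf in (("inetd", INETD_MODE_CONF), ("daemon", DAEMON_MODE_CONF), ("broken", BROKEN_DAEMON_CONF)):
        print(label, check_endpoints(conf) or "ok")
```

Running it reports the inetd-mode and daemon-mode samples as fine and flags the broken daemon-mode section, which has only a connect endpoint; a config such as the reporter's, once a [service] section is added without an accept line, trips the same rule.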
Anyway, just wanted to let you know that the stunnel 4.33 version which is in the portage tree seems to work with my configuration file. Yay! :D