
I've got STunnel configured to proxy non-SSL POP3 requests to GMail on port 111. This is working fine when STunnel is running as a desktop app, but when I run the STunnel service, I can't connect to port 111 on the machine (using Outlook Express, for example).

The Stunnel log file shows the port binding is succeeding, but it never sees a connection. Is there something preventing the connection to that port when STunnel is running as a service?

Here's stunnel.conf:

cert = stunnel.pem

; Some performance tunings  
socket = l:TCP_NODELAY=1  
socket = r:TCP_NODELAY=1  

; Some debugging stuff useful for troubleshooting  
debug = 7  
output = stunnel.log  

; Use it for client mode  
client = yes

; Service-level configuration

[gmail]  
accept = 127.0.0.1:111  
connect = pop.gmail.com:995  

stunnel.log from the service:

2010.10.07 12:14:22 LOG5[80444:72984]: Reading configuration from file stunnel.conf  
2010.10.07 12:14:22 LOG7[80444:72984]: Snagged 64 random bytes from C:/.rnd  
2010.10.07 12:14:23 LOG7[80444:72984]: Wrote 1024 new random bytes to C:/.rnd  
2010.10.07 12:14:23 LOG7[80444:72984]: PRNG seeded successfully  
2010.10.07 12:14:23 LOG7[80444:72984]: Certificate: stunnel.pem  
2010.10.07 12:14:23 LOG7[80444:72984]: Certificate loaded  
2010.10.07 12:14:23 LOG7[80444:72984]: Key file: stunnel.pem  
2010.10.07 12:14:23 LOG7[80444:72984]: Private key loaded  
2010.10.07 12:14:23 LOG7[80444:72984]: SSL context initialized for service gmail  
2010.10.07 12:14:23 LOG5[80444:72984]: Configuration successful  
2010.10.07 12:14:23 LOG5[80444:72984]: No limit detected for the number of clients  
2010.10.07 12:14:23 LOG7[80444:72984]: FD=156 in non-blocking mode  
2010.10.07 12:14:23 LOG7[80444:72984]: Option SO_REUSEADDR set on accept socket  
2010.10.07 12:14:23 LOG7[80444:72984]: Service gmail bound to 0.0.0.0:111  
2010.10.07 12:14:23 LOG7[80444:72984]: Service gmail opened FD=156  
2010.10.07 12:14:23 LOG5[80444:72984]: stunnel 4.34 on x86-pc-mingw32-gnu with OpenSSL 1.0.0a 1 Jun 2010  
2010.10.07 12:14:23 LOG5[80444:72984]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6  

stunnel.log from the desktop (working) process:

2010.10.07 12:10:31 LOG5[80824:81200]: Reading configuration from file stunnel.conf  
2010.10.07 12:10:31 LOG7[80824:81200]: Snagged 64 random bytes from C:/.rnd  
2010.10.07 12:10:32 LOG7[80824:81200]: Wrote 1024 new random bytes to C:/.rnd  
2010.10.07 12:10:32 LOG7[80824:81200]: PRNG seeded successfully  
2010.10.07 12:10:32 LOG7[80824:81200]: Certificate: stunnel.pem  
2010.10.07 12:10:32 LOG7[80824:81200]: Certificate loaded  
2010.10.07 12:10:32 LOG7[80824:81200]: Key file: stunnel.pem  
2010.10.07 12:10:32 LOG7[80824:81200]: Private key loaded  
2010.10.07 12:10:32 LOG7[80824:81200]: SSL context initialized for service gmail  
2010.10.07 12:10:32 LOG5[80824:81200]: Configuration successful  
2010.10.07 12:10:32 LOG5[80824:81200]: No limit detected for the number of clients  
2010.10.07 12:10:32 LOG7[80824:81200]: FD=156 in non-blocking mode  
2010.10.07 12:10:32 LOG7[80824:81200]: Option SO_REUSEADDR set on accept socket  
2010.10.07 12:10:32 LOG7[80824:81200]: Service gmail bound to 0.0.0.0:111  
2010.10.07 12:10:32 LOG7[80824:81200]: Service gmail opened FD=156  
2010.10.07 12:10:33 LOG5[80824:81200]: stunnel 4.34 on x86-pc-mingw32-gnu with OpenSSL 1.0.0a 1 Jun 2010  
2010.10.07 12:10:33 LOG5[80824:81200]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6  
2010.10.07 12:10:33 LOG7[80824:81844]: Service gmail accepted FD=188 from 127.0.0.1:24813  
2010.10.07 12:10:33 LOG7[80824:81844]: Creating a new thread  
2010.10.07 12:10:33 LOG7[80824:81844]: New thread created  
2010.10.07 12:10:33 LOG7[80824:25144]: Service gmail started  
2010.10.07 12:10:33 LOG7[80824:25144]: FD=188 in non-blocking mode  
2010.10.07 12:10:33 LOG7[80824:25144]: Option TCP_NODELAY set on local socket  
2010.10.07 12:10:33 LOG5[80824:25144]: Service gmail accepted connection from 127.0.0.1:24813  
2010.10.07 12:10:33 LOG7[80824:25144]: FD=212 in non-blocking mode  
2010.10.07 12:10:33 LOG6[80824:25144]: connect_blocking: connecting 209.85.227.109:995  
2010.10.07 12:10:33 LOG7[80824:25144]: connect_blocking: s_poll_wait 209.85.227.109:995: waiting 10 seconds  
2010.10.07 12:10:33 LOG5[80824:25144]: connect_blocking: connected 209.85.227.109:995  
2010.10.07 12:10:33 LOG5[80824:25144]: Service gmail connected remote server from 192.168.1.9:24814  
2010.10.07 12:10:33 LOG7[80824:25144]: Remote FD=212 initialized  
2010.10.07 12:10:33 LOG7[80824:25144]: Option TCP_NODELAY set on remote socket  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): before/connect initialization  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 write client hello A  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 read server hello A  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 read server certificate A  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 read server done A  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 write client key exchange A  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 write change cipher spec A  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 write finished A  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 flush data  
2010.10.07 12:10:33 LOG7[80824:25144]: SSL state (connect): SSLv3 read finished A  
2010.10.07 12:10:33 LOG7[80824:25144]:    1 items in the session cache  
2010.10.07 12:10:33 LOG7[80824:25144]:    1 client connects (SSL_connect())  
2010.10.07 12:10:33 LOG7[80824:25144]:    1 client connects that finished  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 client renegotiations requested  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 server connects (SSL_accept())  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 server connects that finished  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 server renegotiations requested  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 session cache hits  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 external session cache hits  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 session cache misses  
2010.10.07 12:10:33 LOG7[80824:25144]:    0 session cache timeouts  
2010.10.07 12:10:33 LOG6[80824:25144]: SSL connected: new session negotiated  
2010.10.07 12:10:33 LOG6[80824:25144]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5   
2010.10.07 12:10:34 LOG7[80824:25144]: SSL socket closed on SSL_read  
2010.10.07 12:10:34 LOG7[80824:25144]: Sending socket write shutdown  
2010.10.07 12:10:34 LOG5[80824:25144]: Connection closed: 53 bytes sent to SSL, 118 bytes sent to socket  
2010.10.07 12:10:34 LOG7[80824:25144]: Service gmail finished (0 left)  
mgorven
John Francis
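One thing worth noticing in the posted stunnel.conf, independent of the service problem: it runs in client mode with no `verify` and no `CAfile`/`CApath`, so stunnel completes the TLS handshake to pop.gmail.com:995 without checking who it is talking to. The script below is an added example (not code from the question or from the stunnel project): it parses stunnel's INI-like syntax, including the global options that every `[service]` inherits and repeated keys such as the two `socket` lines, and flags client services that never check the peer certificate. It carries a constructed copy of the posted config next to a hardened variant; the CA bundle name `ca-certs.pem` in the hardened variant is an assumption.

```python
"""Lint an stunnel.conf for client-mode services that do not verify the
server's certificate.  Added example; not code from the original post or
from the stunnel project."""
import re
from typing import Dict, List, Optional, Tuple

Options = List[Tuple[str, str]]

# Constructed copy of the configuration posted above, comment lines dropped.
# Nothing in it asks stunnel to verify pop.gmail.com's certificate.
POSTED_CONF = """\
cert = stunnel.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 7
output = stunnel.log
client = yes

[gmail]
accept = 127.0.0.1:111
connect = pop.gmail.com:995
"""

# The same service with peer verification turned on.  In stunnel 4.x
# `verify = 2` means "always verify the peer certificate" and needs a CAfile
# or CApath to check against; the file name ca-certs.pem is an assumption.
# `cert` is dropped: a client tunnel only presents a certificate if the
# server asks for one, which GMail's POP3 endpoint does not.
HARDENED_CONF = """\
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
debug = 5
output = stunnel.log
client = yes
verify = 2
CAfile = ca-certs.pem

[gmail]
accept = 127.0.0.1:111
connect = pop.gmail.com:995
"""


def parse_conf(text: str) -> Tuple[Options, Dict[str, Options]]:
    """Parse stunnel's INI-like syntax: `key = value` lines, `;` or `#`
    comment lines and `[service]` headers.  Options before the first header
    are global and apply to every service; keys may repeat (`socket`)."""
    global_opts: Options = []
    services: Dict[str, Options] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = services.setdefault(header.group(1).strip(), [])
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current.append((key.strip().lower(), value.strip()))
    return global_opts, services


def effective(global_opts: Options, svc_opts: Options, key: str) -> Optional[str]:
    """A service-level option overrides the global one; the last value wins."""
    value = None
    for k, v in global_opts + svc_opts:
        if k == key:
            value = v
    return value


def lint(text: str) -> Dict[str, List[str]]:
    """Return, per client-mode service, the problems a reviewer would flag."""
    global_opts, services = parse_conf(text)
    findings: Dict[str, List[str]] = {}
    for name, opts in services.items():
        def get(key: str) -> Optional[str]:
            return effective(global_opts, opts, key)
        if (get("client") or "no").lower() != "yes":
            continue  # server-mode services need different checks
        problems: List[str] = []
        verify = get("verify")
        level = int(verify) if verify and verify.isdigit() else 0
        if level < 2:
            problems.append("verify is unset or below 2: the server certificate is "
                            "never checked, so any host that answers on the connect "
                            "address is trusted")
        elif not (get("cafile") or get("capath")):
            problems.append(f"verify = {level} needs a CAfile or CApath to check against")
        debug = get("debug")
        if debug and debug.isdigit() and int(debug) >= 7:
            problems.append("debug = 7 is the most verbose level; lower it once "
                            "troubleshooting is done")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint(conf))
```

Running it reports two findings for the posted config (no verification, maximum debug level) and none for the hardened one. The lint deliberately treats a `verify` of 0 or 1 the same as unset, because at those levels stunnel still accepts a peer certificate that fails validation.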

2 Answers


I've had the same problem on a W2003 x64 Datacenter server (a virtual server). Turning off the Windows firewall didn't solve the problem. One thing made me wonder: the service didn't show up in the services.msc list.

After adding service=stunnel to the conf file it seemed to work.

Then I restarted the server and it didn't work again. I logged in, restarted the service via services.msc and it worked again. Really strange.

thost

Try putting:

foreground = yes

in there.

Does "stunnel.log" contain anything you can post?

gm3dmo
  • foreground = yes caused the server not to start. Maybe because it's a 'Unix only' option in the manual and I'm running Windows. – John Francis Oct 07 '10 at 11:11
  • I've appended a stunnel.log from the working and non-working processes. The non-working one just never seems to receive a connection? – John Francis Oct 07 '10 at 12:05
  • I tried stunnel 4.34 on Windows XP, worked OK when run as a service. Do you see anything in the Windows event log (run eventvwr.exe) when it runs as a service? – gm3dmo Oct 07 '10 at 20:00
  • Yes, I've done that on XP too and it works on XP! I'm getting the problem on a Windows 2003 Server SP2 box. It's baffling me. Nothing in any of the event logs when it's running as a service. – John Francis Oct 08 '10 at 13:11
  • Is it possible that when it's run in the foreground Windows 2003 asked you if you wanted to allow stunnel to use the network, and so now in the foreground it's happy for it to run, whereas when it's a service the Windows firewall blocks it? Can you disable Windows firewall temporarily to test, or add a rule allowing TCP on 995? – gm3dmo Oct 08 '10 at 17:57
  • I'd thought this one through. Unfortunately it's a Small Business Server and it's not entirely obvious how to do this as it's all done through Routing and Remote Access, not the usual Firewall tab on the network settings. – John Francis Oct 12 '10 at 16:23
  • I tried setting the STunnel service to run as the Administrator user, to see if this would use the same firewall settings as the desktop version. Still no joy :-| – John Francis Oct 25 '10 at 09:50
  • For a test have the service tunnel deliver to another tunnel on your localhost. Configure the localhost tunnel from your desktop to pass to the real destination. If that works then it must be some security/firewall setting in windows in the way (that's all assuming that the FW/security stuff just ignores localhost). – gm3dmo Oct 28 '10 at 11:19
  • I think I see what you mean. I'm already using a localhost connection to STunnel though. MS Exchange won't allow me to use localhost in its POP3 connector, so I'm using 127.0.0.1 - same thing I thought. It does feel like a firewall issue to me too, but I can't for the life of me find out what to do to get it working. If it does end up being a firewall issue, then it's blocking a localhost connection to the service STunnel. – John Francis Nov 03 '10 at 09:28
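The thread above is trying to decide between "nothing is really listening", "a firewall is in the way" and "stunnel gets the connection but the upstream leg fails", and the service log alone cannot separate them because it only shows the bind. The probe below is an added example (not code from the answers or from stunnel): it connects to the tunnel's accept address the way Outlook Express or the Exchange POP3 connector would and classifies the outcome. It relies on POP3 servers greeting with `+OK` before the client sends anything, so a working tunnel to pop.gmail.com:995 yields a banner with no request at all. The `fake_listener` stand-in exists only so the verdicts can be exercised without stunnel or the network; it is not stunnel.

```python
"""Probe the local accept side of a tunnel and say which failure mode it is.
Added example; not code from the original answers or from stunnel."""
import socket
import threading
import time
from typing import Tuple


def probe(host: str, port: int, timeout: float = 3.0) -> Tuple[str, str]:
    """Connect to stunnel's accept address and classify the outcome.
    POP3 servers send "+OK ..." before the client says anything, so a healthy
    tunnel yields a banner with no request at all.  Verdicts:
      refused  - nothing listening on that address (never bound, or bound on a
                 different address/port than you think)
      filtered - connect timed out: something drops the SYN (host firewall)
      closed   - accepted, then hung up without data: the tunnel took the
                 connection but its upstream TLS leg failed
      silent   - accepted, no data within the timeout
      ok       - POP3 greeting received through the tunnel
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "refused", "no listener on %s:%d" % (host, port)
    except socket.timeout:
        s.close()
        return "filtered", "connect timed out after %.1fs" % timeout
    except OSError as e:
        s.close()
        return "error", str(e)
    try:
        data = s.recv(512)
    except socket.timeout:
        return "silent", "accepted but no banner within %.1fs" % timeout
    finally:
        s.close()
    if not data:
        return "closed", "accepted, then closed without a banner"
    if data.startswith(b"+OK"):
        return "ok", data.decode("ascii", "replace").strip()
    return "unexpected", repr(data[:80])


def fake_listener(banner: bytes, hold_seconds: float = 0.0) -> int:
    """Constructed stand-in for the tunnel's accept side, used to exercise
    probe() without stunnel or the network.  Accepts one connection, sends
    `banner` (possibly empty), waits `hold_seconds`, then hangs up.  Returns
    the port it bound on 127.0.0.1."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        if banner:
            conn.sendall(banner)
        time.sleep(hold_seconds)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A port on 127.0.0.1 with nothing listening, for the refused case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # The accept address from the posted stunnel.conf.
    print(probe("127.0.0.1", 111))
    # The same probe against the stand-ins, one per verdict.
    print(probe("127.0.0.1", fake_listener(b"+OK Gpop ready.\r\n")))
    print(probe("127.0.0.1", fake_listener(b""), 1.0))
    print(probe("127.0.0.1", free_port()))
```

Run it on the server while the stunnel service is up: `refused` means the service log's "bound to 0.0.0.0:111" is not the listener you are reaching (wrong address or port on the client side, or a second process answering), `filtered` points at something dropping the SYN, and `closed` or `silent` means the connection did reach the tunnel and the problem moved to the TLS leg, which should then show up in stunnel.log.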