[stunnel-users] must restart stunnel to add a new cert before it

Old 11-14-2006
Rami Michael
 
Hello everyone,

My stunnel setup is working fine, got mysql being hit from a couple of boxes
but my question is this...
I have stunnel set up so I copy the cert created from the remote client over
to the local server so remote connections are authenticated.
Now that works fine and dandy, the issue is, if I am adding a new remote
client, I add the cert from the client to my certs.pem locally but I need to
restart the stunnel process before stunnel will "read in" the new cert.
I know this does not sound like a big deal, but if I have 20 machines
connected through stunnel to this local box and I need to restart stunnel
whenever I need to add a new box or take off an old one, I don't think it's
good.

I use stunnel for mysql so I got these guys doing inserts and a broken
connection would really mess things up for me... I think maybe there is a
flag I can set? Or maybe send the process some type of command to reload
the certs?

Any help would be appreciated... all relevant info included below.

All requested info for posts to the group is found below.

Here is my stunnel.conf

verify = 3
CAfile = /etc/stunnel/certs.pem
cert = /etc/stunnel/stunnel.pem
setuid = nobody
setgid = nobody
pid = /tmp/stunnel.pid
debug = 7
output = /var/log/stunnel.log
client = no
[mysqls]
accept = 3309
connect = 3306

Some output from the stunnel.log at high debug level

2006.11.13 23:03:10 LOG5[32244:3086689984]: stunnel 4.05 on
i686-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2006.11.13 23:03:10 LOG7[32244:3086689984]: Snagged 64 random bytes from
/dev/urandom
2006.11.13 23:03:10 LOG7[32244:3086689984]: RAND_status claims sufficient
entropy for the PRNG
2006.11.13 23:03:10 LOG6[32244:3086689984]: PRNG seeded successfully
2006.11.13 23:03:10 LOG7[32244:3086689984]: Certificate:
/etc/stunnel/stunnel.pem
2006.11.13 23:03:10 LOG7[32244:3086689984]: Key file:
/etc/stunnel/stunnel.pem
2006.11.13 23:03:10 LOG7[32244:3086689984]: Loaded verify certificates from
/etc/stunnel/certs.pem
2006.11.13 23:03:10 LOG5[32244:3086689984]: FD_SETSIZE=1024, file
ulimit=1024 -> 500 clients allowed
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 4 in non-blocking mode
2006.11.13 23:03:10 LOG7[32244:3086689984]: SO_REUSEADDR option set on
accept socket
2006.11.13 23:03:10 LOG7[32244:3086689984]: mysqls bound to 0.0.0.0:3309
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 5 in non-blocking mode
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 6 in non-blocking mode
2006.11.13 23:03:10 LOG7[32245:3086689984]: Created pid file
/tmp/stunnel.pid

stunnel -V
2006.11.13 23:03:14 LOG3[32248:3086505664]: -V: No such file or directory
(2)

Syntax:
stunnel [filename] | -fd [n] | -help | -version | -sockets
filename - use specified config file instead of
/etc/stunnel/stunnel.conf
-fd n - read the config file from specified file descriptor
-help - get config file help
-version - display version and defaults
-sockets - display default socket options

uname -a
Linux ramison 2.6.9-42.0.3.EL #1 Fri Oct 6 05:59:54 CDT 2006 i686 i686 i386
GNU/Linux

gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.6/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--disable-checking --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-java-awt=gtk
--host=i386-redhat-linux
Thread model: posix
gcc version 3.4.6 20060404 (Red Hat 3.4.6-3)

openssl version
OpenSSL 0.9.7a Feb 19 2003

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
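The certs.pem in the post is a hand-maintained concatenation of client certificates that this stunnel only re-reads on restart, so a bad paste is discovered exactly when every tunnel is down. As an added example (not from the post, the list or the stunnel project), a stdlib-only Python check that lints such a bundle before it is put in place: it flags mismatched BEGIN/END labels, non-certificate blocks such as a private key appended by mistake, undecodable base64, and the same client certificate pasted twice. The sample bundle is constructed; its DER payloads are placeholder SEQUENCEs, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block; the label is captured on both ends so a mismatch can be flagged.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z ]+)-----", re.S)

def lint_ca_bundle(text):
    """Return (status, detail) per PEM block of a CAfile bundle such as certs.pem:
    "ok"/"duplicate" with the SHA-256 fingerprint, or "malformed" with the reason."""
    results, seen = [], set()
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            results.append(("malformed", f"BEGIN {begin} closed by END {end}"))
            continue
        if begin != "CERTIFICATE":
            # A private key or CSR has no place in the peer trust bundle.
            results.append(("malformed", f"unexpected block type {begin}"))
            continue
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError:
            results.append(("malformed", "body is not valid base64"))
            continue
        if not der or der[0] != 0x30:   # every X.509 cert is a DER SEQUENCE
            results.append(("malformed", "DER does not start with a SEQUENCE"))
            continue
        fp = hashlib.sha256(der).hexdigest()
        results.append(("duplicate" if fp in seen else "ok", fp))
        seen.add(fp)
    return results

def pem_block(label, der):
    """Wrap DER bytes as PEM with 64-column base64 lines (builds the sample)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: minimal ASN.1 SEQUENCEs stand in for client certificates
# (placeholders, not real X.509 data), plus two mistakes an operator might make.
CLIENT_A, CLIENT_B = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
SAMPLE_BUNDLE = (
    pem_block("CERTIFICATE", CLIENT_A) + pem_block("CERTIFICATE", CLIENT_B)
    + pem_block("CERTIFICATE", CLIENT_A)            # same client pasted twice
    + pem_block("RSA PRIVATE KEY", b"\x30\x00")     # wrong file appended
    + "-----BEGIN CERTIFICATE-----\nnot*base64\n-----END CERTIFICATE-----\n"
)
```

Run it against the candidate bundle and refuse to install (and restart) if any entry is reported as malformed; the fingerprints also give you a per-client record of what was added or removed.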
