[blfs-support] Stunnel BLFS 7.7 Boot error

Marcos Pansani marcos_pansani at yahoo.com.br
Thu Jul 16 15:46:15 PDT 2015


Thanks for Fernando tips.

I really do not know why the email went out plain. I send directly from 
yahoo webmail ....

I followed the book, creating User and group.

using the command as you pointed me "/etc/rc.d/init.d/stunnel start", 
or prompt returns like failure command:

[] Initializing inetd mode configuration
[!] Service [stunnel]: Inetd mode must define one endpoint

The file "stunnel.conf" this as follows, I have not changed anything 
from the book:

-----------------------------------------------
; File: /etc/stunnel/stunnel.conf

; Note: The pid and output locations are relative to the chroot location.

pid    = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
cert   = /etc/stunnel/stunnel.pem

;debug = 7
;output = stunnel.log

;[https]
;accept  = 443
;connect = 80
;; "TIMEOUTclose = 0" is a workaround for a design flaw in Microsoft SSL
;; Microsoft implementations do not use SSL close-notify alert and thus
;; they are vulnerable to truncation attacks
;TIMEOUTclose = 0
-----------------------------------------------

Another thing I did was in command "make docdir=/usr/share/doc/stunnel-5.10 install" 
the book. I was just giving "enter" in the questions.

I do not know if I should change something standard.

Thanks again

Marcos


      De: Fernando <fernando.famo at gmail.com>
 Para: BLFS Support List <blfs-support at lists.linuxfromscratch.org> 
 Enviadas: Quinta-feira, 16 de Julho de 2015 10:31
 Assunto: Re: [blfs-support] Stunnel BLFS 7.7 Boot error
   
Em 15-07-2015 19:31, Marcos Pansani escreveu:
> Hello guys,
>
>  I am in the BLFS 7.7 construction process is going well.
>
>  But after building the package Stunell 5:10, I boot the system to see if it's okay.
>
>  But this giving an error message in stunnel service. The message this this way:
> Starting the Stunnel Daemon...[ ] Clients allowed=500[.] stunnel 5.10
> on x86_64-unknown-linux-gnu plataform[.] Compiled/running with
> OpenSSL 1.0.2 22 Jan 2015[.] Threading:PTHREAD Sockets:POLL,IPv6
> TLS:ENGINE,FIPS,OCSP,PSK,SNI[ ] errno: (*__errno_ocation ())[.]
> Reading configuration from file /etc/stunnel/stunnel.conf[.] FIPS
> mode disabled[ ] ompression disabled[ ] PRNG seed successfully[ ]
> Initializing inetd mode configuration[!] Service [stunnel]: Inetd
> mode must define one endpoint*******
>
> From what I noticed, is a configuration error, but do not know how to
> solve, does anyone have any tips on how to set? Well provalvel the
> error that is related to what it says in the book " If you use
> stunnel to encrypt a daemon started from [x]inetd, you may need to
> disable that daemon in the /etc/[x]inetd.conf file and enable a
> corresponding <service>_stunnel service. You may have to add an
> appropriate entry in /etc/services as well. "
>    But I did not understand what should I do ...

I really don't know how to help, but you could send some info, so that 
others would probably have something to say.

Before listing the info which could help, some tips about your mail format:

As you see, your post is badly formated (actually, I reformated very 
long lines to fit under a reasonable width, which most users think is 72 
characters.

Some people here reads email in a terminal, from a text only client. If 
the mail is in html or have long lines, some of them just giv up and 
ignore. Between them you have the best people that could help.

Thus: no *html*, and if your mail client doesn't *break the lines* 
automatically, you can do it manually. Alternatives are to write the 
mails in text editors that would break the lines, then copy/paste, or 
use another client, such as Thunderbird or Seamonkey properly configured.

Another rule people like here: do not top post.

If you don't follow those rules, there is not much simpaty, and many 
will not reply to your posts.

These are onley to help you. [Só querendo ajudar, para você ter mais 
ajuda da lista.]

If you don't understand anything in English in this post, I can send you 
a translated version, just tell me here or privately.

Now, some useful info:

If you have customized the configuration, please, send the result of

$ cat /etc/stunnel/stunnel.conf

I assume that you have followed the book, creating stunnel user and group.

One thing that you perhaps might not know yet: you don't need to reboot 
to have the error messages displayed:


As root you can run:

# /etc/rc.d/init.d/stunnel
Usage: /etc/rc.d/init.d/stunnel {start|stop|restart|status}
# /etc/rc.d/init.d/stunnel status
/usr/bin/stunnel is not running.
# /etc/rc.d/init.d/stunnel start
  *  Starting the Stunnel Daemon...                    [  OK  ]
# /etc/rc.d/init.d/stunnel status
stunnel is running with Process ID(s) 13052.

I reformatted on line to not be broken by the mail client.

One important point: vulnerability or security issues.

After we release BLFS some vulnerabilities are discovered in some 
packages, and anyone using them, would better use a more recent version.

In your case, at least openssl and stunnel should be upgraded to the 
versions at BLFS svn:

http://www.linuxfromscratch.org/blfs/view/svn/index.html

Ken wrote recently that the best way to be secure, is not using a 
released BLFS, but download the latest BLFS svn.

Thus, other packages, such as browsers and mail clients should be the 
ones at BLFS svn snapshot:

http://www.linuxfromscratch.org/blfs/downloads/svn/

and build according to it, keeping an eye at

http://www.linuxfromscratch.org/blfs/view/svn/index.html

Don't use the web svn, because overnight modifications  could break your 
builds. Happened to me.

We are trying trying to write in our ticket system the changelog for the 
packages and using

Priority:     high

so that the line is yellow, when one package is released to solve some 
vulnerability:

Following link will filter just those:

http://wiki.linuxfromscratch.org/blfs/query?priority=high&desc=1ℴ=id

It should be in one line. Mail client will break it, probably, so you 
will need to copy/paste the lines, without spaces.

-- 
[]s,
Fernando de Oliveira


-- 
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfromscratch.org/pipermail/blfs-support/attachments/20150716/fda59f43/attachment.html>


More information about the blfs-support mailing list