Package: stunnel4
Version: 3:5.50-3
Severity: serious

Stopping or restarting stunnel4 on systems with sysvinit (or probably also any other init system using start-stop-daemon) fails as follows for me:

invoke-rc.d stunnel4 restart
Restarting TLS tunnels: /etc/stunnel/stunnel.conf: /sbin/start-stop-daemon: matching only on non-root pidfile /var/lib/stunnel4///stunnel4.pid is insecure
stopped

And despite it claiming at the end "stopped", stunnel is not stopped, as ps shows:

stunnel4 26991 0.0 0.0 87196 156 ? Ssl Jan21 0:00 /usr/bin/stunnel4 /etc/stunnel/stunnel.conf

This is caused by the following change in dpkg 1.19.3 from 22 Jan 2019:

  * start-stop-daemon: Check whether standalone --pidfile use is secure.
    Prompted by Michael Orlitzky <mich...@orlitzky.com>.

The usual fix seems to be to also specify the binary to be stopped with IIRC the --exec option.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages stunnel4 depends on:
ii  adduser     3.118
ii  libc6       2.28-8
ii  libssl1.1   1.1.1b-1
ii  libsystemd0 241-1
ii  libwrap0    7.6.q-28
ii  lsb-base    10.2018112800
ii  netbase     5.6
ii  openssl     1.1.1b-1
ii  perl        5.28.1-4

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>

-- Configuration Files:
/etc/stunnel/stunnel.conf changed:
; Sample stunnel configuration file by Michal Trojnara 2002-2009
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of the chroot jail)
; Certificate/key is needed in server mode and optional in client mode
;cert = /etc/ssl/certs/stunnel.pem
;key = /etc/ssl/certs/stunnel.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = zlib
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /etc/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting
;debug = 7
;output = /var/log/stunnel4/stunnel.log
; Use it for client mode
;client = yes
; Service-level configuration
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0
[bbs]
;accept = localhost:1984
accept = 127.0.0.1:1984
connect = sym.noone.org:1983
client = yes
[bbs2]
;accept = localhost:1984
accept = 127.0.0.2:1984
connect = c3pio.deuxchevaux.org:1983
client = yes
; vim:ft=dosini

-- no debconf information
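
A simplified model of the check discussed in the report, as an added example that is not part of the original bug report and is not dpkg's code: a pidfile that a non-root user can rewrite may name any PID, so root should act on it only if the file is root-owned and not group- or world-writable, or if the recorded process is also matched against the expected executable, which is what --exec adds. The function names are hypothetical; GNU stat and a Linux /proc are assumed.

```shell
#!/bin/sh
# Added example (not dpkg code). Assumes GNU stat and Linux /proc.

# pidfile_trusted FILE [TRUSTED_UID]
# Succeeds only if FILE is a regular file (not a symlink), owned by
# TRUSTED_UID (default 0) and not writable by group or others.
pidfile_trusted() {
    file=$1 trusted_uid=${2:-0}
    [ -f "$file" ] && [ ! -L "$file" ] || return 1
    owner=$(stat -c %u "$file") || return 1
    mode=$(stat -c %a "$file") || return 1
    [ "$owner" = "$trusted_uid" ] || return 1
    # Octal mode: reject if a group or other write bit (022) is set.
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# pid_runs_exe FILE EXE
# Succeeds only if the PID recorded in FILE is a live process whose
# executable is EXE: the extra match that --exec adds to --pidfile.
pid_runs_exe() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ "$(readlink "/proc/$pid/exe" 2>/dev/null)" = "$2" ]
}

# safe_to_signal FILE TRUSTED_UID [EXE]
# With EXE, the process itself is verified; without it, the pidfile is
# the only evidence and therefore has to be trusted.
safe_to_signal() {
    if [ -n "${3:-}" ]; then
        pid_runs_exe "$1" "$3"
    else
        pidfile_trusted "$1" "$2"
    fi
}

# Usage: sh check.sh PIDFILE [EXE]
if [ "$#" -ge 1 ]; then
    if safe_to_signal "$1" 0 "${2:-}"; then
        echo "ok to signal: $1"
    else
        echo "refusing to signal based on: $1"
    fi
fi
```

Run with only /var/lib/stunnel4/stunnel4.pid as argument, this refuses on the reporter's setup because the file is owned by the stunnel4 user; adding /usr/bin/stunnel4 as the second argument switches to the executable match.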