[sslh] Many processes
Maurice Commandeur
maurice at nieuwerbrug.org
Sat Feb 4 22:56:27 CET 2012
Aaron, Yves,
1. It was indeed a MacPorts installation.
$ port installed
Warning: port definitions are more than two weeks old, consider using selfupdate
The following ports are currently installed:
aiccu @20070115_2 (active)
openssl @1.0.0f_0 (active)
sslh @1.10_0 (active)
stunnel @4.47_0+libwrap (active)
tuntaposx @20090913_1 (active)
zlib @1.2.5_0 (active)
2. Launching as described in the README.MacOSX
- I created an extra ip on interface en0, binding sslh to that ip
- Apache uses another ip address and localhost, it is configured not to use *:443, but 192.168.20.73:443
- There were some permission problems on the logfiles (or something; those are solved…)
This is the launchctl script I'm using
$ cat /Library/LaunchDaemons/net.rutschle.sslh.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>net.rutschle.sslh</string>
<key>ProgramArguments</key>
<array>
<string>/opt/local/sbin/sslh</string>
<string>-f</string>
<string>-v</string>
<string>-u</string>
<string>nobody</string>
<string>-p</string>
<string>192.168.20.75:443</string>
<string>--ssh</string>
<string>localhost:22</string>
<string>--ssl</string>
<string>localhost:443</string>
</array>
<key>QueueDirectories</key>
<array/>
<key>RunAtLoad</key>
<true/>
<key>StandardErrorPath</key>
<string>/Library/Logs/sslh.log</string>
<key>StandardOutPath</key>
<string>/Library/Logs/sslh.log</string>
<key>WatchPaths</key>
<array/>
</dict>
</plist>
3. I do not need to reboot my machine. I know I start initially with two processes.
Starting on a running machine after a few weeks' uptime:
## cleaning out zombies
$ ps -ef | grep -c [s]slh
323
$ sudo kill -1 31952
Password:
## Zombies are gone now, and somehow I get a new PID on my process….
$ ps -ef | grep -c [s]slh
2
$ ps -ef | grep [s]slh
-2 88079 1 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88080 88079 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
## now adding a ssh session via sslh
$ ps -ef | grep [s]slh
-2 88079 1 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88080 88079 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88122 88080 0 10:41PM ?? 0:00.03 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
## now adding a https session via sslh
$ ps -ef | grep [s]slh
-2 88079 1 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88080 88079 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88122 88080 0 10:41PM ?? 0:00.03 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88146 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88152 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88155 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88156 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88157 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88158 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88159 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88160 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88164 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88171 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88172 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88174 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88175 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88176 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88185 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88186 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88187 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88189 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88190 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88191 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88193 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88217 88080 0 10:42PM ?? 0:00.00 (sslh)
It seems that the https session is the felon...
On 2 Feb. 2012, at 15:42, Aaron Madlon-Kay wrote:
> Hello all. I'm running 1.10 on OS X 10.7.3 and I've never seen so many sslh processes running at once on my machine. As I'm running the default sslh-fork flavor, I note that each connection gets its own process. However as soon as the connection is closed, that particular process goes away as expected.
>
> I guess it would help to know the following:
>
> 1. Where did you get sslh from? (It seems from the launch path that you got it from MacPorts.)
>
> 2. How are you launching it? (If you're using the launchctl script I suggested, there are some problems with it in version 1.10 that I'd like to know how you addressed.)
>
> 3. Can you try rebooting and confirming that you start off initially with two sslh processes? And that additional processes spawn and die correctly for each incoming connection?
>
> Thanks,
> Aaron
>
>
> On 2012/02/02, at 22:18, Yves Rutschle wrote:
>
>> On Wed, Feb 01, 2012 at 02:29:10PM +0100, Maurice Commandeur wrote:
>>> Hi Yves,
>>
>> Please keep the mailing list posted!
>>
>>> Currently running version 1.10
>>
>> Ok, I have no theory then.
>>
>> Anyone on the mailing list running MacOSX and 1.10? Aaron?
>>
>>>>> server:~ admin$ ps -ef | grep sslh
>>
>> Could you try the following:
>>
>> - Start afresh, do a ps -ef (you should have two sslh
>> processes)
>> - Do one connection with SSL, another ps -ef
>> - Do one connection with SSH, another ps -ef
>>
>> in order to see if zombies appear consistently. By the end
>> you should only have one sslh per active connection + 2, so
>> if you closed all connections there should only ever be 2
>> processes.
>>
>> Meanwhile I'll see if I can find a shell account for MacOSX,
>> or re-test under FreeBSD to see if I can reproduce the
>> problem.
>>
>> Cheers,
>> Y.
>>
>> _______________________________________________
>> sslh mailing list
>> sslh at rutschle.net
>> http://rutschle.net/cgi-bin/mailman/listinfo/sslh
>
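An added check for the procedure Yves describes (start fresh, make one connection of each kind, run ps -ef after each); this is example code written for this thread, not code from sslh or from any of the posters. It parses ps -ef output in the column layout Maurice quoted (UID PID PPID C STIME TTY TIME CMD), classifies the sslh processes into master, listener and per-connection workers, and counts entries whose command is just "(sslh)" as unreaped children. Treating the parenthesised form as a zombie is an assumption taken from the output above; on a live system `ps -o stat` showing a `Z` flag is the authoritative check. The sample input is constructed to mirror the thread's listing.

```python
"""Audit macOS `ps -ef` output for leftover sslh-fork children.

Added example for this thread; it is not code from sslh or from the list.
Assumptions: the `ps -ef` column layout is UID PID PPID C STIME TTY TIME CMD
(as in the output quoted in the thread), and an entry whose CMD is just
"(sslh)" is an exited child the listener has not yet reaped (a zombie).
"""
import re

# Constructed sample modelled on the thread's output: master (PPID 1),
# listener (child of master), one worker handling a connection, and two
# leftover "(sslh)" entries hanging off the listener.
SAMPLE_PS = """\
-2 88079 1 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88080 88079 0 10:36PM ?? 0:00.00 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88122 88080 0 10:41PM ?? 0:00.03 /opt/local/sbin/sslh -f -v -u nobody -p 192.168.20.75 443 --ssh localhost 22
-2 88146 88080 0 10:42PM ?? 0:00.00 (sslh)
-2 88152 88080 0 10:42PM ?? 0:00.00 (sslh)
"""

# The healthy idle state from the thread: master + listener, nothing else.
CLEAN_PS = "\n".join(SAMPLE_PS.splitlines()[:2]) + "\n"

# macOS ps prints the bare name in parentheses once the argv is no longer
# available, which is how the unreaped children show up in the listing.
ZOMBIE_CMD = re.compile(r"^\(\w+\)$")


def parse_ps(text):
    """Turn `ps -ef` lines into dicts; CMD may contain spaces, so split at most 7 times."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or not parts[1].isdigit():
            continue  # header line or something we cannot parse
        procs.append({"pid": int(parts[1]), "ppid": int(parts[2]), "cmd": parts[7]})
    return procs


def audit_sslh(text, name="sslh"):
    """Classify sslh processes and check the 'one per connection + 2' rule from the thread."""
    procs = [p for p in parse_ps(text) if name in p["cmd"]]
    zombies = [p for p in procs if ZOMBIE_CMD.match(p["cmd"])]
    zombie_pids = {p["pid"] for p in zombies}
    live = [p for p in procs if p["pid"] not in zombie_pids]
    live_pids = {p["pid"] for p in live}

    # Master: its parent is not an sslh process (launchd, PID 1, in the thread).
    masters = [p for p in live if p["ppid"] not in live_pids]
    master_pids = {p["pid"] for p in masters}
    # Listener: child of the master, the one that forks a worker per connection.
    listeners = [p for p in live if p["ppid"] in master_pids]
    listener_pids = {p["pid"] for p in listeners}
    # Workers: one per open connection; these should disappear when it closes.
    workers = [p for p in live if p["ppid"] in listener_pids]

    # Per-parent zombie tally shows which process is failing to reap its children.
    by_parent = {}
    for z in zombies:
        by_parent[z["ppid"]] = by_parent.get(z["ppid"], 0) + 1

    return {
        "live": len(live),
        "workers": len(workers),
        "zombies": len(zombies),
        "zombies_by_parent": by_parent,
        "ok": not zombies and len(live) == len(workers) + 2,
    }


if __name__ == "__main__":
    for label, text in (("idle", CLEAN_PS), ("after https", SAMPLE_PS)):
        print(label, audit_sslh(text))
```

Run it between each step of Yves's procedure (feed it `ps -ef` output, or the sample above); `ok` is true only when there are no parenthesised entries and the live count equals the number of workers plus the master and listener. The `zombies_by_parent` map is the useful part for the thread's question: in the sample all leftovers belong to the listener (PPID 88080), which matches the listing Maurice posted after the https connection.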