Expand Up @@ -18,4 +18,10 @@
firewall (allowed by default).
</help>
</field>
<field>
<id>stunnel.general.enable_oscp</id>
<label>enable OSCPaia</label>
<type>checkbox</type>
<help>Validate peer certificates using OCSP responders from their AIA extension. Enable if you need strict certificate revocation checking.</help>
</field>
</form>
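Review bot: the label `enable OSCPaia` and the field id `stunnel.general.enable_oscp` transpose OCSP, while the help text on the same field correctly says OCSP; the label should read `Enable OCSP AIA` and the id `enable_ocsp`, and since the id is also the config key and the template lookup it needs to be fixed before this ships rather than after. The help text would also benefit from saying that AIA OCSP checking only has an effect for services that actually verify the peer certificate (as I read the stunnel manual, no verification means no responder is queried), otherwise users will enable it and see no revocation checking happen.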
@@ -1,6 +1,6 @@
<model>
<mount>//OPNsense/Stunnel</mount>
<version>1.0.4</version>
<version>1.0.5</version>
<description>
Stunnel TLS encryption proxy
</description>
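Review bot: the bump from 1.0.4 to 1.0.5 is warranted by the added field, and because the new field defaults to 0 an upgraded configuration keeps OCSP checking off, so no migration is needed for this change; just settle the field id (`enable_oscp` is misspelled) before the version is released, since renaming a stored key afterwards does require a migration.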
Expand All @@ -18,6 +18,10 @@
<Default>0</Default>
<Required>Y</Required>
</enable_ident_server>
<enable_oscp type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</enable_oscp>
</general>
<services>
<service type="ArrayField">
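Review bot: `enable_oscp` should be `enable_ocsp`; this element name becomes the stored configuration key and is referenced verbatim from the form (`stunnel.general.enable_oscp`) and from the template (`OPNsense.Stunnel.general.enable_oscp`), so all three places must be renamed together. The field shape itself (`BooleanField`, `Default` 0, `Required` Y) mirrors the neighbouring `enable_ident_server` definition, which is the right pattern for an opt-in security setting.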
Expand Down Expand Up @@ -47,11 +51,18 @@
</connect_port>
<protocol type="OptionField">
<OptionValues>
<cifs>CIFS</cifs>
<capwin>CAPWIN</capwin>
<capwinctrl>CAPWINCTRL</capwinctrl>
<connect>CONNECT</connect>
<imap>IMAP</imap>
<ldap>LDAP</ldap>
<nntp>NNTP</nntp>
<pgsql>PGSQL</pgsql>
<pop3>POP3</pop3>
<proxy>PROXY</proxy>
<smtp>SMTP</smtp>
<socks>SOCKS</socks>
</OptionValues>
<Required>N</Required>
</protocol>
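Review bot: the expanded `OptionValues` list lets any protocol be selected for any service, but per stunnel's manual several of these are side-specific (`connect` is a client-mode protocol, `proxy` and `socks` are server-mode), so a wrong pairing is only discovered at runtime in the stunnel log rather than at validation; consider a validation message, or at least form help text, stating which protocol names apply to client services and which to server services. Keeping the list alphabetical is good.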
Expand Up @@ -36,7 +36,7 @@ message:stunnel service restart
description:Restart Stunnel

[status]
command:/usr/local/etc/rc.d/stunnel status; /usr/local/etc/rc.d/identd_stunnel onestatus; exit 0
command:/usr/local/etc/rc.d/stunnel status; exit 0
Member

If there's an issue with the status call, this probably isn't the place to fix it (as it will ignore the identd process in full now).

Author

As I understand it, the check takes place in the base class
/usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableServiceControllerBase.php:

if (strpos($response, 'not running') > 0) {
    if ($this->serviceEnabled()) {
        $status = 'stopped';
    } else {
        $status = 'disabled';
    }
} elseif (strpos($response, 'is running') > 0) {
    $status = 'running';
} elseif (!$this->serviceEnabled()) {
    $status = 'disabled';
} else {
    $status = 'unknown';
}

By default, the ident is disabled, which is why the status command returns:

stunnel is running as pid 78451.
identd_stunnel is not running.

The code first searches for the string 'not running' and sets the status to 'stopped'.
Ideally, the stunnel and ident status should be displayed separately, but I suspect you'll have to change the OPNsense base class to do this. Correct me if I'm wrong.

Member

The question is not which line to change but which output we expect. A single service status should return a single line IMO even though that's not always the case. We can mask one status line or filter for the backend to see the right thing.

parameters:
type:script_output
message:stunnel status
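Review bot: removing `/usr/local/etc/rc.d/identd_stunnel onestatus` from the status command cures the symptom (the base class matches `not running` anywhere in the combined output and reports the whole service as stopped) but also hides an identd that is enabled and has died, which is a monitoring regression. A narrower fix keeps the second call only when `enable_ident_server` is set, or filters its output so that a disabled identd does not trip the match while a failed one still does. Note also that `; exit 0` means the exit status carries no information and the string match is the only signal the backend gets; a comment in the actions file saying so would save the next reader the same investigation.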
Expand Up @@ -6,7 +6,11 @@ chroot = /var/run/stunnel
pid = {% if helpers.empty('OPNsense.Stunnel.general.chroot') %}/var/run/stunnel{% endif %}/stunnel.pid
debug = info
logId = unique

{% if helpers.empty('OPNsense.Stunnel.general.enable_oscp') %}
OCSPaia = no
{% else %}
OCSPaia = yes
{% endif %}

{% if helpers.exists('OPNsense.Stunnel.services.service') %}
{% for service in helpers.toList('OPNsense.Stunnel.services.service') %}
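Review bot: `OCSPaia` is emitted in the global section, so it becomes the default for every service rendered below, server-mode ones included; that is probably intended, but as I read the stunnel manual OCSP responders are only consulted for certificates stunnel verifies, so the setting is a no-op for any service without `verifyChain` or `verifyPeer`, and the form help should say so. Writing `OCSPaia = no` explicitly in the disabled branch matches stunnel's default, so existing installs render the same behaviour as before, which is the right conservative choice.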