Package: stunnel4 Version: 3:5.49-1 Severity: important Dear Maintainer,
My stunnel4 is set up as a SOCKS VPN with configuration that is similar to <https://www.stunnel.org/socksvpn.html> My default Debian release is "testing", but in order to try TLS 1.3 early, I installed openssl 1.1.1~~pre8-1 from experimental around early August 2018. stunnel4 ran with this version of openssl just fine, negotiating TLS 1.3 with stunnel4 client + openssl 1.1.1~~pre8-1 on another host. Debian migrated openssl 1.1.1-1 to testing on 2018-10-28. Since upgrading to this version, the stunnel4 server had been failing every few hours. (The client side worked just fine though.) Typically when traffic is heavy, e.g. opening many Chrome tabs from the client side, the stunnel4 server side would fail after 20 to 30 seconds. syslog on the server reveals (I start with connection 4943 where the error occurred; stunnel4 had been running without errors until then): Oct 29 14:55:00 goo stunnel: LOG5[4943]: Service [socksSSL] accepted connection from nnn.nnn.nnn.nnn:26462 Oct 29 14:55:00 goo stunnel: LOG6[4943]: Peer certificate required Oct 29 14:55:00 goo stunnel: LOG2[4943]: INTERNAL ERROR: Double free attempt: ptr=0x7f05a801f2b0 alloc=../ssl/statem/extensions.c:949 free#1=../ssl/statem/extensions.c:948 free#2=../ssl/statem/extensions.c:948 Oct 29 14:55:00 goo stunnel: LOG6[4943]: Session id: XXXX Oct 29 14:55:00 goo stunnel: LOG6[4943]: TLS accepted: previous session reused Oct 29 14:55:00 goo stunnel: LOG6[4943]: TLSv1.3 ciphersuite: TLS_CHACHA20_POLY1305_SHA256 (256-bit encryption) Oct 29 14:55:00 goo stunnel: LOG6[4943]: Session id: XXXX Oct 29 14:55:01 goo stunnel: LOG6[4943]: SOCKS5 resolved "secure.adnxs.com" to 8 host(s) Oct 29 14:55:01 goo stunnel: LOG6[4943]: persistence: 216.58.200.4:443 not available Oct 29 14:55:01 goo stunnel: LOG6[4943]: failover: priority, starting at entry #0 Oct 29 14:55:01 goo stunnel: LOG6[4943]: s_connect: connecting 104.254.150.58:443 Oct 29 14:55:01 goo stunnel: LOG5[4943]: s_connect: connected 104.254.150.58:443 Oct 29 14:55:01 goo stunnel: LOG6[4943]: persistence: 104.254.150.58:443 cached Oct 29 14:55:01 goo stunnel: LOG5[4943]: Service [socksSSL] connected remote server from 10.240.0.4:58886 Oct 29 14:55:03 goo stunnel: LOG6[4943]: TLS closed (SSL_read) Oct 29 14:55:03 goo stunnel: LOG6[4943]: Read socket closed (readsocket) Oct 29 14:55:03 goo stunnel: LOG6[4943]: SSL_shutdown successfully sent close_notify alert Oct 29 14:55:03 goo stunnel: LOG5[4943]: Connection closed: 5651 byte(s) sent to TLS, 3003 byte(s) sent to socket (Then stunnel keeps serving 100+ connections until the kernel encounters the following.) Oct 29 14:55:18 goo kernel: [20955.029249] traps: stunnel4[7555] general protection ip:7f05c1bf6a65 sp:7f05c04d6818 error:0 in libcrypto.so.1.1[7f05c1a8a000+19f000] (At which point stunnel4 terminates.) Debian migrated openssl to 1.1.1-2 to testing on 2018-10-31. The problem persists upon upgrade to openssl 1.1.1-2. However, the problem goes away upon downgrading back to openssl 1.1.1~~pre8-1. On the face of it this looks similar to Bug #850292 <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850292> which was resolved by stunnel4 3:5.39-2. Not sure if this helps. Let me know if other logs may help. Thanks for investigating. Regards, Frank Chung -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.18.0-2-cloud-amd64 (SMP w/1 CPU core) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages stunnel4 depends on: ii adduser 3.118 ii libc6 2.27-6 ii libssl1.1 1.1.1-2 ii libsystemd0 239-11 ii libwrap0 7.6.q-27 ii lsb-base 9.20170808 ii netbase 5.4 ii openssl 1.1.1-2 ii perl 5.26.2-7+b1 stunnel4 recommends no packages. Versions of packages stunnel4 suggests: pn logcheck-database <none> -- debconf-show failed