Forgot to cc the list:

-------- Forwarded Message --------
Subject:        Re: Problems with stunnel segfaulting on every connection
Date:   Thu, 8 Aug 2024 13:17:08 -0400
From:   Jason Mitchell <jmitc...@bigjar.com>
To:     Brett Lymn <bl...@internode.on.net>
On 8/7/24 6:13 PM, Brett Lymn wrote:
On Tue, Aug 06, 2024 at 10:01:06AM -0400, Jason Mitchell wrote:
Unfortunately, what doesn’t work for me is:

NetBSD-10.0/stunnel 5.71 (or 5.72)

It looks like stunnel is trying to verify its certificate and something in the response causes it to crash. Here’s a snippet of the output right before the segfault:
2024.08.04 13:47:35 LOG7[0]: SNI: no virtual services defined
2024.08.04 13:47:35 LOG7[0]: OCSP stapling: Server callback called
2024.08.04 13:47:35 LOG6[0]: OCSP: The root CA certificate was not found
2024.08.04 13:47:35 LOG5[0]: OCSP: Connecting the AIA responder "http://e5.o.lencr.org"
Segmentation fault (core dumped)

No suggestions but I can confirm that stunnel 5.71 on an oldish post 10
-current works for me using certificates. Maybe the cert is broken in
some way? What does:

openssl x509 -in cert_file_here -text

say?

Brett,

Thanks for the info and for responding. For the Let's Encrypt certificate, the openssl command just prints the base64 PEM file. For the Sectigo certificate it prints all the info about it in human-readable form (included below).

If you don't mind me asking, do you know if your clients are using OCSP? ncat --ssl host 993 doesn't cause the segfault, strangely enough. Also, is yours a wildcard certificate or a certificate for a single host? And is it self-signed? Finally, what version of OpenSSL are you using?

Sorry for all the questions. Thanks again!

Jason M.


Output from openssl x509 -in cert.pem -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f8:6e:a2:1a:3a:da:8c:66:f5:bd:0e:1f:23:31:0b:6f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Apr  6 00:00:00 2021 GMT
            Not After : May  7 23:59:59 2022 GMT
        Subject: CN = *.bigjar.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                8D:8C:5E:C4:54:AD:8A:E1:77:E9:9B:F9:9B:05:E1:B8:01:8D:61:E1
            X509v3 Subject Key Identifier:
                7C:4B:E2:49:C1:DD:CF:2D:FC:0B:EE:E8:F5:C4:F9:46:C1:11:88:51
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.sectigo.com
            X509v3 Subject Alternative Name:
                DNS:*.bigjar.com, DNS:bigjar.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                    Timestamp : Apr  6 19:45:19.595 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:B1:22:98:F0:FF:3A:1C:F0:64:AD:EB:
                                F0:78:35:7C:63:FF:72:A9:26:6E:15:29:F6:5D:11:DE:
                                6C:AD:08:E4:B6:02:20:73:83:5D:B9:07:5D:E6:2D:34:
                                BD:05:74:46:AD:CF:A1:67:2B:72:13:36:75:1B:8F:A5:
                                C2:95:DB:A5:4B:B6:19
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DF:A5:5E:AB:68:82:4F:1F:6C:AD:EE:B8:5F:4E:3E:5A:
                                EA:CD:A2:12:A4:6A:5E:8E:3B:12:C0:20:44:5C:2A:73
                    Timestamp : Apr  6 19:45:19.604 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:DD:26:5B:9A:47:37:86:A0:2B:0A:64:
                                7B:71:F9:12:DF:78:D5:F4:88:60:8F:68:9C:3C:3F:16:
                                A4:DA:5D:1D:32:02:21:00:B5:64:26:4F:D5:C8:86:48:
                                D3:C4:B3:33:1D:8B:97:C1:63:F4:6D:25:B5:A0:7A:EC:
                                32:2C:3B:33:6C:D5:85:3B
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
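A check worth running on the certificate file that stunnel is given, since the log reports "OCSP: The root CA certificate was not found" just before the crash. This is an added example, not code from the thread or from stunnel: it walks a PEM bundle with a minimal standard-library DER parser, confirms that each certificate's issuer is the next certificate's subject, and reports whether the bundle ends at a self-signed root. The sample bundle, its names and the `_fake_cert` skeleton builder are constructed for the demo; names are compared as raw DER bytes, which is stricter than RFC 5280 name matching.

```python
import base64, re

def der_tlv(buf, pos=0):                 # one DER TLV (single-byte tag) -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):                 # child (tag, value) pairs of a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_names(der):                     # (issuer, subject) Name encodings of one DER cert
    _, cert, _ = der_tlv(der)                      # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]              # serial, sigAlg, issuer, validity, subject

def pem_certs(bundle):                   # DER bodies of every CERTIFICATE block, in file order
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode(re.sub(r"\s", "", b)) for b in re.findall(pat, bundle, re.S)]

def check_chain(bundle):
    """(ordered, has_root): every issuer is the next cert's subject, and the
    bundle ends with a self-signed (issuer == subject) root."""
    names = [cert_names(d) for d in pem_certs(bundle)]
    ordered = all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))
    has_root = bool(names) and names[-1][0] == names[-1][1]
    return ordered, has_root

# Constructed sample data: unsigned skeleton certs with valid structure, never usable for TLS.
def _tlv(tag, val):                      # short-form DER only (value < 128 bytes; sample names keep it so)
    return bytes([tag, len(val)]) + val
def _name(cn):                           # Name ::= SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))
def _fake_cert(subject, issuer):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + _name(issuer) + _tlv(0x30, b"") + _name(subject))
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"
LEAF, INTER, ROOT = "*.example.test", "Example Intermediate CA", "Example Root CA"
BUNDLE_NO_ROOT = _fake_cert(LEAF, INTER) + _fake_cert(INTER, ROOT)  # check_chain -> (True, False)
BUNDLE_FULL = BUNDLE_NO_ROOT + _fake_cert(ROOT, ROOT)               # check_chain -> (True, True)
```

Run it against the real file with `check_chain(open("cert.pem").read())`; a result of `(True, False)` means the chain is ordered but no root certificate is included in the file.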