Forgot to forward to the list (again).
-------- Forwarded Message --------
Subject: Re: Problems with stunnel segfaulting on every connection
Date: Mon, 12 Aug 2024 08:25:17 -0400
From: Jason Mitchell <jmitc...@bigjar.com>
To: Brett Lymn <bl...@internode.on.net>
On 8/8/24 6:20 PM, Brett Lymn wrote:
> On Thu, Aug 08, 2024 at 01:17:08PM -0400, Jason Mitchell wrote:
>> Thanks for the info and for responding. For the Let's Encrypt
>> certificate the openssl command just prints the base64 pem file. For
>> the Sectigo certificate it prints all the info about it in human
>> readable form (included below)
>
> OK, so openssl is happy with the cert, that is good.
>
> If you don't mind me asking, do you know if your clients are
> using OCSP?

ncat --ssl host 993 doesn't cause the segfault, strangely enough.

> Also, is yours a wildcard certificate or a certificate for a single
> host? And is it self signed? Finally, what version of OpenSSL are
> you using?

I don't know about OCSP.

Certificate is for a single host, not self signed, it is issued by
Entrust.

OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)
Brett,
Thanks for the responses (did I already say that?). I've confirmed that
OCSP stapling causes the crash. For example:
openssl s_client -connect A.B.C.D:993
Doesn't cause stunnel to crash. But
openssl s_client -connect A.B.C.D:993 -status
does cause the crash. (The -status flag enables OCSP stapling). Also, I
tested with current (10.99.11) and 9.x. In both cases stunnel crashed.
I've added a whole mess of logging to stunnel's ocsp.c and have isolated
the problem to the DNS lookup that stunnel does when it goes to get the
OCSP status information for the certificate. I confirmed this by adding
an entry to /etc/hosts for the OCSP host listed in my certificate and
stunnel didn't crash. The place where stunnel crashes in ocsp.c is
"if(!hostport2addr(&addr, host, port, 0)) { " ... which calls stunnel's
resolver.c.
The above is for stunnel 5.73, hopefully it's not too different for 5.71
or 5.72.
I'll add more logging to resolver.c today or tomorrow. Any suggestions
are greatly appreciated.
Thanks,
Jason M.
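The diagnostic steps in the message above (ask for a stapled OCSP response with `openssl s_client -status`, then check whether the OCSP responder named in the certificate actually resolves) can be scripted. The following is an added example, not code from the thread or from the stunnel project, and it does not reproduce stunnel's resolver.c or claim anything about the root cause of the crash. It builds a constructed self-signed certificate whose Authority Information Access extension points at the placeholder responder `ocsp.example.invalid` (a reserved name that never resolves), extracts that responder host, and reports whether the system resolver can find it, which is the same data path an `/etc/hosts` entry affects. The `check_stapling` helper is the thread's reproduction step against a live listener and is only run when you call it.

```shell
#!/bin/sh
# Added example: OCSP responder reachability check for a PEM certificate.
# Assumptions: openssl (1.1.1 or later, for -addext), getent and mktemp are
# available; ocsp.example.invalid is a constructed placeholder hostname.

# Print the hostname of the OCSP responder named in the certificate's
# Authority Information Access extension (empty output if there is none).
ocsp_host_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null \
        | head -n 1 \
        | sed -E 's#^[A-Za-z]+://([^/:]+).*$#\1#'
}

# Return 0 if the name resolves through the system resolver (hosts file,
# DNS, ...), non-zero otherwise.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# 0: certificate names a responder and it resolves
# 1: certificate names no OCSP responder at all
# 2: certificate names a responder that cannot be resolved
ocsp_responder_status() {
    host=$(ocsp_host_from_cert "$1")
    [ -n "$host" ] || return 1
    host_resolves "$host" || return 2
    return 0
}

# Reproduction step from the thread: -status makes s_client request a
# stapled OCSP response; succeeds if the server answered the request.
check_stapling() {
    openssl s_client -connect "$1:$2" -status </dev/null 2>&1 \
        | grep -q 'OCSP Response Status'
}

# Constructed sample certificate carrying an OCSP responder URI in its AIA.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=stunnel-test.example' \
    -keyout "$workdir/key.pem" -out "$workdir/cert.pem" \
    -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/' \
    >/dev/null 2>&1
SAMPLE_CERT="$workdir/cert.pem"

# Report the result without aborting the script when the lookup fails.
ocsp_responder_status "$SAMPLE_CERT" && rc=0 || rc=$?
case $rc in
    0) echo "OCSP responder $(ocsp_host_from_cert "$SAMPLE_CERT") resolves" ;;
    1) echo "certificate names no OCSP responder" ;;
    2) echo "OCSP responder $(ocsp_host_from_cert "$SAMPLE_CERT") does not resolve" ;;
esac
```

Run it against a real server certificate (`openssl s_client -connect host:993 </dev/null | openssl x509 > server.pem`, then `ocsp_responder_status server.pem`) to see whether the stapling lookup would even get past name resolution before you reach for `check_stapling host 993`.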