Public bug reported:

Binary package hint: stunnel4

Usually the stunnel4 main process (the process with the lowest IP) consumes 100% of CPU; TCP connections are accepted, but the SSL handshake is not started. The test scenario below will make 10000 tests, but usually the test can be suspended after 500-1000 tests; stunnel is broken by then.

stunnel4 on hardy x86:

Description: Ubuntu 8.04.2
Release: 8.04

# apt-cache policy stunnel4
stunnel4:
  Installed: 3:4.21-1
  Candidate: 3:4.21-1
  Version table:
 *** 3:4.21-1 0
        500 http://security.ubuntu.com hardy/universe Packages
        100 /var/lib/dpkg/status

# stunnel4 -version
stunnel 4.21 on i486-pc-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug = 5
pid = /var/run/stunnel4.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key = /etc/stunnel/stunnel.pem
session = 300 seconds
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none

Test Scenario:

* Generate keys:

openssl req -new -newkey rsa:1024 -nodes -keyout server.key -days 3653 -x509 -out server.cert -subj "/CN=server"
openssl req -new -newkey rsa:1024 -nodes -keyout client.key -days 3653 -x509 -out client.cert -subj "/CN=client"

* Create config (tunnel.cfg):

service = test tunnel
foreground = yes
# Debug warnings only
debug = 4
pid = /home/[username]/tmp/tunnel/tunnel.pid
cert = server.cert
key = server.key
verify = 3

[testany]
accept = 1234
exec = /home/[username]/tmp/tunnel/testcmd.sh
execargs = testcmd.sh
CAfile = client.cert

* Create testcmd.sh script:

#!/bin/bash
cat >> /tmp/dump

* Start the tunnel in one shell:

stunnel4 tunnel.cfg

* Start the test script in the other:

#!/bin/bash
procCount=0
while [ "${procCount}" != "10000" ] ; do
    # open a client connection in the background; its stdin is closed at once
    openssl s_client -key client.key -cert client.cert -connect localhost:1234 < /dev/null > /dev/null 2>&1 &
    let procCount=procCount+1
    # print progress roughly every 100 connections
    if [ "${procCount#*00}" = "" ] ; then
        echo "Test: ${procCount}"
    fi
done
pkill -KILL -f "openssl s_client"

* When dead:

openssl s_client -key client.key -cert client.cert -connect localhost:1234
CONNECTED(00000003)

But no handshake.

** Affects: stunnel4 (Ubuntu)
     Importance: Undecided
         Status: New

--
Simple stunnel DOS when opening and closing connections
https://bugs.launchpad.net/bugs/327222
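The symptom the report ends on, CONNECTED followed by silence, is exactly what an operator needs a monitor to recognise, since a plain TCP port check would still report the wedged stunnel4 as healthy. The probe below is an added example and not the reporter's script or stunnel's own code: it attempts a real TLS handshake with a deadline and classifies the outcome, separating "TCP accepted, no ServerHello" from a dead listener and from a live server that merely rejects the negotiation. The silent acceptor is a constructed stand-in for the hung daemon, and the state names, the HANDSHAKE_TIMEOUT value and the three-strikes restart policy are assumptions chosen for the example.

```python
import socket
import ssl
import threading

# Seconds to wait for the ServerHello. The report's stunnel uses
# TIMEOUTconnect = 10 s; a probe should give up well before any supervisor does.
HANDSHAKE_TIMEOUT = 5.0


def probe_tls(host, port, timeout=HANDSHAKE_TIMEOUT):
    """Classify what a TLS endpoint does with a fresh connection.

    Returns one of:
      'refused'      - no TCP listener, or the connect itself timed out
      'no_handshake' - TCP accepted but no TLS reply before the deadline;
                       the wedged state in the report (openssl prints
                       CONNECTED and then nothing)
      'alert'        - the server answered at TLS level but negotiation
                       failed (version/cipher mismatch); the process is alive
      'ok'           - handshake completed
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # liveness probe, not a trust decision
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    try:
        # wrap_socket performs the handshake; the socket keeps its timeout
        with ctx.wrap_socket(raw, server_hostname=host):
            return "ok"
    except socket.timeout:          # must precede SSLError (both are OSError)
        return "no_handshake"
    except ssl.SSLError:
        return "alert"


def start_silent_acceptor():
    """Constructed stand-in for the wedged stunnel4: accepts TCP connections
    and never sends a byte. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.5)  # lets the loop notice when the listener is closed
    held = []            # keep accepted sockets open so the client sees no FIN

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed by the caller
                return
            held.append(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def unbound_port():
    """Pick a loopback port with no listener (constructed for the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def should_restart(history, threshold=3):
    """Supervisor policy (assumed): act only after `threshold` consecutive
    silent probes, so one slow handshake under load does not cause a restart."""
    recent = history[-threshold:]
    return len(recent) == threshold and all(r == "no_handshake" for r in recent)


if __name__ == "__main__":
    srv, port = start_silent_acceptor()
    results = [probe_tls("127.0.0.1", port, timeout=1.0) for _ in range(3)]
    srv.close()
    print(results, "->", "restart" if should_restart(results) else "wait")
    print("no listener ->", probe_tls("127.0.0.1", unbound_port(), timeout=1.0))
```

In production the probe would point at the stunnel accept port (1234 in the report) and run from cron or a supervisor; only the no_handshake verdict indicates this bug, whereas alert means the daemon is answering and the monitor's TLS settings, not stunnel, need attention.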