Eugene,
I was about to report that too. I think that the earliest version that should 
be supported is 0.9.8. It will be supported by the OpenSSL team until year end. 
I found the problem is due to two functions used in verify.c that appear only 
in openssl 1.0.0 (OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req). I 
compiled successfully against 0.9.8zg with the following patch:

--- stunnel-5.22/src/verify.c   Thu Jul 30 05:08:46 2015
+++ stunnel-5.22.new/src/verify.c       Wed Aug 05 16:32:41 2015
@@ -722,12 +722,16 @@
         sslerror("OCSP: OCSP_sendreq_new");
         goto cleanup;
     }
+
+   #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
     if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) {
         sslerror("OCSP: OCSP_REQ_CTX_add1_header");
         goto cleanup;
     }
     if(!OCSP_REQ_CTX_set1_req(req_ctx, req))
         goto cleanup;
+   #endif
+
     while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {
         s_poll_init(c->fds);
         s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));
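
Review bot: With the `#if OPENSSL_VERSION_NUMBER >= 0x1000000fL` guard, a build against OpenSSL older than 1.0.0 skips both `OCSP_REQ_CTX_add1_header` and `OCSP_REQ_CTX_set1_req`, so nothing in this hunk attaches `req` or the Host header to `req_ctx` before the `OCSP_sendreq_nbio` loop runs. The `OCSP_sendreq_new` call sits above the hunk and is not visible here; unless it already passes `req`, the pre-1.0.0 build compiles but has no request to send. Add an `#else` branch that supplies the request through the older API, or fail explicitly when OCSP is configured on such a build, so that the guard does not silently change OCSP behaviour. As a style point, the `#if`/`#endif` lines are indented inside the function body; placing them at column 0 would match the directive style shown from common.h.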

 


On Wednesday, August 5, 2015 4:14 PM, Eugene Rudoy <[email protected]> wrote:

 Hi all,

on the one hand the "welcome to the stunnel-users mailing list"-mail
explicitly states "Never report problems with an old version of
stunnel and OpenSSL. Upgrade to the latest versions first". On the
other hand common.h contains

#if OPENSSL_VERSION_NUMBER<0x0090700fL
#error OpenSSL 0.9.7 or later is required
#endif /* OpenSSL older than 0.9.7 */

So it looks like OpenSSL versions >= 0.9.7 are still supported, that's
the reason I'm reporting the following bug and ignoring the
welcome-mail.


Since version 5.22 stunnel doesn't compile when OpenSSL 0.9.8 is used
(the only OpenSSL version < 1.0.0 I've tested with, 0.9.7 is probably
also affected):

/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc
-DHAVE_CONFIG_H -I.
-I/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/include
-DLIBDIR='"/usr/lib/stunnel"' -DCONFDIR='"/etc/stunnel"'  -march=24kc
-mtune=24kc -msoft-float -Os -pipe -Wa,--trap -D_LARGEFILE_SOURCE
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pthread -Wall -Wextra
-Wpedantic -Wformat=2 -Wconversion -Wno-long-long
-Wno-deprecated-declarations -D_FORTIFY_SOURCE=2 -ffunction-sections
-fdata-sections -MT stunnel-verify.o -MD -MP -MF
.deps/stunnel-verify.Tpo -c -o stunnel-verify.o `test -f 'verify.c' ||
echo './'`verify.c
verify.c: In function 'ocsp_get_response':
verify.c:725:5: warning: implicit declaration of function
'OCSP_REQ_CTX_add1_header' [-Wimplicit-function-declaration]
    if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) {
    ^
verify.c:729:5: warning: implicit declaration of function
'OCSP_REQ_CTX_set1_req' [-Wimplicit-function-declaration]
    if(!OCSP_REQ_CTX_set1_req(req_ctx, req))
    ^
...
libtool: link: 
/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc
-march=24kc -mtune=24kc -msoft-float -Os -pipe -Wa,--trap
-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-pthread -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion
-Wno-long-long -Wno-deprecated-declarations -D_FORTIFY_SOURCE=2
-ffunction-sections -fdata-sections -Wl,-z -Wl,relro -Wl,-z -Wl,now
-Wl,-z -Wl,noexecstack -Wl,--gc-sections -o stunnel stunnel-tls.o
stunnel-str.o stunnel-file.o stunnel-client.o stunnel-log.o
stunnel-options.o stunnel-protocol.o stunnel-network.o
stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o stunnel-verify.o
stunnel-sthreads.o stunnel-fd.o stunnel-dhparam.o stunnel-cron.o
stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o stunnel-ui_unix.o
-L/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/lib
-lssl -lcrypto -lz -ldl -lutil -pthread
libtool: link: ( cd ".libs" && rm -f "libstunnel.la" && ln -s
"../libstunnel.la" "libstunnel.la" )
stunnel-verify.o: In function `ocsp_request':
verify.c:(.text.ocsp_request+0x200): undefined reference to
`OCSP_REQ_CTX_add1_header'
verify.c:(.text.ocsp_request+0x21c): undefined reference to
`OCSP_REQ_CTX_set1_req'
collect2: error: ld returned 1 exit status

Both OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req are available
since OpenSSL 1.0.0. I've fixed the _compile_ issue for me by
partially reverting the changes from 5.22 (s. attached patch). I'm
however not sure if by doing so I'm introducing anew one of the bugs
mentioned in the 5.22-changelog as "Fixed a number of OCSP bugs".

@Michał: could you please take a look into the issue and fix it in a
proper way in case my fix is wrong? Thanks a lot!

Best regards,
Gene
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users


  