On 25.10.18 at 12:00, [email protected] wrote:
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 24 Oct 2018 17:29:18 +0200
> From: Johann Hörmann <[email protected]>
> To: [email protected]
> Subject: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL
>     1.0.1t on debian jessie
>
> Hi,
>
> that's the log on a debian jessie, starting stunnel:
>
> 2018.10.24 ..: stunnel 5.06 on x86_64-pc-linux-gnu platform
> 2018.10.24 ..: Compiled with OpenSSL 1.0.1k 8 Jan 2015
> 2018.10.24 ..: Running with OpenSSL 1.0.1t 3 May 2016
> 2018.10.24 ..: Update OpenSSL shared libraries or rebuild stunnel
>
> All debian packages are upgraded:
> $ sudo apt-get update
> ...
> $ sudo apt-get upgrade
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> $
>
> $ dpkg -l|egrep 'openssl|stunnel'
> ...
> ii openssl 1.0.1t-1+deb8u9
> ...
> ii stunnel4 3:5.06-2+deb8u1
> $
>
> Guess the log tells the current stunnel-package is not linked against
> openssl 1.0.1t lib yet.
>
> No pinning is active:
> $ ls -l /etc/apt/preferences
> -rw-r--r-- 1 root root 0 Jun 4 2010 /etc/apt/preferences
> $
>
> Is that - stunnel not being linked against the current openssl-lib - a
> serious problem?
> Will there soon be a stunnel-package being linked against openssl 1.0.1t?
>
>
> Thanks in Advance
> --
> Hans
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 24 Oct 2018 15:02:08 -0700
> From: "Eric Eberhard" <[email protected]>
> To: 'Johann Hörmann' <[email protected]>,
>     <[email protected]>
> Subject: Re: [stunnel-users] stunnel 5.06 not yet linked against
>     OpenSSL 1.0.1t on debian jessie
>
> Static linking is much easier, especially when put in a non-standard place,
> such as /usr/local/customer-name/lib -- this means if somebody does an update
> of say openssl alone you won't have this problem. You can also do it
> non-static as long as it is in a non-standard place and be pretty safe.
>
> My versions have stunnel 5.44 and openssl 1.0.2 -- works fine. It is static
> and keeps on ticking.
>
> Eric
>
>
> ------------------------------
>
> Message: 3
> Date: Thu, 25 Oct 2018 10:58:48 +0200
> From: Jakob Hirsch <[email protected]>
> To: [email protected]
> Subject: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL
>     1.0.1t on debian jessie
>
> Hi,
>
> On 2018-10-24 17:29, Johann Hörmann wrote:
>> Is that - stunnel not being linked against the current openssl-lib - a
>> serious problem?
>
> It is usually not necessary to rebuild all packages using a specific lib
> just because it got updated.
>
>> Will there soon be a stunnel-package being linked against openssl 1.0.1t?
>
> The debian people are doing that, so that would be something to ask
> them, specifically the package maintainers (see
> https://packages.debian.org/jessie/stunnel4). But since jessie support
> ended last June and LTS won't rebuild, I would not hold my breath.
>
> Why do you care about this in the first place? You are using a stunnel
> version that is 4 years old and got last patched more than 3 years ago.
> If it's of any importance to you, you should really upgrade to stretch
> (optionally with bpo) or at least use jessie-backports.
>
>
> Regards
> Jakob
>
>
> ------------------------------
>
> End of stunnel-users Digest, Vol 171, Issue 16
> **********************************************
>

Thanks a lot for your valuable advice, Eric and Jakob!
Being just a dumb user, I supposed the distribution should stay 'in harmony':
OK, now I know for oldstable this can be solved by backports or compiling
stunnel with a static openssl-lib.

Upgrading to stretch is not yet a choice because I am using stunnel with
'verify=3' which results in checking the self-signed client-certs at the
server:
Can't tell why but my cacert file was generated with a CAFile value of
FALSE, which worked until jessie but at stretch the request results in a
reject by the openssl-lib because of the FALSE-value.
So first I have to renew and deploy all my customers' certs - about 80 -
with a stretch-conform cacert performing with CAFile=true.

Hans
--
https://hoermann-solutions.com
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
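
For the startup-log question quoted at the top of this thread, an added example (not part of any message here and not stunnel's own code) that reads the "Compiled with" / "Running with" lines and sorts the mismatch into triage buckets. The bucket names are hypothetical; "letter-update" relies on the pre-3.0 OpenSSL numbering, where a changed trailing letter (1.0.1k to 1.0.1t) is a fix release within the same series.

```python
import re

# Constructed sample: the four startup lines quoted in the thread.
SAMPLE_LOG = """\
2018.10.24 ..: stunnel 5.06 on x86_64-pc-linux-gnu platform
2018.10.24 ..: Compiled with OpenSSL 1.0.1k 8 Jan 2015
2018.10.24 ..: Running with OpenSSL 1.0.1t 3 May 2016
2018.10.24 ..: Update OpenSSL shared libraries or rebuild stunnel
"""

_VERSION = re.compile(
    r"(Compiled|Running) with OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_versions(log_text):
    """Return {'Compiled': key, 'Running': key} as sortable tuples."""
    found = {}
    for role, major, minor, fix, letters in _VERSION.findall(log_text):
        # (len(letters), letters) orders "" < "a" < ... < "z" < "za"
        found[role] = (int(major), int(minor), int(fix),
                       len(letters), letters)
    return found


def classify(log_text):
    """Hypothetical triage label for the build/runtime library relation."""
    versions = parse_versions(log_text)
    if "Compiled" not in versions or "Running" not in versions:
        return "unknown"
    built, live = versions["Compiled"], versions["Running"]
    if built == live:
        return "identical"
    if live < built:
        # Shared library is older than the headers stunnel was built with.
        return "runtime-older-than-build"
    if built[:3] == live[:3]:
        # Same x.y.z series, newer letter: library received fix releases.
        return "letter-update"
    return "series-change"


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```
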
