We have just hit the same problem with 5.45. 5.41 does not appear to exhibit the same issue.The problem appears to be linked to the client/session.Using sni if we hit the url with one client the page loads fine, if we hit stunnel with a second connection from another client on a different IP their page reloads fine. But if we reload either of those pages stunnel segfaults with the following message -Jun 22 11:42:31 lbmaster kernel: stunnel[6510]: segfault at 178 ip 00007fc64fcb5fe0 sp 00007fc6500f5948 error 4 in libssl.so.1.0.0[7fc64fc75000+65000]The above was generated with stunnel 5.45 and openssl 1.0.2j-fips. I also tested it with stunnel built against 1.1.0h and had the same issue.Below is the config -pid = /var/run/stunnel/stunnel.pid
debug = local1.0
socket = a:IP_FREEBIND=yes
fips = no
sslVersion = all
[VIP_Name-1]
cert = /etc/loadbalancer.org/certs/sslcert1/sslcert1.pem
ciphers = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
accept = 192.168.0.112:443
connect = 192.168.0.112:80
delay = yes
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
options = DONT_INSERT_EMPTY_FRAGMENTS
renegotiation = no
local = 192.168.0.112
TIMEOUTclose = 0
[fizzygood]
sni = VIP_Name-1:lb1.testdomain.co.uk
cert = /etc/loadbalancer.org/certs/sslcert1/sslcert1.pem
ciphers = ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA256:!RC4:!MD5:!aNULL:!EDH:!3DES
connect = 192.168.0.112:80
delay = yes
options = NO_SSLv3
options = NO_TLSv1
options = DONT_INSERT_EMPTY_FRAGMENTS
renegotiation = no
local = 192.168.0.112On Thu, 21 Jun 2018 at 20:08, Per Salmi <per.salmi@gmail.com> wrote:I have exactly the same problem with stunnel 5.45 and 5.46 crashing on second request!Running on Windows 10 Pro x64 1803.I also use https to separate traffic to two different sites on the same server as the stunnel service./Per_______________________________________________Den tor 21 juni 2018 19:04Javier <jamilist.stn@gmx.es> skrev:Hi,
isn't annoying when you are using an old version, 5.44, and all goes
fine, you notice you are outdated and then comes the problems after
update? :-P
The thing is that yesterday I needed the HTTPS server so I run
Stunnel 5.44 for my non-SSL app and all was fine. I updated to 5.46
just because I forgot the last time and didn't even run again because
I didn't need it.
Today I used it and... I had a crash. I tested 5.45 to trace versions
back, and it crashes as well. Back to 5.44 and no crash.
The crash happens when there is a reload/reconnect/multiconnect
(example, 2 connections html+images) by the browser when connects to
an HTTPS server.
It only happens when using a SNI service.
I've been able to trace back the log on those versions and when fails
in 5.45 and 5.46 is at the time when it needs to switch to the SNI
service.
(log from 5.44)
SNI: requested servername: xxx
SNI: matched pattern: xxx
SNI: switched to service [xxx] <<<<----- BEFORE SWITCH, IT CRASHES on 5.45 and 5.46
Imagine you load https://xxx/.
The first time is fine, the second, crashes stunnel. Not happening
with 5.44.
I haven't seen any change to SNI in manual so... :-?
These are the configs for the used virtual servers. Nothing has been
changed, anyway:
[SSL]
client = no
accept = y.y.y.1:4747
connect = y.y.y.2:443
[SSL-xxx-SNI]
client = no
sni = SSL:xxx
connect = y.y.y.2:443
cert = pem
key = pem
Don't mind the port numbers. They aren't in conflict.
Running on Windows 2000.
Regards.
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
--