Hi,
I have an issue with stunnel since OpenSSL was updated to 1.1.1g.
Stunnel has been built from scratch after the update and gives these errors:
[ ] Clients allowed=500
[.] stunnel 5.57 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.1.1g 21 Apr 2020
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [dns_local]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] No certificate or private key specified
[!] error queue: crypto/x509/by_file.c:205: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
[!] error queue: crypto/pem/pem_info.c:196: error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib
[!] error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:1118: error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header
[!] SSL_CTX_load_verify_locations: crypto/asn1/asn1_lib.c:91: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
[!] Service [dns_local]: Failed to initialize TLS context
[ ] Deallocating section defaults
[ ] Deallocating section [dns_local]
[ ] Deallocating section defaults
Config:
chroot = /var/lib/stunnel
pid = /var/run/stunnel.pid
debug = debug

[dns_local]
sslVersion = TLSv1.3
client = yes
accept = localhost:1053
connect = 185.95.218.42:853
checkHost = dns.digitale-gesellschaft.ch
verifyPeer = yes
CAfile = /etc/stunnel/cf.crt

[dns_local_fallback]
sslVersion = TLSv1.3
client = yes
accept = localhost:1054
connect = 185.95.218.43:853
checkHost = dns.digitale-gesellschaft.ch
verifyPeer = yes
CAfile = /etc/stunnel/cf43.crt
An OpenSSL check of the cert files seems OK:
openssl x509 -text -noout -in /etc/stunnel/cf.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:16:19:87:62:ac:be:ec:92:7b:6e:75:b8:a3:2e:ba:ea:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: May 17 21:00:22 2020 GMT
            Not After : Aug 15 21:00:22 2020 GMT
        Subject: CN = dns.digitale-gesellschaft.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:01:03:42:24:5b:07:7e:46:06:fc:e0:21:56:
                    93:c4:6a:3c:88:c8:df:be:91:d6:d8:7a:b7:fc:3f:
                    8c:f1:b9:74:ec:c1:3b:2b:02:fe:27:93:1e:d6:d3:
                    a1:95:31:ed:c7:06:26:28:74:60:7e:70:53:39:4b:
                    e5:43:c2:81:dc:50:f3:d7:9e:0b:87:5b:2c:e8:a8:
                    eb:71:bc:7b:04:92:d5:be:66:ba:0e:d8:9f:27:28:
                    77:9f:7c:68:2f:2f:64:2d:8a:86:f7:cf:c6:3a:c1:
                    1b:d4:e9:95:d6:c0:f3:77:f3:cd:79:16:40:86:ce:
                    d5:dc:be:b2:c6:5b:7c:fe:e3:68:8d:25:61:41:a8:
                    99:b3:f4:62:60:19:bf:96:32:46:ef:e4:6a:c2:3d:
                    00:f6:44:b9:63:94:50:0e:fb:a0:e1:88:eb:79:cf:
                    b7:a5:d1:29:0c:d6:bf:ee:ad:1b:9b:8e:7c:94:4f:
                    f8:5a:0e:a7:5e:62:e7:67:61:9e:83:cb:a0:f7:56:
                    f6:bc:ec:df:4d:60:6a:fe:08:fa:1c:ae:17:05:54:
                    0f:b0:f8:1f:6c:78:ca:a0:99:ec:4b:06:b3:79:97:
                    88:d1:7e:c8:93:cf:15:6b:9d:ea:d2:ef:88:da:1b:
                    e8:2b:dd:0d:6e:f2:7e:f3:75:60:03:6a:87:64:79:
                    e6:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                9C:E3:0E:F4:F1:60:60:EC:21:7D:D8:D6:5F:0E:7B:FF:90:DB:68:01
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                    Timestamp : May 17 22:00:22.318 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:3D:7F:5A:57:E3:CE:42:A0:2A:16:FD:59:
                                AE:7A:11:19:AE:BE:BE:AA:5A:4A:B0:1E:66:8E:D6:21:
                                A8:35:F8:CB:02:21:00:DB:06:63:54:26:03:76:28:CD:
                                05:BF:08:8B:1B:95:2B:D2:A1:B3:AC:63:6A:DD:84:E7:
                                84:3A:70:A6:54:31:2B
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : May 17 22:00:22.412 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:EA:BC:2D:B6:B1:71:0B:CE:75:A7:15:
                                86:D2:C0:05:49:08:38:CC:B9:EF:DA:1F:23:53:1A:5F:
                                BD:31:19:A5:0A:02:20:21:2F:94:08:61:D0:A8:CA:3F:
                                71:D3:54:4D:E3:56:50:91:51:A6:01:16:77:9E:AE:31:
                                2E:43:E1:68:C0:CE:F2
    Signature Algorithm: sha256WithRSAEncryption
         9b:b8:24:f8:30:fc:77:5d:67:91:40:c7:bf:58:cf:64:67:7f:
         87:33:8e:04:19:93:98:bb:35:cb:4e:b3:78:c0:04:5c:48:f4:
         74:38:f2:57:02:38:3b:84:19:aa:9b:39:08:1d:f9:62:f4:c7:
         af:e4:17:40:02:99:7a:c5:24:fc:ee:b1:d5:95:b0:a2:58:f0:
         db:44:0f:50:3c:92:81:e8:8f:81:4d:e1:eb:e4:86:5d:d0:c8:
         31:d2:30:07:7f:56:48:65:bd:a0:01:38:19:81:e4:80:38:21:
         1f:ae:13:96:54:cd:9f:b1:cb:b2:47:00:f0:8b:d4:0d:61:29:
         99:cb:71:ee:f6:53:ab:27:45:33:7b:0c:f4:e4:85:58:a7:8e:
         58:8e:88:04:0d:e8:03:18:41:e6:8f:b5:c1:c1:9d:da:57:0a:
         85:d7:19:05:4f:f9:8f:8c:b5:60:3f:67:f0:d8:fd:10:98:ad:
         de:25:88:7b:67:0f:bd:e1:7c:21:fb:35:8c:b2:26:78:de:b1:
         54:a4:e9:9f:e0:48:d6:1a:0e:60:a6:f6:21:8c:b3:df:21:a1:
         0c:16:d4:ab:93:3a:5d:94:22:34:40:5b:7e:ef:ea:f8:a1:15:
         d6:8d:69:aa:40:fe:ae:6f:79:dd:49:49:1a:88:0f:15:61:19:
         00:f8:41:6c
openssl x509 -text -noout -in /etc/stunnel/cf43.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:2b:84:39:5e:99:3d:2d:85:52:63:3a:d2:fa:bc:2e:60:4b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Mar 16 22:01:15 2020 GMT
            Not After : Jun 14 22:01:15 2020 GMT
        Subject: CN = dns.digitale-gesellschaft.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bc:0e:73:84:9c:89:7c:f8:2a:db:79:5f:78:ac:
                    39:a8:c5:25:b4:86:5b:9e:1c:3c:14:a6:17:ae:67:
                    f1:02:17:0b:dc:36:ea:a1:9c:57:91:5b:5a:91:6b:
                    df:7b:4c:74:7e:6c:e2:eb:5f:a5:95:02:25:43:c1:
                    3e:f0:67:5d:80:27:6f:37:72:0e:1f:b7:c3:13:e2:
                    3a:a5:13:b6:41:d0:01:aa:d0:7f:68:d4:5e:10:95:
                    ee:17:bb:8d:8b:77:a3:7e:c8:9e:7a:8a:35:8a:09:
                    00:82:80:67:70:34:ac:f5:bc:24:4a:b9:c4:df:1f:
                    1e:e4:48:66:a8:76:60:d8:a3:d5:64:3b:9d:7e:7b:
                    18:99:f7:31:a5:28:4e:a4:47:24:25:af:18:32:d5:
                    f9:98:67:21:f7:49:23:c2:72:00:73:e5:25:ca:af:
                    a5:ae:df:00:62:d8:f2:5e:1e:8a:26:5a:63:5b:22:
                    e1:eb:2d:b4:e9:57:de:16:8c:a0:72:db:ff:82:46:
                    b8:d8:55:ad:55:84:e5:65:b5:86:8b:47:00:ea:85:
                    0d:74:c6:9d:9f:95:e4:3a:19:fe:3d:8f:5f:4b:f8:
                    ed:a5:93:3f:ea:31:fd:41:74:7e:6b:ae:bf:98:9a:
                    70:85:d8:9f:51:85:fc:5e:11:eb:b9:60:6a:c3:bf:
                    81:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DE:64:78:2F:E4:81:84:C3:C9:3F:5C:01:DB:D0:42:E2:0D:CB:48:B8
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                    Timestamp : Mar 16 23:01:15.249 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:04:32:96:55:70:AB:40:41:3B:E2:6C:E3:
                                8E:78:1E:82:F7:84:57:6A:76:2C:11:2B:24:A6:BB:72:
                                59:F1:F9:8A:02:20:67:12:DB:64:C1:D8:15:5D:3F:ED:
                                8B:8F:01:68:B8:A1:D2:B0:20:2B:32:54:11:14:82:72:
                                06:B8:E6:1C:1C:69
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                    Timestamp : Mar 16 23:01:15.303 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:1B:C7:5B:F2:A9:04:12:6A:62:E8:33:F9:
                                BD:08:39:1D:0F:F3:39:8D:F2:F8:37:E3:C8:05:CC:1B:
                                E7:31:F7:83:02:20:12:47:02:D3:E3:93:48:9A:F3:5A:
                                B9:F4:12:85:87:0F:D4:F2:B7:79:F5:8C:DD:77:D4:5E:
                                BE:D0:95:27:83:9C
    Signature Algorithm: sha256WithRSAEncryption
         82:30:ea:0a:6f:45:53:e7:f8:a0:80:69:47:a4:7d:ee:6a:78:
         a3:34:00:f1:bb:0d:c8:3a:1f:37:8e:25:f9:9d:cc:a5:e0:15:
         03:a5:da:2a:28:af:89:97:f9:d6:20:61:ae:1e:16:80:f4:1a:
         2c:08:ac:74:f3:80:2f:ae:17:f7:f4:b4:1c:b7:f1:59:f9:73:
         fd:12:cb:e3:48:36:bd:fe:99:38:69:44:7f:3b:dc:38:98:54:
         75:f5:00:d0:de:93:eb:5a:4d:5e:65:d0:99:9e:64:75:8f:cd:
         e4:6f:1e:22:d5:8f:cb:4d:78:ef:0e:70:38:b7:f0:af:4d:30:
         7b:9a:ea:1d:6c:b7:cb:18:2b:de:5a:18:d2:4b:bb:e6:79:b2:
         45:8b:01:dc:d1:15:45:cc:cc:f0:5d:a6:98:10:90:72:d2:da:
         ef:7a:3c:1c:af:42:f0:7f:85:5b:49:53:e8:b3:51:11:e4:93:
         fc:b3:8a:dc:bc:5c:40:8d:bb:36:be:36:87:09:de:23:19:29:
         1d:f3:7e:70:5b:43:43:ad:6e:a4:b4:55:ac:9e:f5:10:05:31:
         a7:a5:00:66:8a:e7:67:4e:02:2a:2d:40:d4:2c:e8:f1:bb:35:
         8d:b7:cf:52:b0:71:04:72:d0:ab:fb:e6:f6:c7:45:33:db:88:
         d5:90:f0:32
Any suggestions?
Thanks.
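Added example, not part of the original post and not stunnel or OpenSSL code. The error stack above fails inside X509_load_cert_crl_file, i.e. while stunnel reads the CAfile with SSL_CTX_load_verify_locations(), before any connection is made; the "UTF-8 byte order mark not detected" line in the log refers to stunnel.conf, not to the CAfile. OpenSSL reads a CAfile as PEM: each -----BEGIN CERTIFICATE----- block is base64-decoded and the result must start with a DER SEQUENCE header whose declared length fits in the decoded bytes. The script below re-implements only that framing check (a first byte other than 0x30 is what asn1_check_tlen reports as "bad object header"; a declared length larger than the available data is what ASN1_get_object reports as "too long"), flags a UTF-8 BOM or a DER-encoded file, both of which stop the PEM reader from finding a BEGIN line, and then hands the same bytes to OpenSSL through Python's ssl module to obtain the real error text. All sample inputs are constructed here and are not the poster's files or real certificates. One caveat visible in the dumps: both CAfile entries are the server's own Let's Encrypt leaf certificates (CA:FALSE, Not After Jun 14 2020 and Aug 15 2020), so even once they load, the pin will stop matching at the next renewal.

```python
"""Check a stunnel CAfile the way SSL_CTX_load_verify_locations() will read it.

Added example, not stunnel's or OpenSSL's code.  inspect_cafile() checks the
PEM framing without OpenSSL; openssl_load_error() asks OpenSSL itself.
"""
import base64
import binascii
import re
import ssl
import tempfile

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
UTF8_BOM = b"\xef\xbb\xbf"


def der_header(data: bytes):
    """Parse a DER SEQUENCE tag/length header; return (declared_len, header_len).
    Raises ValueError with the OpenSSL-style message for the two failure modes."""
    if len(data) < 2 or data[0] != 0x30:      # asn1_check_tlen: not a SEQUENCE
        raise ValueError("bad object header")
    first = data[1]
    if first < 0x80:                           # short form: one length byte
        length, hlen = first, 2
    else:                                      # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("bad object header")
        length, hlen = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if length > len(data) - hlen:              # ASN1_get_object: length exceeds data
        raise ValueError("too long")
    return length, hlen


def inspect_cafile(raw: bytes) -> dict:
    """Report on the PEM framing of a CAfile's bytes without calling OpenSSL."""
    report = {"bom": raw.startswith(UTF8_BOM), "crlf": b"\r\n" in raw,
              "der_file": False, "blocks": [], "problems": []}
    body = raw[len(UTF8_BOM):] if report["bom"] else raw
    if report["bom"]:                          # PEM reader matches "-----BEGIN " at line start
        report["problems"].append("UTF-8 BOM before the first PEM header")
    if body[:1] == b"\x30":                    # whole file is DER (e.g. saved with -outform DER)
        report["der_file"] = True
        report["problems"].append("file is DER, not PEM (openssl x509 -inform DER -outform PEM)")
        return report
    for m in PEM_BLOCK.finditer(body):
        label = m.group(1).decode()
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)
            length, hlen = der_header(der)
        except binascii.Error:
            report["problems"].append(f"{label}: body is not valid base64")
            continue
        except ValueError as exc:
            report["problems"].append(f"{label}: {exc}")
            continue
        report["blocks"].append((label, hlen + length))
    if not report["blocks"] and not report["problems"]:
        report["problems"].append("no PEM blocks found")
    return report


def openssl_load_error(raw: bytes):
    """Feed the bytes to SSL_CTX_load_verify_locations() (the call that failed in
    the stunnel log) and return OpenSSL's error text, or None if it loaded."""
    with tempfile.NamedTemporaryFile(suffix=".crt") as f:
        f.write(raw)
        f.flush()
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.load_verify_locations(cafile=f.name)
        except ssl.SSLError as exc:
            return str(exc)
    return None


def pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM block (only used to build the constructed samples)."""
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label.encode(), base64.encodebytes(der), label.encode())


# Constructed samples: none is the poster's file or a real certificate.
SAMPLES = {
    "framed_ok":  pem("CERTIFICATE", b"\x30\x03\x02\x01\x05"),      # header fits the data
    "truncated":  pem("CERTIFICATE", b"\x30\x82\x04\xd2\x30\x82"),  # claims 1234 bytes, has 2
    "bad_header": pem("CERTIFICATE", b"MZ\x90\x00\x03\x00"),        # first byte is not 0x30
    "bom":        UTF8_BOM + pem("CERTIFICATE", b"\x30\x03\x02\x01\x05"),
    "der_file":   b"\x30\x03\x02\x01\x05",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        rep = inspect_cafile(data)
        print(f"{name:11s} blocks={rep['blocks']} problems={rep['problems']}")
        print(f"{'':11s} openssl: {openssl_load_error(data)}")
```

inspect_cafile() only checks that each block is framed like DER; "framed_ok" still fails in openssl_load_error() because its payload is not a certificate, which is why the last step defers to OpenSSL. To test a real file, pass open("/etc/stunnel/cf.crt", "rb").read() to both functions.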