Many thanks Mike.
You were right. There is something wrong with my manual install of openssl 1.0.0e. I just recompiled stunnel 4.47 from sources, using the openssl libraries provided by fink and it went like a charm.
However, I'm now running into another issue. I'm trying to configure stunnel with sni. I read the man page, the how to, the previous mailing list messages and googled as much as I could but can't seem to find an answer.
When I configure stunnel to tunnelize http (i.e. [https] service), everything works fine. When I configure stunnel with sni to tunnelize several virtual hosts (i.e. [virtual] + [sni1] + [sni2]), it crashes on a segmentation fault when testing the connection to the virtual host with openssl or with a browser. When I configure only the virtual service without any sni virtual hosts (i.e. [virtual] only without any defined sni), everything runs fine.
I'm running into the exact same issue with stunnel 4.46 installed from fink - SNI won't work which is very sad.
I have the feeling that this is related to the OpenSSL distributed by Fink and I'm currently checking with the maintainer whether the distributed pre-compiled OpenSSL was compiled with --enable-tls
Do you think that this might be related to something wrong in fink's openssl or the fink openssl libraries against which I have build stunnel?
I'm currently checking with the maintainer of the ssl package on Fink whether it has been built with the --enable-tlsext option, but it seems that it has been (I've been trying to run an OpenSSL server with -tls option and connect with an OpenSSL client with -tls option and it connects correctly).
Here is the console output of stunnel in foreground debug mode:
2011.11.23 20:21:38 LOG7[26580:2689165344]: Clients allowed=125
2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=3 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=4 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG5[26580:2689165344]: stunnel 4.47 on powerpc-apple-darwin9.8.0 platform
2011.11.23 20:21:38 LOG5[26580:2689165344]: Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
2011.11.23 20:21:38 LOG5[26580:2689165344]: Threading:PTHREAD SSL:ENGINE Auth:none Sockets:SELECT,IPv4
2011.11.23 20:21:38 LOG5[26580:2689165344]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
2011.11.23 20:21:38 LOG7[26580:2689165344]: Snagged 64 random bytes from /Users/cedriclor/.rnd
2011.11.23 20:21:38 LOG7[26580:2689165344]: Wrote 1024 new random bytes to /Users/cedriclor/.rnd
2011.11.23 20:21:38 LOG7[26580:2689165344]: PRNG seeded successfully
2011.11.23 20:21:38 LOG6[26580:2689165344]: Initializing SSL context for service virtual
2011.11.23 20:21:38 LOG4[26580:2689165344]: Insecure file permissions on /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Key file: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Private key loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: DH initialized with 2048-bit key
2011.11.23 20:21:38 LOG7[26580:2689165344]: ECDH initialized with curve prime256v1
2011.11.23 20:21:38 LOG7[26580:2689165344]: SSL options set: 0x01000004
2011.11.23 20:21:38 LOG6[26580:2689165344]: SSL context initialized
2011.11.23 20:21:38 LOG6[26580:2689165344]: Initializing SSL context for service sni1
2011.11.23 20:21:38 LOG4[26580:2689165344]: Insecure file permissions on /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Key file: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Private key loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: DH initialized with 2048-bit key
2011.11.23 20:21:38 LOG7[26580:2689165344]: ECDH initialized with curve prime256v1
2011.11.23 20:21:38 LOG7[26580:2689165344]: SSL options set: 0x01010004
2011.11.23 20:21:38 LOG6[26580:2689165344]: SSL context initialized
2011.11.23 20:21:38 LOG6[26580:2689165344]: Initializing SSL context for service sni2
2011.11.23 20:21:38 LOG4[26580:2689165344]: Insecure file permissions on /sw/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Key file: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Private key loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: DH initialized with 2048-bit key
2011.11.23 20:21:38 LOG7[26580:2689165344]: ECDH initialized with curve prime256v1
2011.11.23 20:21:38 LOG7[26580:2689165344]: SSL options set: 0x01010004
2011.11.23 20:21:38 LOG6[26580:2689165344]: SSL context initialized
2011.11.23 20:21:38 LOG5[26580:2689165344]: Configuration successful
2011.11.23 20:21:38 LOG7[26580:2689165344]: accept socket: FD=6 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG7[26580:2689165344]: Option SO_REUSEADDR set on accept socket
2011.11.23 20:21:38 LOG7[26580:2689165344]: Service virtual bound to 127.0.0.1:8081
2011.11.23 20:21:38 LOG7[26580:2689165344]: Service virtual opened FD=6
2011.11.23 20:21:39 LOG7[26580:2689165344]: Created pid file /stunnel.pid
2011.11.23 20:21:50 LOG7[26580:2689165344]: local socket: FD=7 allocated (non-blocking mode)
2011.11.23 20:21:50 LOG7[26580:2689165344]: Service virtual accepted FD=7 from 127.0.0.1:50132
Segmentation fault
Here is my stunnel.conf:
chroot = /sw/var/lib/stunnel
pid = /stunnel.pid
debug = 7
foreground = yes
cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem

[virtual]
accept = 127.0.0.1:8081
cert = /usr/local/etc/stunnel/stunnel.pem
connect = mydefaulthost.mydomain.com:80

[sni1]
sni = virtual:myfirstsecuredvirtualhost.mydomain.com:8081
cert = /usr/local/etc/stunnel/stunnel.pem
connect = myfirstvirtualhost.mydomain.com:80

[sni2]
sni = virtual:myfirstsecuredvirtualhost.mydomain.com:8081
cert = /usr/local/etc/stunnel/stunnel.pem
connect = mysecondvirtualhost.mydomain.com:80
And here is the output of an openssl test:
macosx-ppc:~ cedriclor$ openssl s_client -connect myfirstsecuredvirtualhost.mydomain.com:8081
CONNECTED(00000003)
2689165412:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The same with the option -tls1:
macosx-ppc:~ cedriclor$ openssl s_client -connect myfirstsecuredvirtualhost.mydomain.com:8081 -tls1
CONNECTED(00000003)
2689165412:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1322079696
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Regards,
Cédric
On Nov 23, 2011, at 2:44 PM, Michal Trojnara wrote:
Cedric Lor wrote:
I've been trying to compile stunnel (4.47) on a PowerPC Mac OS X Leopard (OS X 10.5) platform after a manual update to openssl v.1.0.0e
[cut]
libtool: link: gcc -pthread -fstack-protector -g -O2 -Wall -Wextra -Wno-long-long -pedantic -o stunnel stunnel-str.o stunnel-file.o stunnel-client.o stunnel-log.o stunnel-options.o stunnel-protocol.o stunnel-network.o stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o stunnel-verify.o stunnel-sthreads.o stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o -L/usr/local/ssl/lib64 -L/usr/local/ssl/lib -lssl -lcrypto -lz -ldl -lutil -lpthread -lwrap -pthread
Undefined symbols:
  "_EC_KEY_new_by_curve_name", referenced from:
      _context_init in stunnel-ctx.o
There is something wrong with your manual installation of OpenSSL 1.0.0e on your machine. The linker finds your old library instead of the new one. Make sure the library files are properly installed in /usr/local/ssl/lib. You could also rename the old library files for the time of building stunnel.
Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
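The SNI dispatch the thread is trying to configure, as an added illustration that is not part of the thread and not stunnel's own code: a minimal ClientHello builder, a parser that pulls the server_name extension out of the record, and a lookup that maps the name to a service the way `sni = virtual:<hostname>` does. The host names and the rule that an absent or unknown name falls through to the default service are assumptions. It also shows that a ClientHello without a server_name extension, which is what `openssl s_client` in OpenSSL 1.0.x sends unless `-servername` is given, carries nothing for an `[sni1]`/`[sni2]` lookup to match.

```python
import struct
# Constructed routing table modelled on the post's [virtual] + [sni1] + [sni2]
# layout; placeholder host names, not the poster's real hosts.
SNI_SERVICES = {"myfirstsecuredvirtualhost.mydomain.com": "sni1",
                "mysecondsecuredvirtualhost.mydomain.com": "sni2"}
DEFAULT_SERVICE = "virtual"  # assumption: handles no-SNI and unknown names

def build_client_hello(server_name=None):
    """Minimal TLS 1.0 ClientHello record with an optional server_name extension."""
    body = b"\x03\x01" + bytes(32)          # client_version + random
    body += b"\x00"                         # empty session id
    body += b"\x00\x02\x00\x2f"             # one cipher suite
    body += b"\x01\x00"                     # null compression only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(name)) + name  # host_name
        sni_list = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", 0, len(sni_list)) + sni_list  # type 0 = SNI
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake header
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs    # record header

def parse_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9 + 2 + 32                          # skip headers, version, random
    p += 1 + record[p]                      # session id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                      # compression methods
    if p >= len(record):
        return None                         # no extensions block at all
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", record[p:p + 4])
        p += 4
        if ext_type == 0:                   # server_name extension
            q = p + 2                       # skip ServerNameList length
            while q + 3 <= p + ext_len:
                name_len = struct.unpack(">H", record[q + 1:q + 3])[0]
                if record[q] == 0:          # NameType host_name
                    return record[q + 3:q + 3 + name_len].decode("idna")
                q += 3 + name_len
        p += ext_len
    return None

def route(record):
    """Pick the stunnel-style service: SNI match, else the default service."""
    return SNI_SERVICES.get(parse_sni(record), DEFAULT_SERVICE)
```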