Hello,
I am experiencing an issue with stunnel versions 5.73 and above where the server logs are continuously filled with the following message: "OCSP: SSL_get_certificate"
This issue does not occur in version 5.72. I am using PSK for encryption and have not configured OCSP. Here are the details of my setup:
- stunnel 5.74 on amd64-portbld-freebsd14.1 platform
- Compiled with OpenSSL 3.0.13 30 Jan 2024
- Running with OpenSSL 3.0.15 3 Sep 2024
- Server configuration file:

```
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel/stunnel.pid

[bayes]
accept = 6478
connect = 6378
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
cert = /usr/local/etc/stunnel/cert.pem
key = /usr/local/etc/stunnel/private.key

[fuzzy]
accept = 6477
connect = 6377
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
cert = /usr/local/etc/stunnel/cert.pem
key = /usr/local/etc/stunnel/private.key
```
- Client configuration file:

```
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel/stunnel.pid

[bayes]
client = yes
accept = localhost:6478
connect = host.example.org:6478
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt

[fuzzy]
client = yes
accept = localhost:6477
connect = host.example.org:6477
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
```
- Relevant log entries:

```
Dec 27 09:00:10 mx stunnel[22113]: LOG3[per-minute]: OCSP: SSL_get_certificate
```
As a temporary workaround, I generated a self-signed certificate and configured stunnel to use it. This has resolved the issue with OCSP messages. However, I believe this is not the intended behavior when using PSK without configuring OCSP.
I would appreciate any help or guidance on how to properly configure stunnel to avoid this issue without requiring a self-signed certificate.
Thank you, Alexander
Hi Alexander,
How often do you receive those errors that fill your logs? I only found a single line in your email, so it is hard for me to estimate the volume.
Best regards, Mike
27 Dec 2024 13:51:44 Alexander Moisseev via stunnel-users stunnel-users@stunnel.org:
On 27.12.2024 15:56, Michał Trojnara via stunnel-users wrote:
Hi Alexander,
How often do you receive those errors that fill your logs? I only found a single line in your email, so it is hard for me to estimate the volume.

```
Dec 27 08:55:10 mx stunnel[22113]: LOG3[per-minute]: OCSP: SSL_get_certificate
Dec 27 08:55:10 mx syslogd: last message repeated 1 times
Dec 27 08:57:10 mx syslogd: last message repeated 4 times
Dec 27 08:59:10 mx syslogd: last message repeated 4 times
Dec 27 09:00:10 mx stunnel[22113]: LOG3[per-minute]: OCSP: SSL_get_certificate
Dec 27 09:00:10 mx syslogd: last message repeated 1 times
Dec 27 09:02:10 mx syslogd: last message repeated 4 times
Dec 27 09:12:10 mx syslogd: last message repeated 20 times
Dec 27 09:18:10 mx syslogd: last message repeated 12 times
Dec 27 09:18:48 mx stunnel[22113]: LOG5[per-day]: DH parameters updated
Dec 27 09:19:10 mx stunnel[22113]: LOG3[per-minute]: OCSP: SSL_get_certificate
Dec 27 09:19:10 mx syslogd: last message repeated 1 times
Dec 27 09:21:10 mx syslogd: last message repeated 4 times
Dec 27 09:31:10 mx syslogd: last message repeated 20 times
Dec 27 09:41:11 mx syslogd: last message repeated 20 times
Dec 27 09:51:11 mx syslogd: last message repeated 20 times
Dec 27 10:01:11 mx syslogd: last message repeated 20 times
Dec 27 10:11:11 mx syslogd: last message repeated 20 times
Dec 27 10:22:11 mx syslogd: last message repeated 22 times
Dec 27 10:32:12 mx syslogd: last message repeated 20 times
Dec 27 10:42:12 mx syslogd: last message repeated 20 times
Dec 27 10:52:12 mx syslogd: last message repeated 20 times
Dec 27 11:02:12 mx syslogd: last message repeated 20 times
Dec 27 11:12:13 mx syslogd: last message repeated 20 times
Dec 27 11:22:13 mx syslogd: last message repeated 20 times
Dec 27 11:32:13 mx syslogd: last message repeated 20 times
Dec 27 11:37:13 mx syslogd: last message repeated 10 times
```
Hi Alexander,
So it's two log lines per minute (1 log line per minute per stunnel.conf section). It may seem like a lot, because your server does not seem to produce many other logs. I will address it in the next version of stunnel.
Best regards, Mike
27 Dec 2024 14:11:16 Alexander Moisseev via stunnel-users stunnel-users@stunnel.org:
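An added example (not from the thread or the stunnel project) that reproduces Mike's volume estimate from the syslog excerpt: it undoes syslogd's "last message repeated N times" compression and computes how many OCSP messages per minute stunnel emitted. The sample lines are copied from the excerpt above; the year is assumed, since BSD syslog timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample: a slice of the syslog excerpt Alexander posted.
SAMPLE_LOG = """\
Dec 27 09:19:10 mx stunnel[22113]: LOG3[per-minute]: OCSP: SSL_get_certificate
Dec 27 09:19:10 mx syslogd: last message repeated 1 times
Dec 27 09:21:10 mx syslogd: last message repeated 4 times
Dec 27 09:31:10 mx syslogd: last message repeated 20 times
Dec 27 09:41:11 mx syslogd: last message repeated 20 times
Dec 27 09:51:11 mx syslogd: last message repeated 20 times
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^syslogd: last message repeated (?P<n>\d+) times$")


def expand_repeats(lines, year=2024):
    """Yield (timestamp, message) with syslogd's repeat compression undone.

    A repeat marker carries the time it was flushed, so the N suppressed
    copies are attributed to that flush time; that is accurate enough for
    a rate estimate over a multi-minute window. The year is an assumption.
    """
    last_msg = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rep = REPEAT_RE.match(m["msg"])
        if rep is None:
            last_msg = m["msg"]
            yield ts, last_msg
        elif last_msg is not None:  # a marker with no prior message is ignored
            for _ in range(int(rep["n"])):
                yield ts, last_msg


def message_rate(lines, needle="OCSP: SSL_get_certificate"):
    """Return (count, per_minute) for log messages containing `needle`."""
    stamps = [ts for ts, msg in expand_repeats(lines) if needle in msg]
    minutes = (stamps[-1] - stamps[0]).total_seconds() / 60 if stamps else 0.0
    if minutes <= 0:
        return len(stamps), 0.0
    return len(stamps), len(stamps) / minutes


if __name__ == "__main__":
    count, per_min = message_rate(SAMPLE_LOG.splitlines())
    print(f"{count} OCSP messages, about {per_min:.1f} per minute")
```

Over the sample window this yields 66 messages in just over 32 minutes, i.e. the two per minute (one per PSK section) that Mike derived by hand.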