On 25.10.18 at 12:00, stunnel-users-request@stunnel.org wrote:
Today's Topics:
- stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian jessie (Johann Hörmann)
- Re: stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian jessie (Eric Eberhard)
- stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian jessie (Jakob Hirsch)
Message: 1
Date: Wed, 24 Oct 2018 17:29:18 +0200
From: Johann Hörmann support@hans-hoermann.de
To: stunnel-users@stunnel.org
Subject: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian jessie
Message-ID: f9fb3d42-c0f2-dffd-e0b1-249d8e068081@hans-hoermann.de
Content-Type: text/plain; charset=utf-8
Hi,
that's the log on a debian jessie, starting stunnel:
2018.10.24 ..: stunnel 5.06 on x86_64-pc-linux-gnu platform
2018.10.24 ..: Compiled with OpenSSL 1.0.1k 8 Jan 2015
2018.10.24 ..: Running with OpenSSL 1.0.1t 3 May 2016
2018.10.24 ..: Update OpenSSL shared libraries or rebuild stunnel

All debian packages are upgraded:
$ sudo apt-get update
...
$ sudo apt-get upgrade
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$

$ dpkg -l|egrep 'openssl|stunnel'
...
ii openssl 1.0.1t-1+deb8u9 ...
ii stunnel4 3:5.06-2+deb8u1
$
Guess the log tells the current stunnel-package is not linked against openssl 1.0.1t lib yet.
No pinning is active:
$ ls -l /etc/apt/preferences
-rw-r--r-- 1 root root 0 Jun 4 2010 /etc/apt/preferences
$
Is that - stunnel not being linked against the current openssl-lib - a serious problem? Will there soon be a stunnel-package being linked against openssl 1.0.1t?
Thanks in Advance
Hans
Message: 2
Date: Wed, 24 Oct 2018 15:02:08 -0700
From: "Eric Eberhard" flash@vicsmba.com
To: 'Johann Hörmann' support@hans-hoermann.de, stunnel-users@stunnel.org
Subject: Re: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian jessie
Message-ID: 03bb01d46be5$40d264c0$c2772e40$@vicsmba.com
Content-Type: text/plain; charset="utf-8"
Static linking is much easier, especially when put in a non-standard place, such as /usr/local/customer-name/lib -- this means if somebody does an update of say openssl alone you won't have this problem. You can also do it non-static as long as it is in a non-standard place and be pretty safe.
My versions have stunnel 5.44 and openssl 1.0.2 -- works fine. It is static and keeps on ticking.
Eric
Message: 3
Date: Thu, 25 Oct 2018 10:58:48 +0200
From: Jakob Hirsch jh@plonk.de
To: stunnel-users@stunnel.org
Subject: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian jessie
Message-ID: a518f51f-180d-b1a3-96e1-c3f976dd1e42@Message-ID.plonk.de
Content-Type: text/plain; charset=utf-8
Hi,
On 2018-10-24 17:29, Johann Hörmann wrote:
> Is that - stunnel not being linked against the current openssl-lib - a serious problem?
It is usually not necessary to rebuild all packages using a specific lib just because it got updated.
> Will there soon be a stunnel-package being linked against openssl 1.0.1t?
The debian people are doing that, so that would be something to ask them, specifically the package maintainers (see https://packages.debian.org/jessie/stunnel4). But since jessie support ended last June and LTS won't rebuild, I would not hold my breath.
Why do you care about this in the first place? You are using a stunnel version that is 4 years old and got last patched more than 3 years ago. If it's of any importance to you, you should really upgrade to stretch (optionally with bpo) or at least use jessie-backports.
Regards
Jakob
End of stunnel-users Digest, Vol 171, Issue 16
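Added example (not part of the original thread): a Python check that reads the stunnel startup lines quoted in the first message and classifies the difference between the build-time and run-time OpenSSL versions. The function names and result labels are illustrative, and the single-line "Compiled/running" form is an assumption for the case where both versions agree.

```python
import re

# Startup lines as quoted in the first message of the thread.
SAMPLE_LOG = """\
2018.10.24 ..: stunnel 5.06 on x86_64-pc-linux-gnu platform
2018.10.24 ..: Compiled with OpenSSL 1.0.1k 8 Jan 2015
2018.10.24 ..: Running with OpenSSL 1.0.1t 3 May 2016
2018.10.24 ..: Update OpenSSL shared libraries or rebuild stunnel
"""

# "Compiled/running" is the single-line form assumed for the case where both agree.
VERSION_RE = re.compile(
    r"(Compiled/running|Compiled|Running) with OpenSSL (\d+\.\d+\.\d+)([a-z]*)")

def openssl_versions(log_text):
    """Map 'compiled'/'running' to (series, letter); the last start in the log wins."""
    found = {}
    for kind, series, letter in VERSION_RE.findall(log_text):
        for key in kind.lower().split("/"):
            found[key] = (series, letter)
    return found

def classify(log_text):
    """Classify the build-time vs. run-time OpenSSL difference (labels are illustrative)."""
    v = openssl_versions(log_text)
    if "compiled" not in v or "running" not in v:
        return "unknown"
    (c_series, c_letter), (r_series, r_letter) = v["compiled"], v["running"]
    if c_series != r_series:
        return "series-mismatch"   # different series: act on the log's own advice
    if c_letter == r_letter:
        return "match"
    # Same series, different letter: pre-3.0 OpenSSL letter releases carried
    # bug and security fixes only, so a newer runtime is the expected state
    # after a library update; an older runtime means the library lags the build.
    return "runtime-newer" if r_letter > c_letter else "runtime-older"

if __name__ == "__main__":
    print(openssl_versions(SAMPLE_LOG), classify(SAMPLE_LOG))
```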
Thanks a lot for your valuable advice, Eric and Jakob!
Being just a dumb user, I supposed the distribution should stay 'in harmony'. OK, now I know that for oldstable this can be solved by backports or by compiling stunnel with a static openssl-lib.
Upgrading to stretch is not yet a choice because I am using stunnel with 'verify=3', which results in checking the self-signed client-certs at the server:
I can't tell why, but my cacert file was generated with a CAFile value of FALSE, which worked until jessie, but at stretch the request results in a reject by the openssl-lib because of the FALSE-value.
So first I have to renew and deploy all my customers' certs - about 80 - with a stretch-conform cacert performing with CAFile=true.
Hans
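Added example, not part of the original message: before reissuing a batch of certificates it helps to list which ones carry the CA flag. It assumes the "CAFile value of FALSE" mentioned above refers to the X.509 basicConstraints CA flag, and reads that flag with a standard-library DER walk. All function names are illustrative, and `sample_cert` builds a constructed, unsigned certificate skeleton used only to exercise the reader.

```python
import base64

BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # OID 2.5.29.19

def pem_to_der(pem_text):
    """Drop the BEGIN/END lines of a PEM certificate and decode the base64 body."""
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))

def tlv(buf, pos):
    """Return (tag, content, next_pos) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = tlv(content, pos)
        out.append((tag, body))
    return out

def ca_flag(cert_der):
    """basicConstraints cA as True/False (absent cA = FALSE); None if no such extension."""
    tbs = children(tlv(cert_der, 0)[1])[0][1]          # Certificate -> tbsCertificate
    for tag, body in children(tbs):
        if tag != 0xA3:                                # [3] EXPLICIT Extensions
            continue
        for _, ext in children(children(body)[0][1]):  # each Extension SEQUENCE
            fields = children(ext)                     # OID, [critical], OCTET STRING
            if fields[0][1] == BASIC_CONSTRAINTS:
                inner = children(children(fields[-1][1])[0][1])
                return bool(inner) and inner[0][0] == 0x01 and inner[0][1] != b"\x00"
    return None

def der(tag, *parts):
    """Encode one element (short-form length only; enough for the sample below)."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(ca):
    """Constructed, unsigned certificate skeleton: version, serial, one extension."""
    bc = der(0x30, der(0x01, b"\xff")) if ca else der(0x30)
    ext = der(0x30, der(0x06, BASIC_CONSTRAINTS), der(0x04, bc))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0xA3, der(0x30, ext)))
    return der(0x30, tbs)
```

For a real file, pass `pem_to_der(open(path).read())` to `ca_flag`; a result of `None` means the certificate has no basicConstraints extension at all.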