Hi all,
We have a segmentation fault on stunnel 5.57 running on RHEL7:
Dec 10 16:54:32 prod001 kernel: stunnel[1572]: segfault at 278 ip 00007f3fdca229c2 sp 00007f3fd9011a28 error 6 in libssl.so.1.0.2k[7f3fdc9da000+67000]
$ uname -a
Linux prod001 3.10.0-1160.2.1.el7.x86_64 #1 SMP Mon Sep 21 21:00:09 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa|grep openssl
openssl-devel-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-1.0.2k-19.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
Below is the configuration:
===================================
pid = /home/admin/run/stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

#debug = 2
debug = 7
output = /home/admin/log/stunnel.log

########################################################
###
### INSTANCE 1: program1
###

### Tunnel for remote connection (Server_aaS) ###
[program1-remote-to-local]
cert = /home/admin/config/certs/prod001.crt
key = /home/admin/config/certs/prod001.key
accept = 192.168.1.33:7011
connect = 192.168.1.33:7001

### Tunnel for local connection ###
[program1-local-to-local]
client = yes
CAfile = /home/admin/config/certs/prod001.crt
accept = 127.0.0.1:7011
connect = 192.168.1.33:7011

### Tunnel to connect remote Tunnel ###
### SERVER-02 192.168.1.34:7021 ###
[program1-01-to-02]
client = yes
CAfile = /home/admin/config/certs/prod002.crt
accept = 192.168.1.33:7021
connect = 192.168.1.34:7021
==========================================
$ ./stunnel -help
Initializing inetd mode configuration
stunnel 5.57 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2k-fips 26 Jan 2017
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
chroot                 = directory to chroot stunnel process
compression            = compression type
EGD                    = path to Entropy Gathering Daemon socket
engine                 = auto|engine_id
engineCtrl             = cmd[:arg]
engineDefault          = TASK_LIST
fips                   = yes|no FIPS 140-2 mode
foreground             = yes|quiet|no foreground mode (don't fork, log to stderr)
log                    = append|overwrite log file
output                 = file to append log messages
pid                    = pid file
RNDbytes               = bytes to read from random seed files
RNDfile                = path to file with random seed data
RNDoverwrite           = yes|no overwrite seed datafiles with new random data
syslog                 = yes|no send logging messages to syslog

Service-level options:
accept                 = [host:]port accept connections on specified host:port
CApath                 = CA certificate directory for 'verify' option
CAfile                 = CA certificate file for 'verify' option
cert                   = certificate chain
checkEmail             = peer certificate email address
checkHost              = peer certificate host name pattern
checkIP                = peer certificate IP address
ciphers                = permitted ciphers for TLS 1.2 or older
client                 = yes|no client mode (remote service uses TLS)
config                 = command[:parameter] to execute
connect                = [host:]port to connect
CRLpath                = CRL directory
CRLfile                = CRL file
curves                 = ECDH curve names
debug                  = [facility].level (e.g. daemon.info)
delay                  = yes|no delay DNS lookup for 'connect' option
engineId               = ID of engine to read the key from
engineNum              = number of engine to read the key from
exec                   = file execute local inetd-type program
execArgs               = arguments for 'exec' (including $0)
failover               = rr|prio failover strategy
ident                  = username for IDENT (RFC 1413) checking
include                = directory with configuration file snippets
key                    = certificate private key
local                  = IP address to be used as source for remote connections
logId                  = connection identifier type
OCSP                   = OCSP responder URL
OCSPaia                = yes|no check the AIA responders from certificates
OCSPflag               = OCSP responder flags
OCSPnonce              = yes|no send and verify the OCSP nonce extension
options                = TLS option to set/reset
protocol               = protocol to negotiate before TLS initialization
                         currently supported: cifs, connect, imap, nntp, pgsql, pop3, proxy, smtp, socks
protocolAuthentication = authentication type for protocol negotiations
protocolDomain         = domain for protocol negotiations
protocolHost           = host:port for protocol negotiations
protocolPassword       = password for protocol negotiations
protocolUsername       = username for protocol negotiations
PSKidentity            = identity for PSK authentication
PSKsecrets             = secrets for PSK authentication
pty                    = yes|no allocate pseudo terminal for 'exec' option
redirect               = [host:]port to redirect on authentication failures
renegotiation          = yes|no support renegotiation
requireCert            = yes|no require client certificate
reset                  = yes|no send TCP RST on error
retry                  = yes|no retry connect+exec section
service                = service name
setgid                 = groupname for setgid()
setuid                 = username for setuid()
sessionCacheSize       = session cache size
sessionCacheTimeout    = session cache timeout (in seconds)
sessiond               = [host:]port use sessiond at host:port
sni                    = master_service:host_name for an SNI virtual service
socket                 = a|l|r:option=value[:value] set an option on accept/local/remote socket
sslVersion             = all|SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2 TLS method
stack                  = thread stack size (in bytes)
ticketKeySecret        = secret key for encryption/decryption TLSv1.3 tickets
ticketMacSecret        = key for HMAC operations on TLSv1.3 tickets
TIMEOUTbusy            = seconds to wait for expected data
TIMEOUTclose           = seconds to wait for close_notify
TIMEOUTconnect         = seconds to connect remote host
TIMEOUTidle            = seconds to keep an idle connection
transparent            = none|source|destination|both transparent proxy mode
verify                 = level of peer certificate verification
verifyChain            = yes|no verify certificate chain
verifyPeer             = yes|no verify peer certificate
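Added here as a worked example (not part of the original report, and not stunnel or OpenSSL code): the kernel "segfault at ..." line above already carries enough to do a first triage before a core dump or gdb backtrace is available. The script below parses that line, decodes the `error` value using the x86 page-fault error-code bits (PROT=1, WRITE=2, USER=4, RSVD=8, INSTR=16), computes the instruction pointer's offset inside the libssl mapping, and prints the `addr2line` invocation that resolves that offset to a function once the matching debuginfo is installed. The library path `/usr/lib64/libssl.so.1.0.2k` and the need for the `openssl-debuginfo` package are assumptions about a stock RHEL 7 system; the "NULL pointer pattern" flag is an interpretation (a tiny faulting address in an unmapped page is what a field access through a NULL pointer normally looks like), not a confirmed root cause.

```python
import re
from dataclasses import dataclass

# x86 page-fault error code bits, as reported in the kernel's
# "segfault at ... error N" message (Linux arch/x86:
# X86_PF_PROT, X86_PF_WRITE, X86_PF_USER, X86_PF_RSVD, X86_PF_INSTR).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

# The kernel line copied from the report above.
REPORTED_LINE = (
    "Dec 10 16:54:32 prod001 kernel: stunnel[1572]: segfault at 278 "
    "ip 00007f3fdca229c2 sp 00007f3fd9011a28 error 6 "
    "in libssl.so.1.0.2k[7f3fdc9da000+67000]"
)

SEGFAULT_RE = re.compile(
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<lib>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


@dataclass(frozen=True)
class Segfault:
    proc: str
    pid: int
    addr: int   # faulting data address
    ip: int     # instruction pointer at the time of the fault
    sp: int     # stack pointer at the time of the fault
    err: int    # page-fault error code
    lib: str    # mapping the ip falls in
    base: int   # start of that mapping
    size: int   # length of that mapping

    @property
    def offset(self) -> int:
        """ip relative to the mapping start. Usable directly with addr2line when
        the library's first PT_LOAD segment has virtual address 0 (the usual case)."""
        return self.ip - self.base

    def ip_in_mapping(self) -> bool:
        return self.base <= self.ip < self.base + self.size

    def describe_error(self) -> str:
        if self.err & PF_INSTR:
            access = "instruction fetch"
        elif self.err & PF_WRITE:
            access = "write"
        else:
            access = "read"
        mode = "user" if self.err & PF_USER else "kernel"
        page = ("protection violation on a present page" if self.err & PF_PROT
                else "page not present (unmapped address)")
        return f"{mode}-mode {access}, {page}"

    def looks_like_null_deref(self, window: int = 0x1000) -> bool:
        """Interpretation only: a faulting address inside the first page (never
        mapped for an unprivileged process) with the not-present bit is the usual
        signature of touching a field through a NULL pointer (addr == field offset)."""
        return self.addr < window and not (self.err & PF_PROT)

    def addr2line_cmd(self, lib_path: str) -> str:
        # Needs the matching debuginfo for symbols (assumed: openssl-debuginfo on RHEL 7).
        return f"addr2line -f -e {lib_path} {self.offset:#x}"


def parse_segfault(line: str) -> Segfault:
    m = SEGFAULT_RE.search(line)
    if m is None:
        raise ValueError("not a kernel segfault line: " + line)
    g = m.groupdict()
    return Segfault(
        proc=g["proc"], pid=int(g["pid"]),
        addr=int(g["addr"], 16), ip=int(g["ip"], 16), sp=int(g["sp"], 16),
        err=int(g["err"]), lib=g["lib"],
        base=int(g["base"], 16), size=int(g["size"], 16),
    )


def summarize(line: str) -> dict:
    sf = parse_segfault(line)
    return {
        "process": f"{sf.proc}[{sf.pid}]",
        "fault": sf.describe_error(),
        "faulting_address": f"{sf.addr:#x}",
        "library": sf.lib,
        "offset_in_library": f"{sf.offset:#x}",
        "ip_inside_mapping": sf.ip_in_mapping(),
        "null_pointer_pattern": sf.looks_like_null_deref(),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORTED_LINE).items():
        print(f"{key:>22}: {value}")
    # Assumed library path for a stock RHEL 7 box; run debuginfo-install openssl first.
    print(parse_segfault(REPORTED_LINE).addr2line_cmd("/usr/lib64/libssl.so.1.0.2k"))
```

For the line in the report this yields a user-mode write to address 0x278 in an unmapped page, with the faulting instruction 0x489c2 bytes into libssl.so.1.0.2k; that offset is what to feed to addr2line (or to `info symbol` in gdb against the same library build) so the function name can accompany the bug report. A full backtrace from a core file is still the thing to collect next, since the offset alone does not say which caller in stunnel reached that code path.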