----- Forwarded message from Bryan Donlan bd@fushizen.net -----
Version: 3:4.21-1
With the following configuration:
output = /srv/stun/log
compression = zlib
CApath = /srv/stun/keys
cert = /srv/stun/server.pem
connect = localhost:9999
verify = 3
The following is output on stderr: 2008.01.10 02:54:19 LOG5[11786:3083495088]: Peer certificate location /srv/stun/keys
This confuses clients when stunnel is driven directly from xinetd. This output, if it is produced at all, should be placed in the log file.
----- End forwarded message -----
The issue is that verify_init (verify.c:103) calls
s_log(LOG_NOTICE, "Peer certificate location %s", section->ca_dir);
apparently before the logfile is set up. Could the log file initialization be moved earlier in the startup sequence? Or maybe this log call's severity could be lowered.
Luis Rodrigo Gallardo Cruz wrote:
The following is output on stderr: 2008.01.10 02:54:19 LOG5[11786:3083495088]: Peer certificate location /srv/stun/keys
Please try the following beta version: ftp://stunnel.mirt.net/stunnel/stunnel-4.22b2.tar.gz
Best regards, Mike
On Fri, Jan 11, 2008 at 10:24:34PM +0100, Michal Trojnara wrote:
Luis Rodrigo Gallardo Cruz wrote:
The following is output on stderr: 2008.01.10 02:54:19 LOG5[11786:3083495088]: Peer certificate location /srv/stun/keys
Please try the following beta version: ftp://stunnel.mirt.net/stunnel/stunnel-4.22b2.tar.gz
I get even more output with this version. I know some (most?) of the errors shown below are caused by my hastily made up config, but the substance of the bug report is that the messages are going to stderr, and not to the configured logfile.
$ cat /tmp/test-conf
output = /tmp/log
compression = zlib
cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
connect = localhost:9999
verify = 3

$ stunnel4 /tmp/test-conf
2008.01.15 00:09:29 LOG6[14154:3082619632]: Compression enabled using zlib method
2008.01.15 00:09:29 LOG6[14154:3082619632]: Unable to retrieve any random data from /home/rodrigo/.rnd
2008.01.15 00:09:29 LOG7[14154:3082619632]: Wrote 0 new random bytes to /home/rodrigo/.rnd
2008.01.15 00:09:29 LOG7[14154:3082619632]: RAND_status claims sufficient entropy for the PRNG
2008.01.15 00:09:29 LOG7[14154:3082619632]: PRNG seeded successfully
2008.01.15 00:09:29 LOG4[14154:3082619632]: Wrong permissions on /etc/ssl/certs/ssl-cert-snakeoil.pem
2008.01.15 00:09:29 LOG7[14154:3082619632]: Certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem
2008.01.15 00:09:29 LOG7[14154:3082619632]: Certificate loaded
2008.01.15 00:09:29 LOG7[14154:3082619632]: Key file: /etc/ssl/certs/ssl-cert-snakeoil.pem
2008.01.15 00:09:29 LOG3[14154:3082619632]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2008.01.15 00:09:29 LOG3[14154:3082619632]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
Luis Rodrigo Gallardo Cruz wrote:
I get even more output with this version. I know some (most?) of the errors shown below are caused by my hastily made up config, but the substance of the bug report is that the messages are going to stderr, and not to the configured logfile.
[cut]
2008.01.15 00:09:29 LOG3[14154:3082619632]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
The errors can't go to the *configured* log file, because your *configuration* is not correct (invalid certificate). The new stunnel buffers the log messages until the configuration file is parsed. Then all the logs are sent to the configured log destinations. Please try again with a valid configuration.
Best regards, Mike
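The startup ordering that Luis identified (verify_init logging before the log file exists) and the buffering Mike describes as the fix are illustrated below as an added C example; it is not stunnel's own code. Messages logged before a destination is configured are queued in memory, replayed to the configured destination (filtered by the configured level) once the configuration has parsed, or dumped unfiltered to stderr when parsing fails. The names log_open_stream, log_open, log_abort_to_stderr and log_pending_count are hypothetical; s_log is the name from the thread, but its signature here is assumed, and the LOG3/LOG5/LOG7 severities are constructed to match the prefixes in the quoted output.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Syslog-style severities, matching the LOGn prefixes in the quoted output. */
#define LOG_ERR    3
#define LOG_NOTICE 5
#define LOG_DEBUG  7

typedef struct log_entry {
    int level;
    char msg[256];
    struct log_entry *next;
} log_entry;

/* Queue of messages logged before the destination is known (hypothetical design). */
static log_entry *pending_head = NULL;
static log_entry *pending_tail = NULL;
static FILE *log_out = NULL;      /* NULL until log_open_stream() is called */
static int log_threshold = LOG_DEBUG;

/* Number of messages still waiting for a destination. */
int log_pending_count(void) {
    int n = 0;
    for (log_entry *e = pending_head; e; e = e->next) n++;
    return n;
}

static void emit(FILE *out, int level, const char *msg) {
    fprintf(out, "LOG%d: %s\n", level, msg);
}

/* Assumed signature: like the s_log() call in verify.c, but buffering when
   no destination has been configured yet instead of writing to stderr. */
void s_log(int level, const char *fmt, ...) {
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);

    if (log_out) {                       /* destination known: write directly */
        if (level <= log_threshold) emit(log_out, level, buf);
        return;
    }
    log_entry *e = calloc(1, sizeof *e); /* destination unknown: queue it */
    if (!e) return;
    e->level = level;
    strncpy(e->msg, buf, sizeof e->msg - 1);
    if (pending_tail) pending_tail->next = e; else pending_head = e;
    pending_tail = e;
}

/* Called once the configuration parsed successfully: fix the destination and
   threshold, then replay the queue, dropping entries above the threshold.
   Returns the number of queued messages actually written. */
int log_open_stream(FILE *out, int threshold) {
    int written = 0;
    log_out = out;
    log_threshold = threshold;
    while (pending_head) {
        log_entry *e = pending_head;
        pending_head = e->next;
        if (e->level <= log_threshold) { emit(out, e->level, e->msg); written++; }
        free(e);
    }
    pending_tail = NULL;
    fflush(out);
    return written;
}

/* Convenience wrapper for an "output = <path>" style setting; -1 on open failure. */
int log_open(const char *path, int threshold) {
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    return log_open_stream(f, threshold);
}

/* Called when the configuration cannot be parsed: there is no configured
   destination, so everything queued goes to stderr, unfiltered. */
int log_abort_to_stderr(void) {
    return log_open_stream(stderr, LOG_DEBUG);
}

int main(void) {
    /* Scenario from the thread: certificate setup logs before the log file exists. */
    s_log(LOG_NOTICE, "Peer certificate location %s", "/srv/stun/keys");
    s_log(LOG_DEBUG, "PRNG seeded successfully");
    int queued = log_pending_count();
    /* Configuration parsed: replay to the configured destination (stderr here). */
    int n = log_open_stream(stderr, LOG_NOTICE);
    fprintf(stderr, "replayed %d of %d queued messages\n", n, queued);
    return 0;
}
```

With a configuration that fails to parse, the queue is flushed through log_abort_to_stderr() instead, which is exactly the situation in the run above: an invalid certificate means there is no configured destination to deliver to.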
On Tue, Jan 15, 2008 at 08:40:45AM +0100, Michal Trojnara wrote:
Luis Rodrigo Gallardo Cruz wrote:
I get even more output with this version. I know some (most?) of the errors shown below are caused by my hastily made up config, but the substance of the bug report is that the messages are going to stderr, and not to the configured logfile.
[cut]
2008.01.15 00:09:29 LOG3[14154:3082619632]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
The errors can't go to the *configured* log file, because your *configuration* is not correct (invalid certificate). The new stunnel buffers the log messages until the configuration file is parsed. Then all the logs are sent to the configured log destinations. Please try again with a valid configuration.
Indeed!
Thanks, I'll mark the bug as pending in Debian.
On Fri, Jan 11, 2008 at 10:24:34PM +0100, Michal Trojnara wrote:
Please try the following beta version: ftp://stunnel.mirt.net/stunnel/stunnel-4.22b2.tar.gz
The file tools/stunnel.conf-sample.in was not converted to use automake's dirs. The following patch has the required changes:
---------------------------------------------------------------------- --- stunnel.orig/tools/stunnel.conf-sample.in 2008-01-14 23:12:28.000000000 -0600 +++ stunnel/tools/stunnel.conf-sample.in 2008-01-14 23:16:20.000000000 -0600 @@ -3,14 +3,14 @@ ; Please make sure you understand them (especially the effect of chroot jail)
; Certificate/key is needed in server mode and optional in client mode -cert = @prefix@/etc/stunnel/mail.pem -;key = @prefix@/etc/stunnel/mail.pem +cert = @sysconfdir@/stunnel/mail.pem +;key = @sysconfdir@/stunnel/mail.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1) sslVersion = SSLv3
; Some security enhancements for UNIX systems - comment them out on Win32 -chroot = @prefix@/var/lib/stunnel/ +chroot = @localstatedir@/lib/stunnel/ setuid = nobody setgid = @DEFAULT_GROUP@ ; PID is created inside chroot jail @@ -30,12 +30,12 @@ ; CApath is located inside chroot jail ;CApath = /certs ; It's often easier to use CAfile -;CAfile = @prefix@/etc/stunnel/certs.pem +;CAfile = @sysconfdir@/stunnel/certs.pem ; Don't forget to c_rehash CRLpath ; CRLpath is located inside chroot jail ;CRLpath = /crls ; Alternatively you can use CRLfile -;CRLfile = @prefix@/etc/stunnel/crls.pem +;CRLfile = @sysconfdir@/stunnel/crls.pem
; Some debugging stuff useful for troubleshooting ;debug = 7 ----------------------------------------------------------------------
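Review bot: the @sysconfdir@ and @localstatedir@ substitutions in the cert, key, chroot, CAfile and CRLfile lines only yield usable paths if the file is expanded at make time rather than by config.status: autoconf defaults sysconfdir to '${prefix}/etc' and localstatedir to '${prefix}/var', so a plain AC_CONFIG_FILES substitution leaves `cert = ${prefix}/etc/stunnel/mail.pem` in the generated sample, which stunnel reads literally. Suggest generating stunnel.conf-sample from the .in through a Makefile.am sed rule that substitutes the fully evaluated $(sysconfdir) and $(localstatedir), the approach the autoconf manual recommends for non-Makefile files, rather than requiring configure to be run with explicit --sysconfdir and --localstatedir.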
Luis Rodrigo Gallardo Cruz wrote:
The file tools/stunnel.conf-sample.in was not converted to use automake's dirs. The following patch has the required changes:
[cut]
-cert = @prefix@/etc/stunnel/mail.pem -;key = @prefix@/etc/stunnel/mail.pem +cert = @sysconfdir@/stunnel/mail.pem +;key = @sysconfdir@/stunnel/mail.pem
It's expanded *by default* (at least on my machine) to:
cert = ${prefix}/etc/stunnel/mail.pem
;key = ${prefix}/etc/stunnel/mail.pem
It's fine in a Makefile, but it does not work with other files. You need to specify --sysconfdir explicitly to have correct results.
It looks like I'm not the only one suffering from this problem: http://man.sourcentral.org/debian-unstable/1+python You'll easily find several other examples with your favorite search engine.
Best regards, Mike