I've gotten v5.17 compiled on AIX 5.3 & 6.1 with the following
xlccmp.13.1.0 13.1.0.3 COMMITTED XL C compiler
openssl.base 1.0.1.513 COMMITTED Open Secure Socket Layer
IV71446m9a Ifix for Openssl CVE
Everything seems to have compiled fine. I packaged it up, installed, and set up a quick config. The server side aborts on me. Debug output follows. Need some direction on where to look next. Thanks in advance!
2015.05.06 12:08:03 LOG7[ui]: Clients allowed=31999
2015.05.06 12:08:03 LOG5[ui]: stunnel 5.17 on powerpc-ibm-aix5.3.0.0 platform
2015.05.06 12:08:03 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
2015.05.06 12:08:03 LOG5[ui]: Threading:PTHREAD Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2015.05.06 12:08:03 LOG7[ui]: errno: (*_Errno())
2015.05.06 12:08:03 LOG5[ui]: Reading configuration from file /opt/freeware/etc/stunnel/stunnel.conf
2015.05.06 12:08:03 LOG5[ui]: UTF-8 byte order mark not detected
2015.05.06 12:08:03 LOG7[ui]: Compression disabled
2015.05.06 12:08:03 LOG7[ui]: Snagged 64 random bytes from //.rnd
2015.05.06 12:08:03 LOG7[ui]: Wrote 1024 new random bytes to //.rnd
2015.05.06 12:08:03 LOG7[ui]: PRNG seeded successfully
2015.05.06 12:08:03 LOG6[ui]: Initializing service [client]
2015.05.06 12:08:03 LOG6[ui]: Loading certificate from file: /usr/share/ssl/certs/skdkgesaix53-client-cert.pem
2015.05.06 12:08:03 LOG6[ui]: Loading key from file: /usr/share/ssl/certs/skdkgesaix53-client-key.pem
2015.05.06 12:08:03 LOG7[ui]: Private key check succeeded
2015.05.06 12:08:03 LOG7[ui]: Verify directory set to /usr/share/ssl/certs
2015.05.06 12:08:03 LOG7[ui]: Added /usr/share/ssl/certs revocation lookup directory
2015.05.06 12:08:03 LOG6[ui]: Peer certificate location /usr/share/ssl/certs
2015.05.06 12:08:03 LOG7[ui]: SSL options: 0x01000004 (+0x03000000, -0x02000000)
2015.05.06 12:08:03 LOG6[ui]: Initializing service [server]
2015.05.06 12:08:03 LOG6[ui]: Loading certificate from file: /usr/share/ssl/certs/skdkgesaix53-server-cert.pem
2015.05.06 12:08:03 LOG6[ui]: Loading key from file: /usr/share/ssl/certs/skdkgesaix53-server-key.pem
2015.05.06 12:08:03 LOG7[ui]: Private key check succeeded
2015.05.06 12:08:03 LOG7[ui]: Verify directory set to /usr/share/ssl/certs
2015.05.06 12:08:03 LOG7[ui]: Added /usr/share/ssl/certs revocation lookup directory
2015.05.06 12:08:03 LOG6[ui]: Peer certificate location /usr/share/ssl/certs
2015.05.06 12:08:03 LOG7[ui]: DH initialization
2015.05.06 12:08:03 LOG7[ui]: Could not load DH parameters from /usr/share/ssl/certs/skdkgesaix53-server-cert.pem
2015.05.06 12:08:03 LOG7[ui]: Using hardcoded DH parameters
2015.05.06 12:08:03 LOG7[ui]: DH initialized with 2048-bit key
2015.05.06 12:08:03 LOG7[ui]: ECDH initialization
2015.05.06 12:08:03 LOG7[ui]: ECDH initialized with curve prime256v1
2015.05.06 12:08:03 LOG7[ui]: SSL options: 0x01004004 (+0x03004000, -0x02000000)
2015.05.06 12:08:03 LOG5[ui]: Configuration successful
2015.05.06 12:08:03 LOG7[ui]: Listening file descriptor created (FD=7)
2015.05.06 12:08:03 LOG7[ui]: Service [client] (FD=7) bound to 127.0.0.1:22
2015.05.06 12:08:03 LOG7[ui]: Listening file descriptor created (FD=8)
2015.05.06 12:08:03 LOG7[ui]: Service [server] (FD=8) bound to 172.26.85.13:2222
2015.05.06 12:08:04 LOG7[main]: Created pid file /var/pid/stunnel.pid
2015.05.06 12:08:29 LOG7[main]: Service [server] accepted (FD=3) from 172.26.85.14:52649
2015.05.06 12:08:29 LOG7[0]: Service [server] started
2015.05.06 12:08:29 LOG5[0]: Service [server] accepted connection from 172.26.85.14:52649
2015.05.06 12:08:29 LOG7[0]: SSL state (accept): before/accept initialization
2015.05.06 12:08:29 LOG7[0]: SNI: no virtual services defined
2015.05.06 12:08:29 LOG7[0]: SSL state (accept): SSLv3 read client hello A
2015.05.06 12:08:29 LOG7[0]: SSL state (accept): SSLv3 write server hello A
2015.05.06 12:08:29 LOG7[0]: SSL state (accept): SSLv3 write certificate A
INTERNAL ERROR: Bad magic at tls.c, line 182
--Doug
On 06.05.2015 18:14, Eckert, Doug wrote:
> I've gotten v5.17 compiled on AIX 5.3 & 6.1 with the following
> xlccmp.13.1.0 13.1.0.3 COMMITTED XL C compiler
> openssl.base 1.0.1.513 COMMITTED Open Secure Socket Layer
> IV71446m9a Ifix for Openssl CVE
> Everything seems to have compiled fine. I packaged it up, installed, and set up a quick config. The server side aborts on me. Debug output follows. Need some direction on where to look next. Thanks in advance!
[cut]
> 2015.05.06 12:08:03 LOG5[ui]: stunnel 5.17 on powerpc-ibm-aix5.3.0.0 platform
> 2015.05.06 12:08:03 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
[cut]
> INTERNAL ERROR: Bad magic at tls.c, line 182
There seems to be a bug in your OpenSSL. OPENSSL_free() function was invoked on a memory block that was *not* allocated with OPENSSL_malloc(), or it was already released (double free).
You may try to compile your OpenSSL from source.
Mike
Thanks for the reply!
I've re-tried without eFix IV71446m9a (interim fixes for CVE & such) applied and got the same result. I was hoping it was something that may have been introduced recently. I've opened a support case against OpenSSL 1.0.1.513, as it's likely to manifest in other ways as well.
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Stunnel v5.03 is the most recent version we're using, although with earlier OpenSSL versions in place.
With that in mind, I compiled stunnel v5.03 with the same OpenSSL 1.0.1.513 and iFix IV71446m9a applied as with the v5.17 attempt. I'm able to create sessions with no problem. The internal error/bad magic does not occur.
On 12.05.2015 18:29, Eckert, Doug wrote:
> With that in mind, I compiled stunnel v5.03 with the same OpenSSL 1.0.1.513 and iFix IV71446m9a applied as with the v5.17 attempt. I'm able to create sessions with no problem. The internal error/bad magic does not occur.
Additional security checks to the OpenSSL memory management functions were introduced in stunnel 5.09. The enclosed patch disables them in the latest stunnel 5.17.
Mike
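
The two replies above describe a check in the memory management functions that rejects a free of a block the allocator did not hand out, or one it already released. The following sketch is an added example, not part of the thread and not stunnel's or OpenSSL's code; it shows that kind of check with a marker stored in front of each block. The names guard_alloc and guard_free, the marker values and the fixed arena are assumptions, and it returns a status where stunnel aborts with "Bad magic".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed marker values for this example; not stunnel's. */
#define MAGIC_LIVE 0xA110C8EDu
#define MAGIC_DEAD 0xDEADBEEFu

typedef enum { GUARD_OK, GUARD_BAD_MAGIC, GUARD_DOUBLE_FREE } guard_status;
typedef struct { uint32_t magic, size; uint64_t pad; } guard_hdr; /* 16 bytes */

/* Bump arena: released blocks stay readable, so the double-free check
   never reads memory that went back to the system. */
static _Alignas(16) unsigned char arena[4096];
static size_t arena_used;

void *guard_alloc(size_t size) {
    if (size > sizeof arena) return NULL;
    size_t need = sizeof(guard_hdr) + ((size + 15u) & ~(size_t)15u);
    if (need > sizeof arena - arena_used) return NULL;
    guard_hdr hdr = { MAGIC_LIVE, (uint32_t)size, 0 };
    unsigned char *base = arena + arena_used;
    memcpy(base, &hdr, sizeof hdr);   /* header sits just before the payload */
    arena_used += need;
    return base + sizeof hdr;
}

guard_status guard_free(void *ptr) {
    guard_hdr hdr;
    unsigned char *base = (unsigned char *)ptr - sizeof hdr;
    memcpy(&hdr, base, sizeof hdr);
    if (hdr.magic == MAGIC_DEAD) return GUARD_DOUBLE_FREE;
    if (hdr.magic != MAGIC_LIVE) return GUARD_BAD_MAGIC; /* not our block */
    memset(ptr, 0, hdr.size);         /* scrub payload before release */
    hdr.magic = MAGIC_DEAD;
    memcpy(base, &hdr, sizeof hdr);
    return GUARD_OK;
}

int main(void) {
    unsigned char foreign[64] = {0};  /* constructed: never came from guard_alloc */
    void *p = guard_alloc(24);
    if (!p) return 1;
    printf("first free:   %d\n", (int)guard_free(p));
    printf("second free:  %d\n", (int)guard_free(p));
    printf("foreign free: %d\n", (int)guard_free(foreign + 32));
    return 0;
}
```

A block that comes from one allocator and is released through another fails the marker test in the same way as the foreign buffer here.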