[stunnel-users] getting better, now "verify=0" causes Bus Error. (Re: I am having problems with the 4.5x-series also: Pan connects, nothing else happens.)
Michal Trojnara
Michal.Trojnara at mirt.net
Thu Jan 12 11:18:38 CET 2012
SciFi wrote:
> 2012.01.11 20:48:52 LOG5[25326:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
> 2012.01.11 20:48:52 LOG5[25326:2697274688]: Compiled with OpenSSL 1.1.0-dev xx XXX xxxx
> 2012.01.11 20:48:52 LOG5[25326:2697274688]: Running with OpenSSL 0.9.8r 8 Feb 2011
> 2012.01.11 20:48:52 LOG5[25326:2697274688]: Update OpenSSL shared libraries or rebuild stunnel
[cut]
> Program received signal EXC_BAD_ACCESS, Could not access memory.
> Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
> [Switching to process 25326 thread 0x1403]
> 0x94b0b2d6 in X509_get_subject_name ()
> (gdb) bt
> #0 0x94b0b2d6 in X509_get_subject_name ()
> #1 0x0000f213 in verify_callback ()
[cut]
> I'm sorry, that's about as deep as I know to go. ;)

The level of detail is perfectly fine. A different numeric part of the
OpenSSL version number indicates major changes in code *and* data
structures. This is very likely to cause crashes. The architecture
details of 0.9.8 and 1.1.0 are very different.

I modified stunnel to make it independent of the layout of the
X509_STORE_CTX data structure:
ftp://ftp.stunnel.org/stunnel/beta/stunnel-4.52b3.tar.gz

It's still better to run stunnel with the version of OpenSSL it was
compiled with.

> But I should be able to do more tests with detailed instructions if
> needed.
>
> For now, I will comment-out the "verify" line, and use this build
> with your basic .conf file even tho it makes me remain highly
> paranoid. ;(
That's good. Without certificate-based authentication, SSL is
vulnerable to man-in-the-middle attacks.
Mike
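
Added example, not part of the original message and not stunnel's own code: a startup check that applies the rule stated above, treating a difference in the numeric part (major.minor.fix) between the OpenSSL headers and the loaded library as incompatible. The helper names are hypothetical and the two version constants are constructed from the version strings in the quoted log; in a real program the compiled value is OPENSSL_VERSION_NUMBER and the runtime value comes from SSLeay() (0.9.8/1.0.x) or OpenSSL_version_num() (1.1.0 and later).

```c
#include <stdio.h>
#include <string.h>

/* Pre-3.0 OpenSSL packs its version as 0xMNNFFPPS:
 * M major, NN minor, FF fix, PP patch letter (1 = 'a'), S status. */
enum { VER_SAME, VER_PATCH_DIFF, VER_INCOMPATIBLE };

static unsigned field(unsigned long v, int shift, unsigned mask)
{
    return (unsigned)(v >> shift) & mask;
}

/* Hypothetical helper: compare header version with library version.
 * The status nibble (dev/beta/release) is ignored. */
static int ossl_compare(unsigned long compiled, unsigned long runtime)
{
    /* Bits 12..31 hold major.minor.fix, the "numeric part". */
    if ((compiled >> 12) != (runtime >> 12))
        return VER_INCOMPATIBLE;
    if (field(compiled, 4, 0xff) != field(runtime, 4, 0xff))
        return VER_PATCH_DIFF;
    return VER_SAME;
}

/* Render the packed number as text; betas are shown without a number. */
static const char *ossl_format(unsigned long v, char *buf, size_t len)
{
    unsigned patch = field(v, 4, 0xff), status = field(v, 0, 0xf);
    char letter[2] = { 0, 0 };
    if (patch >= 1 && patch <= 26)
        letter[0] = (char)('a' + patch - 1);
    snprintf(buf, len, "%u.%u.%u%s%s", field(v, 28, 0xf),
             field(v, 20, 0xff), field(v, 12, 0xff), letter,
             status == 0 ? "-dev" : status == 0xf ? "" : "-beta");
    return buf;
}

int main(void)
{
    /* Constructed from the version strings in the quoted log. */
    unsigned long compiled = 0x10100000UL; /* 1.1.0-dev */
    unsigned long runtime  = 0x0090812fUL; /* 0.9.8r */
    char a[32], b[32];
    int rc = ossl_compare(compiled, runtime);
    printf("compiled %s, running %s: %s\n",
           ossl_format(compiled, a, sizeof a),
           ossl_format(runtime, b, sizeof b),
           rc == VER_INCOMPATIBLE ? "refusing to start" : "ok");
    return rc == VER_INCOMPATIBLE;
}
```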