[stunnel-users] OpenSSL 1.1.1 secure level and also an old problem rearing up

Peter Pentchev roam at ringlet.net
Fri Aug 24 18:15:53 CEST 2018


Hi,

Sorry to be the bearer of a "those OS vendors did something again and
now we have to catch up with them... again..." type of news, but, well,
the maintainers of the Debian package of OpenSSL upgraded it to
a prerelease 1.1.1 version and, in the process, changed the default
cipher selection in the openssl.cnf file to 'SECLEVEL=2'.

Unfortunately, this means that the server certificate used in the
stunnel test suite is not considered strong enough, so the test suite is
failing.  More details may be found in the description of the Debian bug
https://bugs.debian.org/906981 and the error message itself is at
https://ci.debian.net/data/autopkgtest/testing/amd64/s/stunnel4/865956/log.gz
(look for all the lines containing "SSL_CTX_use_certificate:ca md too weak")

So my first reaction was to stop running the stunnel test suite and
only leave my functional test script; however, I then had another idea
and tried to get the stunnel test suite to explicitly specify SECLEVEL=1
using the attached patch.  This actually helped a bit - it made most of
the tests pass - but then I hit a problem with e.g. 037_failover_prio1:
if there is a "ciphers" option in the config file, stunnel eventually
dies with an error that I seem to remember having seen before; take
a look at this gdb backtrace from stunnel 5.48:

(gdb) bt                                                                                                              
#0  __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51                                             
#1  0x00007f0a349882f1 in __GI_abort () at abort.c:79                                                                 
#2  0x000055b1aa3ad645 in fatal_debug (txt=0x55b1aa3c503c "Bad magic", file=0x55b1aa3ca6dd "ssl.c", line=118)         
    at log.c:379                                                                                                      
#3  0x000055b1aa3ae066 in get_alloc_list_ptr (ptr=0x7f0a24014520, file=0x55b1aa3ca6dd "ssl.c", line=118) at str.c:429 
#4  0x000055b1aa3ae229 in str_detach_debug (ptr=ptr at entry=0x7f0a24014520, file=file at entry=0x55b1aa3ca6dd "ssl.c",     
    line=line at entry=118) at str.c:378                                                                                 
#5  0x000055b1aa3ae884 in str_detach_debug (line=118, file=0x55b1aa3ca6dd "ssl.c", ptr=0x7f0a24014520) at str.c:413   
#6  str_free_debug (ptr=0x7f0a24014520, file=0x55b1aa3ca6dd "ssl.c", line=118) at str.c:413                           
#7  0x00007f0a34f7661a in CRYPTO_free_ex_data () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1                      
#8  0x00007f0a35112a98 in SSL_SESSION_free () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1                            
#9  0x00007f0a34f7a1bc in OPENSSL_LH_doall_arg () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1                     
#10 0x00007f0a35114177 in SSL_CTX_flush_sessions () from /usr/lib/x86_64-linux-gnu/libssl.so.1.1                      
#11 0x000055b1aa3c3701 in unbind_ports () at stunnel.c:439                                                            
#12 0x000055b1aa3c3799 in main_cleanup () at stunnel.c:224                                                            
#13 0x000055b1aa3ad720 in main (argc=<optimized out>, argv=<optimized out>) at ui_unix.c:79                           
(gdb)

(the line numbers may be a bit off from the stock stunnel source, since
 I also added a setrlimit(RLIMIT_CORE, infinity) patch)

So, yeah, what would be the best way forward here?  I guess I might
create a new certificate specifically for the Debian package's test
suite, but I think the double-free problem may also need to be fixed.
Let me know if you need any more information about reproducing it or any
more data in case it doesn't happen on your end.
  
Thanks for everything you're doing for stunnel, and keep up the great
work!

G'luck,
Peter

-- 
Peter Pentchev  roam@{ringlet.net,debian.org,FreeBSD.org} pp at storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
-------------- next part --------------
Description: Use cipher security level 0 in the tests.
Debian-Bug: https://bugs.debian.org/906981
Forwarded: not-yet
Author: Peter Pentchev <roam at ringlet.net>
Last-Update: 2018-08-24

--- a/tests/recipes/010_require_cert
+++ b/tests/recipes/010_require_cert
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/011_verify_peer
+++ b/tests/recipes/011_verify_peer
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/012_verify_chain
+++ b/tests/recipes/012_verify_chain
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/013_CRL_file
+++ b/tests/recipes/013_CRL_file
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/015_p12_cert
+++ b/tests/recipes/015_p12_cert
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/020_IPv6
+++ b/tests/recipes/020_IPv6
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/021_FIPS
+++ b/tests/recipes/021_FIPS
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
   fips = yes
 
   [client]
--- a/tests/recipes/022_bind
+++ b/tests/recipes/022_bind
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/030_simple_execute
+++ b/tests/recipes/030_simple_execute
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/031_redirect
+++ b/tests/recipes/031_redirect
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client_1]
   client = yes
--- a/tests/recipes/032_no_redirect
+++ b/tests/recipes/032_no_redirect
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client_1]
   client = yes
--- a/tests/recipes/033_redirect_exec
+++ b/tests/recipes/033_redirect_exec
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client_1]
   client = yes
--- a/tests/recipes/034_no_redirect_exec
+++ b/tests/recipes/034_no_redirect_exec
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client_1]
   client = yes
--- a/tests/recipes/035_SNI
+++ b/tests/recipes/035_SNI
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/036_no_SNI
+++ b/tests/recipes/036_no_SNI
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/037_failover_prio1
+++ b/tests/recipes/037_failover_prio1
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/038_failover_prio2
+++ b/tests/recipes/038_failover_prio2
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/039_failover_rr
+++ b/tests/recipes/039_failover_rr
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/040_reload
+++ b/tests/recipes/040_reload
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client_1]
   client = yes
@@ -26,6 +27,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client_2]
   client = yes
--- a/tests/recipes/041_exec_connect
+++ b/tests/recipes/041_exec_connect
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/042_inetd
+++ b/tests/recipes/042_inetd
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [server]
   accept = 127.0.0.1:${https1}
@@ -21,6 +22,7 @@
   debug = debug
   syslog = no
   output = ${result_path}/stunnel_0.log
+  ciphers = DEFAULT at SECLEVEL=1
   service = inetd client
   client = yes
   connect = 127.0.0.1:${https1}
--- a/tests/recipes/043_session_delay
+++ b/tests/recipes/043_session_delay
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/044_session_nodelay
+++ b/tests/recipes/044_session_nodelay
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/110_failure_require_cert
+++ b/tests/recipes/110_failure_require_cert
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/111_failure_verify_peer
+++ b/tests/recipes/111_failure_verify_peer
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/112_failure_verify_chain
+++ b/tests/recipes/112_failure_verify_chain
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/113_failure_CRL_file
+++ b/tests/recipes/113_failure_CRL_file
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/120_failure_no_cert
+++ b/tests/recipes/120_failure_no_cert
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
--- a/tests/recipes/121_failure_wrong_config
+++ b/tests/recipes/121_failure_wrong_config
@@ -7,6 +7,7 @@
   syslog = no
   pid = ${result_path}/stunnel.pid
   output = ${result_path}/stunnel.log
+  ciphers = DEFAULT at SECLEVEL=1
 
   [client]
   client = yes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20180824/5c834169/attachment.sig>


More information about the stunnel-users mailing list