[stunnel-users] Stunnel 5.57b2 OpenSSL 1.1.1g

Olaf Brandt olaf at brandt.berlin
Tue May 19 08:11:27 CEST 2020


Hi,

I have an issue with stunnel since OpenSSL was updated to 1.1.1g.

Stunnel has been built from scratch after the update and gives these errors:

[ ] Clients allowed=500
[.] stunnel 5.57 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.1.1g  21 Apr 2020
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [dns_local]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] No certificate or private key specified
[!] error queue: crypto/x509/by_file.c:205: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
[!] error queue: crypto/pem/pem_info.c:196: error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib
[!] error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:1118: error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header
[!] SSL_CTX_load_verify_locations: crypto/asn1/asn1_lib.c:91: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
[!] Service [dns_local]: Failed to initialize TLS context
[ ] Deallocating section defaults
[ ] Deallocating section [dns_local]
[ ] Deallocating section defaults

Config:

chroot=/var/lib/stunnel
pid=/var/run/stunnel.pid
debug = debug

[dns_local]
sslVersion = TLSv1.3
client = yes
accept = localhost:1053
connect = 185.95.218.42:853
checkHost = dns.digitale-gesellschaft.ch
verifyPeer = yes
CAfile = /etc/stunnel/cf.crt


[dns_local_fallback]
sslVersion = TLSv1.3
client = yes
accept = localhost:1054
connect = 185.95.218.43:853
checkHost = dns.digitale-gesellschaft.ch
verifyPeer = yes
CAfile = /etc/stunnel/cf43.crt

OpenSSL check of the cert files seems OK:

openssl x509 -text -noout -in /etc/stunnel/cf.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:16:19:87:62:ac:be:ec:92:7b:6e:75:b8:a3:2e:ba:ea:28
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: May 17 21:00:22 2020 GMT
            Not After : Aug 15 21:00:22 2020 GMT
        Subject: CN = dns.digitale-gesellschaft.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c0:01:03:42:24:5b:07:7e:46:06:fc:e0:21:56:
                    93:c4:6a:3c:88:c8:df:be:91:d6:d8:7a:b7:fc:3f:
                    8c:f1:b9:74:ec:c1:3b:2b:02:fe:27:93:1e:d6:d3:
                    a1:95:31:ed:c7:06:26:28:74:60:7e:70:53:39:4b:
                    e5:43:c2:81:dc:50:f3:d7:9e:0b:87:5b:2c:e8:a8:
                    eb:71:bc:7b:04:92:d5:be:66:ba:0e:d8:9f:27:28:
                    77:9f:7c:68:2f:2f:64:2d:8a:86:f7:cf:c6:3a:c1:
                    1b:d4:e9:95:d6:c0:f3:77:f3:cd:79:16:40:86:ce:
                    d5:dc:be:b2:c6:5b:7c:fe:e3:68:8d:25:61:41:a8:
                    99:b3:f4:62:60:19:bf:96:32:46:ef:e4:6a:c2:3d:
                    00:f6:44:b9:63:94:50:0e:fb:a0:e1:88:eb:79:cf:
                    b7:a5:d1:29:0c:d6:bf:ee:ad:1b:9b:8e:7c:94:4f:
                    f8:5a:0e:a7:5e:62:e7:67:61:9e:83:cb:a0:f7:56:
                    f6:bc:ec:df:4d:60:6a:fe:08:fa:1c:ae:17:05:54:
                    0f:b0:f8:1f:6c:78:ca:a0:99:ec:4b:06:b3:79:97:
                    88:d1:7e:c8:93:cf:15:6b:9d:ea:d2:ef:88:da:1b:
                    e8:2b:dd:0d:6e:f2:7e:f3:75:60:03:6a:87:64:79:
                    e6:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                9C:E3:0E:F4:F1:60:60:EC:21:7D:D8:D6:5F:0E:7B:FF:90:DB:68:01
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                    Timestamp : May 17 22:00:22.318 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:3D:7F:5A:57:E3:CE:42:A0:2A:16:FD:59:
                                AE:7A:11:19:AE:BE:BE:AA:5A:4A:B0:1E:66:8E:D6:21:
                                A8:35:F8:CB:02:21:00:DB:06:63:54:26:03:76:28:CD:
                                05:BF:08:8B:1B:95:2B:D2:A1:B3:AC:63:6A:DD:84:E7:
                                84:3A:70:A6:54:31:2B
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : May 17 22:00:22.412 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:EA:BC:2D:B6:B1:71:0B:CE:75:A7:15:
                                86:D2:C0:05:49:08:38:CC:B9:EF:DA:1F:23:53:1A:5F:
                                BD:31:19:A5:0A:02:20:21:2F:94:08:61:D0:A8:CA:3F:
                                71:D3:54:4D:E3:56:50:91:51:A6:01:16:77:9E:AE:31:
                                2E:43:E1:68:C0:CE:F2
    Signature Algorithm: sha256WithRSAEncryption
         9b:b8:24:f8:30:fc:77:5d:67:91:40:c7:bf:58:cf:64:67:7f:
         87:33:8e:04:19:93:98:bb:35:cb:4e:b3:78:c0:04:5c:48:f4:
         74:38:f2:57:02:38:3b:84:19:aa:9b:39:08:1d:f9:62:f4:c7:
         af:e4:17:40:02:99:7a:c5:24:fc:ee:b1:d5:95:b0:a2:58:f0:
         db:44:0f:50:3c:92:81:e8:8f:81:4d:e1:eb:e4:86:5d:d0:c8:
         31:d2:30:07:7f:56:48:65:bd:a0:01:38:19:81:e4:80:38:21:
         1f:ae:13:96:54:cd:9f:b1:cb:b2:47:00:f0:8b:d4:0d:61:29:
         99:cb:71:ee:f6:53:ab:27:45:33:7b:0c:f4:e4:85:58:a7:8e:
         58:8e:88:04:0d:e8:03:18:41:e6:8f:b5:c1:c1:9d:da:57:0a:
         85:d7:19:05:4f:f9:8f:8c:b5:60:3f:67:f0:d8:fd:10:98:ad:
         de:25:88:7b:67:0f:bd:e1:7c:21:fb:35:8c:b2:26:78:de:b1:
         54:a4:e9:9f:e0:48:d6:1a:0e:60:a6:f6:21:8c:b3:df:21:a1:
         0c:16:d4:ab:93:3a:5d:94:22:34:40:5b:7e:ef:ea:f8:a1:15:
         d6:8d:69:aa:40:fe:ae:6f:79:dd:49:49:1a:88:0f:15:61:19:
         00:f8:41:6c

openssl x509 -text -noout -in /etc/stunnel/cf43.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:2b:84:39:5e:99:3d:2d:85:52:63:3a:d2:fa:bc:2e:60:4b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Mar 16 22:01:15 2020 GMT
            Not After : Jun 14 22:01:15 2020 GMT
        Subject: CN = dns.digitale-gesellschaft.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bc:0e:73:84:9c:89:7c:f8:2a:db:79:5f:78:ac:
                    39:a8:c5:25:b4:86:5b:9e:1c:3c:14:a6:17:ae:67:
                    f1:02:17:0b:dc:36:ea:a1:9c:57:91:5b:5a:91:6b:
                    df:7b:4c:74:7e:6c:e2:eb:5f:a5:95:02:25:43:c1:
                    3e:f0:67:5d:80:27:6f:37:72:0e:1f:b7:c3:13:e2:
                    3a:a5:13:b6:41:d0:01:aa:d0:7f:68:d4:5e:10:95:
                    ee:17:bb:8d:8b:77:a3:7e:c8:9e:7a:8a:35:8a:09:
                    00:82:80:67:70:34:ac:f5:bc:24:4a:b9:c4:df:1f:
                    1e:e4:48:66:a8:76:60:d8:a3:d5:64:3b:9d:7e:7b:
                    18:99:f7:31:a5:28:4e:a4:47:24:25:af:18:32:d5:
                    f9:98:67:21:f7:49:23:c2:72:00:73:e5:25:ca:af:
                    a5:ae:df:00:62:d8:f2:5e:1e:8a:26:5a:63:5b:22:
                    e1:eb:2d:b4:e9:57:de:16:8c:a0:72:db:ff:82:46:
                    b8:d8:55:ad:55:84:e5:65:b5:86:8b:47:00:ea:85:
                    0d:74:c6:9d:9f:95:e4:3a:19:fe:3d:8f:5f:4b:f8:
                    ed:a5:93:3f:ea:31:fd:41:74:7e:6b:ae:bf:98:9a:
                    70:85:d8:9f:51:85:fc:5e:11:eb:b9:60:6a:c3:bf:
                    81:f7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                DE:64:78:2F:E4:81:84:C3:C9:3F:5C:01:DB:D0:42:E2:0D:CB:48:B8
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                    Timestamp : Mar 16 23:01:15.249 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:04:32:96:55:70:AB:40:41:3B:E2:6C:E3:
                                8E:78:1E:82:F7:84:57:6A:76:2C:11:2B:24:A6:BB:72:
                                59:F1:F9:8A:02:20:67:12:DB:64:C1:D8:15:5D:3F:ED:
                                8B:8F:01:68:B8:A1:D2:B0:20:2B:32:54:11:14:82:72:
                                06:B8:E6:1C:1C:69
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                    Timestamp : Mar 16 23:01:15.303 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:1B:C7:5B:F2:A9:04:12:6A:62:E8:33:F9:
                                BD:08:39:1D:0F:F3:39:8D:F2:F8:37:E3:C8:05:CC:1B:
                                E7:31:F7:83:02:20:12:47:02:D3:E3:93:48:9A:F3:5A:
                                B9:F4:12:85:87:0F:D4:F2:B7:79:F5:8C:DD:77:D4:5E:
                                BE:D0:95:27:83:9C
    Signature Algorithm: sha256WithRSAEncryption
         82:30:ea:0a:6f:45:53:e7:f8:a0:80:69:47:a4:7d:ee:6a:78:
         a3:34:00:f1:bb:0d:c8:3a:1f:37:8e:25:f9:9d:cc:a5:e0:15:
         03:a5:da:2a:28:af:89:97:f9:d6:20:61:ae:1e:16:80:f4:1a:
         2c:08:ac:74:f3:80:2f:ae:17:f7:f4:b4:1c:b7:f1:59:f9:73:
         fd:12:cb:e3:48:36:bd:fe:99:38:69:44:7f:3b:dc:38:98:54:
         75:f5:00:d0:de:93:eb:5a:4d:5e:65:d0:99:9e:64:75:8f:cd:
         e4:6f:1e:22:d5:8f:cb:4d:78:ef:0e:70:38:b7:f0:af:4d:30:
         7b:9a:ea:1d:6c:b7:cb:18:2b:de:5a:18:d2:4b:bb:e6:79:b2:
         45:8b:01:dc:d1:15:45:cc:cc:f0:5d:a6:98:10:90:72:d2:da:
         ef:7a:3c:1c:af:42:f0:7f:85:5b:49:53:e8:b3:51:11:e4:93:
         fc:b3:8a:dc:bc:5c:40:8d:bb:36:be:36:87:09:de:23:19:29:
         1d:f3:7e:70:5b:43:43:ad:6e:a4:b4:55:ac:9e:f5:10:05:31:
         a7:a5:00:66:8a:e7:67:4e:02:2a:2d:40:d4:2c:e8:f1:bb:35:
         8d:b7:cf:52:b0:71:04:72:d0:ab:fb:e6:f6:c7:45:33:db:88:
         d5:90:f0:32

Any suggestions?

Thanks.
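One check worth running against both CAfile paths, as an added example that is not part of the original post and not code from the stunnel project: `openssl x509 -in FILE` parses only the first PEM object in a file, whereas stunnel loads CAfile through SSL_CTX_load_verify_locations (visible in the log above), which hands the whole file to X509_load_cert_crl_file and decodes every PEM block it contains. A second block that is truncated or otherwise damaged therefore produces exactly the "bad object header" / "too long" ASN.1 errors shown while the `openssl x509` check still looks fine. The script below imitates that behaviour: it walks every PEM block, base64-decodes it and checks the outer DER envelope of an X.509 certificate. All function names, the sample bundle and the synthetic DER bytes are constructed for this example; the DER in the sample is shape-only, not a real certificate.

```python
"""Audit a stunnel CAfile the way OpenSSL's X509_load_cert_crl_file reads it.

openssl x509 stops after the first PEM object; SSL_CTX_load_verify_locations
decodes every PEM block in the file, so this script does the same and reports
the first structural defect in each block. Constructed example code."""
import base64
import re
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN ([^-\r\n]+)-----(.*?)-----END \1-----", re.S)


def der_length(buf, pos):
    """Decode the DER length octets at buf[pos]; return (length, position after them)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad length encoding")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def check_certificate_der(der):
    """Check the outer shape of an X.509 Certificate:
    SEQUENCE { SEQUENCE tbsCertificate, SEQUENCE signatureAlgorithm, BIT STRING signatureValue }.
    Returns None when the envelope is consistent, else a short description of the defect."""
    if not der:
        return "empty block"
    if der[0] != 0x30:
        return "bad object header: outer tag 0x%02x is not SEQUENCE" % der[0]
    try:
        length, pos = der_length(der, 1)
    except (ValueError, IndexError) as e:
        return "bad length: %s" % e
    available = len(der) - pos
    if length > available:                # what OpenSSL reports as ASN1_get_object:too long
        return "too long: header claims %d bytes, only %d available" % (length, available)
    if length < available:
        return "trailing garbage: %d extra bytes after certificate" % (available - length)
    end = pos + length
    for tag, name in ((0x30, "tbsCertificate"), (0x30, "signatureAlgorithm"), (0x03, "signatureValue")):
        if pos >= end:
            return "truncated: missing %s" % name
        if der[pos] != tag:
            return "bad object header in %s: tag 0x%02x" % (name, der[pos])
        try:
            inner_len, inner_pos = der_length(der, pos + 1)
        except (ValueError, IndexError) as e:
            return "bad length in %s: %s" % (name, e)
        if inner_pos + inner_len > end:
            return "too long: %s overruns the enclosing SEQUENCE" % name
        pos = inner_pos + inner_len
    if pos != end:
        return "unexpected extra element inside Certificate"
    return None


def audit_pem_bundle(data):
    """Return [(block_number, label, problem)] for every PEM block in data.
    problem is None for blocks whose DER envelope looks like a certificate."""
    results = []
    if data.startswith(b"\xef\xbb\xbf"):
        results.append((0, "file", "UTF-8 byte order mark before the first PEM block"))
    blocks = list(PEM_BLOCK.finditer(data))
    if not blocks:
        results.append((0, "file", "no PEM blocks found"))
    for number, m in enumerate(blocks, 1):
        label = m.group(1).decode("ascii", "replace")
        if label != "CERTIFICATE":
            results.append((number, label, "not a CERTIFICATE block; check whether it belongs in CAfile"))
            continue
        body = re.sub(rb"\s+", b"", m.group(2))  # PEM allows line folding and CR/LF
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            results.append((number, label, "base64 decoding failed (stray characters in block?)"))
            continue
        results.append((number, label, check_certificate_der(der)))
    return results


def make_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-column lines (used to build the sample)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines) + b"\n-----END " + label + b"-----\n"


# Constructed sample: a minimal, shape-only DER "certificate" (not a real X.509 cert),
# followed by a truncated copy and a copy with a stray character in its base64.
GOOD_DER = bytes.fromhex("300e" "3003020101" "300306012a" "030200ff")
SAMPLE_BUNDLE = (make_pem(b"CERTIFICATE", GOOD_DER)
                 + make_pem(b"CERTIFICATE", GOOD_DER[:-3])
                 + make_pem(b"CERTIFICATE", GOOD_DER).replace(b"MA4w", b"MA4!", 1))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for number, label, problem in audit_pem_bundle(data):
        print("block %d (%s): %s" % (number, label, problem or "OK"))
```

Run it as `python3 audit_cafile.py /etc/stunnel/cf.crt` (and again for cf43.crt); with no argument it audits the built-in sample, where block 1 passes, block 2 is reported as "too long" (the same ASN1_get_object complaint as in the stunnel log) and block 3 fails base64 decoding. The script only checks the DER envelope, not signatures or chain validity, so a block it accepts still has to be a trust anchor that actually issued the server certificate; note that both CAfile entries above are the Let's Encrypt end-entity certificates themselves, so the chain check is worth confirming separately with `openssl verify`.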