NetBSD-Users archive


Fwd: Problems with stunnel segfaulting on every connection



Forgot to forward to the list (again).

-------- Forwarded Message --------
Subject: Re: Problems with stunnel segfaulting on every connection
Date: Mon, 12 Aug 2024 08:25:17 -0400
From: Jason Mitchell <jmitchel%bigjar.com@localhost>
To: Brett Lymn <blymn%internode.on.net@localhost>


On 8/8/24 6:20 PM, Brett Lymn wrote:
> On Thu, Aug 08, 2024 at 01:17:08PM -0400, Jason Mitchell wrote:
>> Thanks for the info and for responding. For the Let's Encrypt certificate
>> the openssl command just prints the base64 PEM file. For the Sectigo
>> certificate it prints all the info about it in human-readable form (included
>> below).
>
> OK, so openssl is happy with the cert, that is good.
>
>> If you don't mind me asking, do you know if your clients are using OCSP?
>> ncat --ssl host 993 doesn't cause the segfault, strangely enough. Also, is
>> yours a wildcard certificate or a certificate for a single host? And is it
>> self-signed? Finally, what version of OpenSSL are you using?
>
> I don't know about OCSP.
>
> Certificate is for a single host, not self-signed, it is issued by
> Entrust.
>
> OpenSSL 3.0.12 24 Oct 2023 (Library: OpenSSL 3.0.12 24 Oct 2023)

Brett,

Thanks for the responses (did I already say that?). I've confirmed that OCSP stapling causes the crash. For example:

openssl s_client -connect A.B.C.D:993

Doesn't cause stunnel to crash. But

openssl s_client -connect A.B.C.D:993 -status

does cause the crash. (The -status flag enables OCSP stapling). Also, I tested with current (10.99.11) and 9.x. In both cases stunnel crashed.

I've added a whole mess of logging to stunnel's ocsp.c and have isolated the problem to the DNS lookup that stunnel does when it goes to get the OCSP status information for the certificate. I confirmed this by adding an entry to /etc/hosts for the OCSP host listed in my certificate and stunnel didn't crash. The place where stunnel crashes in ocsp.c is "if(!hostport2addr(&addr, host, port, 0)) { " ... which calls stunnel's resolver.c.

The above is for stunnel 5.73, hopefully it's not too different for 5.71 or 5.72.

I'll add more logging to resolver.c today or tomorrow. Any suggestions are greatly appreciated.

Thanks,

Jason M.
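The steps on the crash path described in the mail above, as an added example in POSIX sh that is not stunnel's code and was not posted by anyone in the thread: it pulls the OCSP responder URL out of the server certificate with `openssl x509 -ocsp_uri`, splits it into the host and port a resolver call such as hostport2addr() needs, checks whether that host resolves at all (which is what the /etc/hosts workaround makes succeed), and runs the `s_client` invocation with `-status` so the server is asked to staple. The responder URL ocsp.example.test, the CERT and SERVER environment variables, and the use of getent(1) for the lookup are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not stunnel's code. Walks the OCSP stapling path by hand:
# certificate -> responder URL -> host/port -> name resolution -> handshake.

# Split an OCSP responder URL into "host port", the two values a resolver
# call needs. http defaults to 80, https to 443; an explicit :port wins.
ocsp_host_port() {
    uri=$1
    case $uri in
        http://*)  rest=${uri#http://};  port=80 ;;
        https://*) rest=${uri#https://}; port=443 ;;
        *) echo "unsupported URI scheme: $uri" >&2; return 1 ;;
    esac
    hostport=${rest%%/*}                 # drop the path component
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport ;;
    esac
    [ -n "$host" ] || { echo "empty host in: $uri" >&2; return 1; }
    case $port in
        ''|*[!0-9]*) echo "bad port in: $uri" >&2; return 1 ;;
    esac
    echo "$host $port"
}

# Print the OCSP responder URL(s) from the certificate's AIA extension.
# -ocsp_uri is a real openssl x509 option.
ocsp_uri_from_cert() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Does the responder host resolve? Uses getent(1), which consults
# /etc/hosts and DNS in the order nsswitch.conf specifies (assumption:
# getent is available, as it is on NetBSD and glibc systems).
responder_resolves() {
    hp=$(ocsp_host_port "$1") || return 1
    getent hosts "${hp%% *}" >/dev/null 2>&1
}

# Constructed offline samples of responder URLs.
ocsp_host_port "http://ocsp.example.test/"         # ocsp.example.test 80
ocsp_host_port "http://ocsp.example.test:8080/x"   # ocsp.example.test 8080

# Live checks only when the operator supplies a PEM file and a server.
if [ -n "${CERT:-}" ]; then
    for u in $(ocsp_uri_from_cert "$CERT"); do
        if responder_resolves "$u"; then
            echo "resolves:         $u"
        else
            echo "does NOT resolve: $u"
        fi
    done
fi
if [ -n "${SERVER:-}" ]; then
    # Without -status the handshake succeeds against the server in the
    # mail; with -status the client sends a certificate status request and
    # the server goes looking for the responder before it can staple.
    echo | openssl s_client -connect "$SERVER" -status 2>&1 | grep -A2 "OCSP response" || true
fi
```

Run it with `CERT=/path/to/server.pem SERVER=A.B.C.D:993 sh ocsp-check.sh`. If the responder host does not resolve, that is the same condition the /etc/hosts entry papered over in the mail; a clean failure here, as opposed to a segfault, is what a correct resolver path should produce.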


