Bug#335510: Bug#334180: Bug#335510: fails to start

2005-10-25 Thread Kurt Roeckx
On Tue, Oct 25, 2005 at 07:46:19PM +0200, Kurt Roeckx wrote:
> 
> It seems that stunnel4 calls SSLeay_add_ssl_algorithms() instead
> of SSL_library_init(), which is a define for the latter anyway,
> and postfix calls OpenSSL_add_ssl_algorithms(), which is also a
> define for the latter.  So it seems that this isn't going to be
> the problem and I'll need to take a deeper look.

Taking a look at stunnel4 again, it seems that ssl_init() is
called too late.

I've tried with the attached patch, and now it works.


Kurt

--- src/stunnel.c.old   2005-10-25 17:57:09.676529824 +
+++ src/stunnel.c   2005-10-25 17:57:48.746590272 +
@@ -81,6 +81,8 @@
 void main_initialize(char *arg1, char *arg2) {
 struct stat st; /* buffer for stat */
 
+ssl_init(); /* initialize SSL library */
+context_init(); /* initialize global SSL context */
 sthreads_init(); /* initialize critical sections & SSL callbacks */
 parse_config(arg1, arg2);
 log_open();
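Review bot: context_init() now runs before parse_config(arg1, arg2) and log_open() in main_initialize(). If context_init() depends on any parsed option, it will see unparsed values at this point, and anything it reports comes before log_open(). Consider moving only ssl_init() to the top, or placing both calls after parse_config() and log_open() if that still fixes the ordering problem.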
@@ -102,8 +104,6 @@
 }
 
 void main_execute(void) {
-ssl_init(); /* initialize SSL library */
-context_init(); /* initialize global SSL context */
 /* check if started from inetd */
 if(local_options.next) { /* there are service sections -> daemon mode */
 daemon_loop();
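Review bot: with both calls removed from main_execute(), nothing in the code records that main_initialize() must have run first, or which step the old position was too late for. Add a comment at the new call site naming the step that needs the SSL library initialised, so the order is not reverted later.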


Bug#334180: Bug#335510: fails to start

2005-10-25 Thread Kurt Roeckx
On Tue, Oct 25, 2005 at 01:11:56AM +0200, Kurt Roeckx wrote:
> On Mon, Oct 24, 2005 at 03:33:23PM -0700, Steve Langasek wrote:
> > 
> > Yes, I'm quite convinced at this point that this is a libssl bug, as it has
> > appeared now on three different packages without any apparent
> > misconfiguration.  Reassigning to libssl0.9.8.  I hope the openssl
> > maintainers know what this is; I haven't been able to find any references to
> > the elusive libz.so in the actual openssl sources.
> 
> I'm wondering if this is the same problem as we had with
> libcrypt-ssleay-perl (#334938) not calling SSL_library_init().
> At least stunnel4 and postfix don't seem to be calling this,
> but dovecot-imapd seems to do it, not sure at the right time,
> didn't have time to look at it.

It seems that stunnel4 calls SSLeay_add_ssl_algorithms() instead
of SSL_library_init(), which is a define for the latter anyway,
and postfix calls OpenSSL_add_ssl_algorithms(), which is also a
define for the latter.  So it seems that this isn't going to be
the problem and I'll need to take a deeper look.


Kurt



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#335271: Bug#334180: Bug#335510: fails to start

2005-10-24 Thread Kurt Roeckx
On Mon, Oct 24, 2005 at 03:33:23PM -0700, Steve Langasek wrote:
> 
> Yes, I'm quite convinced at this point that this is a libssl bug, as it has
> appeared now on three different packages without any apparent
> misconfiguration.  Reassigning to libssl0.9.8.  I hope the openssl
> maintainers know what this is; I haven't been able to find any references to
> the elusive libz.so in the actual openssl sources.

I'm wondering if this is the same problem as we had with
libcrypt-ssleay-perl (#334938) not calling SSL_library_init().
At least stunnel4 and postfix don't seem to be calling this,
but dovecot-imapd seems to do it, not sure at the right time,
didn't have time to look at it.

So I have to wonder if this is a change in requirement to call
this function in 0.9.8.

I will take a closer look at this later, but would appreciate if
someone could test that calling SSL_library_init() fixes the
problem or not.


Kurt






Processed: Re: Bug#335510: fails to start

2005-10-24 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> reassign 335510 libssl0.9.8
Bug#335510: fails to start
Bug reassigned from package `stunnel4' to `libssl0.9.8'.

> reassign 334180 libssl0.9.8
Bug#334180: dovecot-imapd does not load shared libraries or ssl certs
Bug reassigned from package `dovecot-imapd' to `libssl0.9.8'.

> reassign 335271 libssl0.9.8
Bug#335271: postfix: TLS library fails to load libz.so (makes certificates 
unusable)
Bug reassigned from package `postfix' to `libssl0.9.8'.

> merge 335510 334180 335271
Bug#334180: dovecot-imapd does not load shared libraries or ssl certs
Bug#335271: postfix: TLS library fails to load libz.so (makes certificates 
unusable)
Bug#335510: fails to start
Merged 334180 335271 335510.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#334180: Bug#335510: fails to start

2005-10-24 Thread Steve Langasek
reassign 335510 libssl0.9.8
reassign 334180 libssl0.9.8
reassign 335271 libssl0.9.8
merge 335510 334180 335271
thanks

On Mon, Oct 24, 2005 at 07:15:25PM +0200, Julien Lemoine wrote:
> Hello Delian,

>In my opinion this is not a problem of stunnel4. The version is 
> simply linked with openssl 0.9.8 instead
> of 0.9.7. So if there is a problem, it is probably with libssl and not 
> stunnel4.

>I reproduced your problem by putting the same file for cert and key 
> filename.
> Stunnel4 works fine with separation of cert and key files :
> Extract of configuration :
> cert = /etc/stunnel/cert.pem
> key = /etc/stunnel/key.pem

> Log :
> 2005.10.24 19:07:23 LOG5[15299:16384]: stunnel 4.11 on i486-pc-linux-gnu 
> PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
> 2005.10.24 19:07:23 LOG5[15299:16384]: 500 clients allowed

> So I think libssl 0.9.8 does not accept any more cert and key file 
> merged in the same file.

Yes, I'm quite convinced at this point that this is a libssl bug, as it has
appeared now on three different packages without any apparent
misconfiguration.  Reassigning to libssl0.9.8.  I hope the openssl
maintainers know what this is; I haven't been able to find any references to
the elusive libz.so in the actual openssl sources.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
[EMAIL PROTECTED]   http://www.debian.org/




Bug#335510: fails to start

2005-10-24 Thread Delian Krustev
On Monday 24 October 2005 20:15, Julien Lemoine wrote:
> In my opinion this is not a problem of stunnel4. The version is
> simply linked with openssl 0.9.8 instead
> of 0.9.7. So if there is a problem, it is probably with libssl and not
> stunnel4.
>
> I reproduced your problem by putting the same file for cert and key
> filename.
> Stunnel4 works fine with separation of cert and key files :
> Extract of configuration :
> cert = /etc/stunnel/cert.pem
> key = /etc/stunnel/key.pem
>
> Log :
> 2005.10.24 19:07:23 LOG5[15299:16384]: stunnel 4.11 on i486-pc-linux-gnu
> PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
> 2005.10.24 19:07:23 LOG5[15299:16384]: 500 clients allowed
>
> So I think libssl 0.9.8 does not accept any more cert and key file
> merged in the same file.
> Best Regards.

OK, thank you for clearing this out. However we should probably contact 
libssl maintainers or its developers to figure this out. If you're
right the stunnel documentation should be updated, because AFAIR I've
followed it when generating my configs and certificates.

Cheers,
Delian



Bug#335510: fails to start

2005-10-24 Thread Julien Lemoine

Hello Delian,

   In my opinion this is not a problem of stunnel4. The version is 
simply linked with openssl 0.9.8 instead
of 0.9.7. So if there is a problem, it is probably with libssl and not 
stunnel4.


   I reproduced your problem by putting the same file for cert and key 
filename.

Stunnel4 works fine with separation of cert and key files :
Extract of configuration :
cert = /etc/stunnel/cert.pem
key = /etc/stunnel/key.pem

Log :
2005.10.24 19:07:23 LOG5[15299:16384]: stunnel 4.11 on i486-pc-linux-gnu 
PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005

2005.10.24 19:07:23 LOG5[15299:16384]: 500 clients allowed

So I think libssl 0.9.8 does not accept any more cert and key file 
merged in the same file.

Best Regards.

Delian Krustev wrote:


Package: stunnel4
Version: 2:4.110-2
Severity: grave

This version of stunnel fails to start on both testing and unstable.
Here's what's in the logs:

Oct 24 14:29:37 deb-off stunnel[4502]: stunnel 4.11 on i486-pc-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
Oct 24 14:29:38 deb-off stunnel[4502]: Snagged 64 random bytes from /root/.rnd
Oct 24 14:29:38 deb-off stunnel[4502]: Wrote 1024 new random bytes to /root/.rnd
Oct 24 14:29:38 deb-off stunnel[4502]: RAND_status claims sufficient entropy for the PRNG
Oct 24 14:29:38 deb-off stunnel[4502]: PRNG seeded successfully
Oct 24 14:29:38 deb-off stunnel[4502]: Error reading certificate file: /etc/ssl/certs/stunnel.pem
Oct 24 14:29:38 deb-off stunnel[4502]: error stack: 25070067 : error:25070067:DSO support routines:DSO_load:could not load the shared library
Oct 24 14:29:38 deb-off stunnel[4502]: SSL_CTX_use_certificate_chain_file: 25066067: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library

The previous version works ok with the same config and certificate file.
I've downgraded to it and it still works ok.

Here's the config:


cert = /etc/ssl/certs/stunnel.pem
key = /etc/ssl/certs/stunnel.pem

setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7


[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[ssmtp]
accept  = 465
connect = 25


-- System Information:
Debian Release: testing/unstable
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages stunnel4 depends on:
ii  adduser       3.73       Add and remove users and groups
ii  libc6         2.3.5-7    GNU C Library: Shared libraries an
ii  libssl0.9.8   0.9.8a-2   SSL shared libraries
ii  libwrap0      7.6.dbs-8  Wietse Venema's TCP wrappers libra
ii  netbase       4.22       Basic TCP/IP networking system
ii  openssl       0.9.8a-2   Secure Socket Layer (SSL) binary a
ii  perl-modules  5.8.7-7    Core Perl modules

stunnel4 recommends no packages.

-- no debconf information

 








Bug#335510: fails to start

2005-10-24 Thread Delian Krustev
Package: stunnel4
Version: 2:4.110-2
Severity: grave

This version of stunnel fails to start on both testing and unstable.
Here's what's in the logs:

Oct 24 14:29:37 deb-off stunnel[4502]: stunnel 4.11 on i486-pc-linux-gnu PTHREAD+POLL+IPv6+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
Oct 24 14:29:38 deb-off stunnel[4502]: Snagged 64 random bytes from /root/.rnd
Oct 24 14:29:38 deb-off stunnel[4502]: Wrote 1024 new random bytes to /root/.rnd
Oct 24 14:29:38 deb-off stunnel[4502]: RAND_status claims sufficient entropy for the PRNG
Oct 24 14:29:38 deb-off stunnel[4502]: PRNG seeded successfully
Oct 24 14:29:38 deb-off stunnel[4502]: Error reading certificate file: /etc/ssl/certs/stunnel.pem
Oct 24 14:29:38 deb-off stunnel[4502]: error stack: 25070067 : error:25070067:DSO support routines:DSO_load:could not load the shared library
Oct 24 14:29:38 deb-off stunnel[4502]: SSL_CTX_use_certificate_chain_file: 25066067: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library

The previous version works ok with the same config and certificate file.
I've downgraded to it and it still works ok.

Here's the config:


cert = /etc/ssl/certs/stunnel.pem
key = /etc/ssl/certs/stunnel.pem

setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

debug = 7


[pop3s]
accept  = 995
connect = 110

[imaps]
accept  = 993
connect = 143

[ssmtp]
accept  = 465
connect = 25


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages stunnel4 depends on:
ii  adduser       3.73       Add and remove users and groups
ii  libc6         2.3.5-7    GNU C Library: Shared libraries an
ii  libssl0.9.8   0.9.8a-2   SSL shared libraries
ii  libwrap0      7.6.dbs-8  Wietse Venema's TCP wrappers libra
ii  netbase       4.22       Basic TCP/IP networking system
ii  openssl       0.9.8a-2   Secure Socket Layer (SSL) binary a
ii  perl-modules  5.8.7-7    Core Perl modules

stunnel4 recommends no packages.

-- no debconf information
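
Added example, not part of the original report and not stunnel or OpenSSL code: decoding the packed error codes from the log above with the pre-3.0 OpenSSL layout shows that both errors originate in the DSO (shared-library loading) routines, which is where triage should start. The log lines are copied from the report with mail wrapping undone and the syslog prefix dropped; the struct and function names are illustrative.

```c
#include <stdio.h>
#include <string.h>

enum { LIB_DSO = 37 };  /* ERR_LIB_DSO in OpenSSL's err.h */

/* Packed code, pre-3.0 layout: bits 31-24 library, 23-12 function, 11-0 reason. */
struct ossl_err { unsigned long code; unsigned lib, func, reason; char lib_name[64]; };

/* Lines from the report above, with mail wrapping undone and syslog prefix dropped. */
static const char *const SAMPLE[] = {
    "PRNG seeded successfully",
    "Error reading certificate file: /etc/ssl/certs/stunnel.pem",
    "error stack: 25070067 : error:25070067:DSO support routines:DSO_load:could not load the shared library",
    "SSL_CTX_use_certificate_chain_file: 25066067: error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library",
};

/* Decode the first "error:<hex>:<library>:" string in a line; 0 if there is none. */
static int decode_line(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    if (p == NULL || sscanf(p, "error:%8lx:%63[^:]:", &out->code, out->lib_name) != 2)
        return 0;
    out->lib    = (unsigned)((out->code >> 24) & 0xffUL);
    out->func   = (unsigned)((out->code >> 12) & 0xfffUL);
    out->reason = (unsigned)(out->code & 0xfffUL);
    return 1;
}

/* Number of lines whose error originates in the DSO (shared-library loader) code. */
static size_t count_dso_errors(const char *const *lines, size_t n)
{
    struct ossl_err e;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (decode_line(lines[i], &e) && e.lib == (unsigned)LIB_DSO)
            hits++;
    return hits;
}

int main(void)
{
    size_t n = sizeof SAMPLE / sizeof SAMPLE[0];
    struct ossl_err e;
    for (size_t i = 0; i < n; i++)
        if (decode_line(SAMPLE[i], &e))
            printf("%08lx lib=0x%02x (%s) func=0x%03x reason=0x%03x\n",
                   e.code, e.lib, e.lib_name, e.func, e.reason);
    printf("%zu of %zu lines are DSO errors\n", count_dso_errors(SAMPLE, n), n);
    return 0;
}
```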

