Re: stunnel crashes with weak certificates... could it be OpenSSL?
On Fri, Feb 12, 2010 at 01:04:01PM -0700, Thomas J. Hruska wrote: > Roger Cruz wrote: >> I posted the following message in the stunnel group. I'm following that >> posting here because I believe this may be an issue with the underlying >> library which is OpenSSL. Is there a known issue with certificates for >> version 0.9.8b that are aware of? What version of OpenSSL contains the >> fix if there is one? >> Roger > > 0.9.8b is ancient (almost 4 years old). There have been many security > updates and patches since then. Current release is 0.9.8l (with a beta of > 0.9.8m also available). Try updating OpenSSL first to 0.9.8l. Also, the reported crash was in the Kerberos library, and it is unwise to attempt to enable the Kerberos ciphers, they are obsolete and insecure (single DES). If the Kerberos ciphers are off by default, the OP should not enable them. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: stunnel crashes with weak certificates... could it be OpenSSL?
Roger Cruz wrote: I posted the following message in the stunnel group. I'm following that posting here because I believe this may be an issue with the underlying library which is OpenSSL. Is there a known issue with certificates for version 0.9.8b that are aware of? What version of OpenSSL contains the fix if there is one? Roger 0.9.8b is ancient (almost 4 years old). There have been many security updates and patches since then. Current release is 0.9.8l (with a beta of 0.9.8m also available). Try updating OpenSSL first to 0.9.8l. -- Thomas Hruska Shining Light Productions Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL. http://www.slproweb.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
stunnel crashes with weak certificates... could it be OpenSSL?
I posted the following message in the stunnel group. I'm following that posting here because I believe this may be an issue with the underlying library which is OpenSSL. Is there a known issue with certificates for version 0.9.8b that are aware of? What version of OpenSSL contains the fix if there is one? Roger -- We ran Nessus on a Linux system and found that stunnel crashes when the weak certificate suite is enabled. GDB shows the stack trace below and it appears to be in the SSL library. My search on this mailing list led me to this message that appears to report a similar problem http://mirt.net/pipermail/stunnel-users/2008-January/001830.html Am I to understand that the problem is really with OpenSSL and that's what needs to be upgraded? If so, do we know what version will have the fixed problem? I'm going to post in the OpenSSL forum as well, but I wanted to start here since from our perspective, Stunnel is the one crashing. Thank you Roger Cruz 2010.02.05 12:49:11 LOG7[13524:3086718672]: Cleaning up the signal pipe 2010.02.05 12:49:11 LOG6[13524:3086718672]: Child process 13575 finished with code 0 Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0xb7fa7b90 (LWP 13574)] 0x007b24a7 in krb5_is_referral_realm () from /usr/lib/libkrb5.so.3 (gdb) bt #0 0x007b24a7 in krb5_is_referral_realm () from /usr/lib/libkrb5.so.3 #1 0x0089d338 in kssl_keytab_is_available () from /lib/libssl.so.6 #2 0x008803b1 in ssl3_choose_cipher () from /lib/libssl.so.6 #3 0x0087b2a2 in ssl3_get_client_hello () from /lib/libssl.so.6 #4 0x0087bc85 in ssl3_accept () from /lib/libssl.so.6 #5 0x0089109a in SSL_accept () from /lib/libssl.so.6 #6 0x00884d0d in ssl23_get_client_hello () from /lib/libssl.so.6 #7 0x0088554b in ssl23_accept () from /lib/libssl.so.6 #8 0x0089109a in SSL_accept () from /lib/libssl.so.6 #9 0x003628e2 in ?? () from /usr/sbin/stunnel #10 0x00363acd in ?? () from /usr/sbin/stunnel #11 0x003645ba in ?? () from /usr/sbin/stunnel #12 0x003646a8 in client () from /usr/sbin/stunnel #13 0x0025f45b in start_thread () from /lib/libpthread.so.0 #14 0x00448e5e in clone () from /lib/libc.so.6 (gdb) quit [r...@p20xen1 current_hq]# stunnel -version stunnel 4.15 on i686-redhat-linux-gnu with OpenSSL 0.9.8b 04 May 2006 Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = 5 pid = /var/run/stunnel.pid RNDbytes= 64 RNDfile = /dev/urandom RNDoverwrite= yes Service-level options cert= /etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH key = /etc/stunnel/stunnel.pem session = 300 seconds TIMEOUTbusy = 300 seconds TIMEOUTclose= 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none