[stunnel-users] since version 5.22 stunnel doesn't compile when OpenSSL version < 1.0.0 is used

Jose Alf. josealf at rocketmail.com
Thu Aug 6 00:13:40 CEST 2015


Eugene,
I was about to report that too. I think that the earliest version that should be supported is 0.9.8. It will be supported by the OpenSSL team until year end. I found the problem is due to two functions used in verify.c that appear only in openssl 1.0.0 (OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req). I compiled successfuly agains 0.9.8zg with the following patch:

--- stunnel-5.22/src/verify.c   Thu Jul 30 05:08:46 2015
+++ stunnel-5.22.new/src/verify.c       Wed Aug 05 16:32:41 2015
@@ -722,12 +722,16 @@
         sslerror("OCSP: OCSP_sendreq_new");
         goto cleanup;
     }
+
+   #if OPENSSL_VERSION_NUMBER >= 0x1000000fL
     if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) {
         sslerror("OCSP: OCSP_REQ_CTX_add1_header");
         goto cleanup;
     }
     if(!OCSP_REQ_CTX_set1_req(req_ctx, req))
         goto cleanup;
+   #endif
+
     while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {
         s_poll_init(c->fds);
         s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));

 


     On Wednesday, August 5, 2015 4:14 PM, Eugene Rudoy <gene.devel at gmail.com> wrote:
   

 Hi all,

on the one hand the "welcome to the stunnel-users mailing list"-mail
explicitly states "Never report problems with an old version of
stunnel and OpenSSL. Upgrade to the latest versions first". On the
other hand common.h contains

#if OPENSSL_VERSION_NUMBER<0x0090700fL
#error OpenSSL 0.9.7 or later is required
#endif /* OpenSSL older than 0.9.7 */

So it looks like OpenSSL versions >= 0.9.7 are still supported, that's
the reason I'm reporting the following bug and ignoring the
welcome-mail.


Since version 5.22 stunnel doesn't compile when OpenSSL 0.9.8 is used
(the only OpenSSL version < 1.0.0 I've tested with, 0.9.7 is probably
also affected):

/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc
-DHAVE_CONFIG_H -I.
-I/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/include
-DLIBDIR='"/usr/lib/stunnel"' -DCONFDIR='"/etc/stunnel"'  -march=24kc
-mtune=24kc -msoft-float -Os -pipe -Wa,--trap -D_LARGEFILE_SOURCE
-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pthread -Wall -Wextra
-Wpedantic -Wformat=2 -Wconversion -Wno-long-long
-Wno-deprecated-declarations -D_FORTIFY_SOURCE=2 -ffunction-sections
-fdata-sections -MT stunnel-verify.o -MD -MP -MF
.deps/stunnel-verify.Tpo -c -o stunnel-verify.o `test -f 'verify.c' ||
echo './'`verify.c
verify.c: In function 'ocsp_get_response':
verify.c:725:5: warning: implicit declaration of function
'OCSP_REQ_CTX_add1_header' [-Wimplicit-function-declaration]
    if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) {
    ^
verify.c:729:5: warning: implicit declaration of function
'OCSP_REQ_CTX_set1_req' [-Wimplicit-function-declaration]
    if(!OCSP_REQ_CTX_set1_req(req_ctx, req))
    ^
...
libtool: link: /home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc
-march=24kc -mtune=24kc -msoft-float -Os -pipe -Wa,--trap
-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-pthread -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion
-Wno-long-long -Wno-deprecated-declarations -D_FORTIFY_SOURCE=2
-ffunction-sections -fdata-sections -Wl,-z -Wl,relro -Wl,-z -Wl,now
-Wl,-z -Wl,noexecstack -Wl,--gc-sections -o stunnel stunnel-tls.o
stunnel-str.o stunnel-file.o stunnel-client.o stunnel-log.o
stunnel-options.o stunnel-protocol.o stunnel-network.o
stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o stunnel-verify.o
stunnel-sthreads.o stunnel-fd.o stunnel-dhparam.o stunnel-cron.o
stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o stunnel-ui_unix.o
-L/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/lib
-lssl -lcrypto -lz -ldl -lutil -pthread
libtool: link: ( cd ".libs" && rm -f "libstunnel.la" && ln -s
"../libstunnel.la" "libstunnel.la" )
stunnel-verify.o: In function `ocsp_request':
verify.c:(.text.ocsp_request+0x200): undefined reference to
`OCSP_REQ_CTX_add1_header'
verify.c:(.text.ocsp_request+0x21c): undefined reference to
`OCSP_REQ_CTX_set1_req'
collect2: error: ld returned 1 exit status

Both OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req are available
since OpenSSL 1.0.0. I've fixed the _compile_ issue for me by
partially reverting the changes from 5.22 (s. attached patch). I'm
however not sure if by doing so I'm introducing anew one of the bugs
mentioned in the 5.22-changelog as "Fixed a number of OCSP bugs".

@Michał: could you please take a look into the issue and fix it in a
proper way in case my fix is wrong? Thanks a lot!

Best regards,
Gene
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20150805/1c647f16/attachment.html>


More information about the stunnel-users mailing list