<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yui_3_16_0_1_1438812403457_3202">Eugene,</div><div id="yui_3_16_0_1_1438812403457_3203"><br></div><div dir="ltr" id="yui_3_16_0_1_1438812403457_2983">I was about to report that too. I think that the earliest version that should be supported is 0.9.8. It will be supported by the OpenSSL team until year end. I found the problem is due to two functions used in verify.c that appear only in openssl 1.0.0 (OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req). I compiled successfully against 0.9.8zg with the following patch:<br></div><div id="yui_3_16_0_1_1438812403457_3729" dir="ltr"><br></div><div id="yui_3_16_0_1_1438812403457_3724" dir="ltr">--- stunnel-5.22/src/verify.c   Thu Jul 30 05:08:46 2015<br class="" id="yui_3_16_0_1_1438812403457_3687">+++ stunnel-5.22.new/src/verify.c       Wed Aug 05 16:32:41 2015<br class="" id="yui_3_16_0_1_1438812403457_3689">@@ -722,12 +722,16 @@<br class="" id="yui_3_16_0_1_1438812403457_3691">         sslerror("OCSP: OCSP_sendreq_new");<br class="" id="yui_3_16_0_1_1438812403457_3693">         goto cleanup;<br class="" id="yui_3_16_0_1_1438812403457_3695">     }<br class="" id="yui_3_16_0_1_1438812403457_3697">+<br class="" id="yui_3_16_0_1_1438812403457_3699">+   #if OPENSSL_VERSION_NUMBER >= 0x1000000fL<br class="" id="yui_3_16_0_1_1438812403457_3701">     if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) {<br class="" id="yui_3_16_0_1_1438812403457_3703">         sslerror("OCSP: OCSP_REQ_CTX_add1_header");<br class="" id="yui_3_16_0_1_1438812403457_3705">         goto cleanup;<br class="" id="yui_3_16_0_1_1438812403457_3707">     }<br class="" id="yui_3_16_0_1_1438812403457_3709">     if(!OCSP_REQ_CTX_set1_req(req_ctx, req))<br class="" id="yui_3_16_0_1_1438812403457_3711">         goto cleanup;<br class="" id="yui_3_16_0_1_1438812403457_3713">+   #endif<br 
class="" id="yui_3_16_0_1_1438812403457_3715">+<br class="" id="yui_3_16_0_1_1438812403457_3717">     while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {<br class="" id="yui_3_16_0_1_1438812403457_3719">         s_poll_init(c->fds);<br class="" id="yui_3_16_0_1_1438812403457_3721">         s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));<br class="" id="yui_3_16_0_1_1438812403457_3723"><br></div><div id="yui_3_16_0_1_1438812403457_2976"><span></span></div>  <br><div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> On Wednesday, August 5, 2015 4:14 PM, Eugene Rudoy <gene.devel@gmail.com> wrote:<br> </font> </div>  <br><br> <div class="y_msg_container">Hi all,<br><br>on the one hand the "welcome to the stunnel-users mailing list"-mail<br>explicitly states "Never report problems with an old version of<br>stunnel and OpenSSL. Upgrade to the latest versions first". 
On the<br>other hand common.h contains<br><br>#if OPENSSL_VERSION_NUMBER<0x0090700fL<br>#error OpenSSL 0.9.7 or later is required<br>#endif /* OpenSSL older than 0.9.7 */<br><br>So it looks like OpenSSL versions >= 0.9.7 are still supported, that's<br>the reason I'm reporting the following bug and ignoring the<br>welcome-mail.<br><br><br>Since version 5.22 stunnel doesn't compile when OpenSSL 0.9.8 is used<br>(the only OpenSSL version < 1.0.0 I've tested with, 0.9.7 is probably<br>also affected):<br><br>/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc<br>-DHAVE_CONFIG_H -I.<br>-I/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/include<br>-DLIBDIR='"/usr/lib/stunnel"' -DCONFDIR='"/etc/stunnel"'   -march=24kc<br>-mtune=24kc -msoft-float -Os -pipe -Wa,--trap -D_LARGEFILE_SOURCE<br>-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pthread -Wall -Wextra<br>-Wpedantic -Wformat=2 -Wconversion -Wno-long-long<br>-Wno-deprecated-declarations -D_FORTIFY_SOURCE=2 -ffunction-sections<br>-fdata-sections -MT stunnel-verify.o -MD -MP -MF<br>.deps/stunnel-verify.Tpo -c -o stunnel-verify.o `test -f 'verify.c' ||<br>echo './'`verify.c<br>verify.c: In function 'ocsp_get_response':<br>verify.c:725:5: warning: implicit declaration of function<br>'OCSP_REQ_CTX_add1_header' [-Wimplicit-function-declaration]<br>     if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) {<br>     ^<br>verify.c:729:5: warning: implicit declaration of function<br>'OCSP_REQ_CTX_set1_req' [-Wimplicit-function-declaration]<br>     if(!OCSP_REQ_CTX_set1_req(req_ctx, req))<br>     ^<br>...<br>libtool: link: /home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc<br>-march=24kc -mtune=24kc -msoft-float -Os -pipe -Wa,--trap<br>-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64<br>-pthread -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion<br>-Wno-long-long -Wno-deprecated-declarations -D_FORTIFY_SOURCE=2<br>-ffunction-sections -fdata-sections -Wl,-z -Wl,relro -Wl,-z -Wl,now<br>-Wl,-z -Wl,noexecstack -Wl,--gc-sections -o stunnel stunnel-tls.o<br>stunnel-str.o stunnel-file.o stunnel-client.o stunnel-log.o<br>stunnel-options.o stunnel-protocol.o stunnel-network.o<br>stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o stunnel-verify.o<br>stunnel-sthreads.o stunnel-fd.o stunnel-dhparam.o stunnel-cron.o<br>stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o stunnel-ui_unix.o<br>-L/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/lib<br>-lssl -lcrypto -lz -ldl -lutil -pthread<br>libtool: link: ( cd ".libs" && rm -f "libstunnel.la" && ln -s<br>"../libstunnel.la" "libstunnel.la" )<br>stunnel-verify.o: In function `ocsp_request':<br>verify.c:(.text.ocsp_request+0x200): undefined reference to<br>`OCSP_REQ_CTX_add1_header'<br>verify.c:(.text.ocsp_request+0x21c): undefined reference to<br>`OCSP_REQ_CTX_set1_req'<br>collect2: error: ld returned 1 exit status<br><br>Both OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req are available<br>since OpenSSL 1.0.0. I've fixed the _compile_ issue for me by<br>partially reverting the changes from 5.22 (s. attached patch). I'm<br>however not sure if by doing so I'm introducing anew one of the bugs<br>mentioned in the 5.22-changelog as "Fixed a number of OCSP bugs".<br><br>@Michał: could you please take a look into the issue and fix it in a<br>proper way in case my fix is wrong? 
Thanks a lot!<br><br>Best regards,<br>Gene<br>_______________________________________________<br>stunnel-users mailing list<br><a ymailto="mailto:stunnel-users@stunnel.org" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br><a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br><br><br></div>  </div> </div>  </div></div></body></html>
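<div>Review bot: the OPENSSL_VERSION_NUMBER guard added around the OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req calls in the verify.c hunk has no #else branch, so on a pre-1.0.0 build both calls are compiled out and the OCSP_sendreq_nbio loop that follows runs without anything in this hunk having attached req or a Host header to req_ctx. Unless the OCSP_sendreq_new call above the hunk (not visible here) passes req itself on that path, the build will link against 0.9.8 but the OCSP check may never send a usable request; add an #else that supplies the request for old OpenSSL, or fail the OCSP check explicitly there so a missing response cannot be mistaken for a successful one. Style: keep the preprocessor directives in column 0 rather than indented, and comment the #endif the way common.h does for its own version check.</div>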