I’m trying to do a proof of concept using Stunnel on AIX 6.1.
Without stunnel I’d have:
Telnet session -> listening service
With stunnel, I want:
telnet session -> stunnel client --[secure connection]--> stunnel server --> listening service
The stunnel client seems to be working fine, but the stunnel server abends as soon as it receives a secure connection.
Client:
Accepts non-secure on port 33342. Forwards to secure socket 33343
stunnel stunnel.conf.2
2017.02.21 09:31:35 LOG5[ui]: stunnel 5.40 on powerpc-ibm-aix6.1.0.0 platform
2017.02.21 09:31:35 LOG5[ui]: Compiled/running with OpenSSL 1.0.2j 26 Sep 2016
2017.02.21 09:31:35 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2017.02.21 09:31:35 LOG5[ui]: Reading configuration from file /bmo/stunnel/bin/stunnel.conf.2
2017.02.21 09:31:35 LOG5[ui]: UTF-8 byte order mark detected
2017.02.21 09:31:35 LOG5[ui]: FIPS mode disabled
2017.02.21 09:31:35 LOG6[ui]: Initializing service [hif]
2017.02.21 09:31:35 LOG6[ui]: Loading certificate from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:35 LOG6[ui]: Certificate loaded from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:35 LOG6[ui]: Loading private key from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:35 LOG4[ui]: Insecure file permissions on /bmo/stunnel/stunnel.pem
2017.02.21 09:31:35 LOG6[ui]: Private key loaded from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:35 LOG4[ui]: Service [hif] needs authentication to prevent MITM attacks
2017.02.21 09:31:35 LOG5[ui]: Configuration successful
2017.02.21 09:31:38 LOG5[0]: Service [hif] accepted connection from 127.0.0.1:34749
2017.02.21 09:31:38 LOG6[0]: s_connect: connecting 127.0.0.1:33343
2017.02.21 09:31:38 LOG6[0]: s_connect: connected 127.0.0.1:33343
2017.02.21 09:31:38 LOG5[0]: Service [hif] connected remote server from 127.0.0.1:34750
2017.02.21 09:31:38 LOG6[0]: SNI: sending servername: localhost
2017.02.21 09:31:38 LOG6[0]: Peer certificate not required
2017.02.21 09:31:38 LOG3[0]: SSL_connect: Peer suddenly disconnected
2017.02.21 09:31:38 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Server:
Accepts SSL connections on port 33343, connects to a non-secure service.
stunnel stunnel.conf.1
2017.02.21 09:31:25 LOG5[ui]: stunnel 5.40 on powerpc-ibm-aix6.1.0.0 platform
2017.02.21 09:31:25 LOG5[ui]: Compiled/running with OpenSSL 1.0.2j 26 Sep 2016
2017.02.21 09:31:25 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2017.02.21 09:31:25 LOG5[ui]: Reading configuration from file /bmo/stunnel/bin/stunnel.conf.1
2017.02.21 09:31:25 LOG5[ui]: UTF-8 byte order mark detected
2017.02.21 09:31:25 LOG5[ui]: FIPS mode disabled
2017.02.21 09:31:25 LOG6[ui]: Initializing service [hif]
2017.02.21 09:31:25 LOG6[ui]: Loading certificate from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:25 LOG6[ui]: Certificate loaded from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:25 LOG6[ui]: Loading private key from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:25 LOG4[ui]: Insecure file permissions on /bmo/stunnel/stunnel.pem
2017.02.21 09:31:25 LOG6[ui]: Private key loaded from file: /bmo/stunnel/stunnel.pem
2017.02.21 09:31:25 LOG5[ui]: Configuration successful
2017.02.21 09:31:38 LOG5[0]: Service [hif] accepted connection from 127.0.0.1:34750
2017.02.21 09:31:38 LOG6[0]: Peer certificate not required
INTERNAL ERROR: Bad magic at OpenSSL, line 0
(this is an abend – core file gets created).
The log file exactly matches the standard output.
Any idea what’s going wrong here?
dbx of the core file:
tbs@netcbccadvwvr01 /bmo/hif/stunnel-5.40/src>dbx /bmo/stunnel/bin/stunnel core
Type 'help' for help.
[using memory image in core]
reading symbolic information ...
IOT/Abort trap in abort at 0xd01af1f8 ($t3)
0xd01af1f8 (abort+0xf8) 80410014 lwz r2,0x14(r1)
(dbx) where
abort() at 0xd01af1f8
fatal_debug(txt = "Bad magic", file = "OpenSSL", line = 0), line 359 in "log.c"
get_alloc_list_ptr(ptr = 0x2007e1c8, file = "OpenSSL", line = 0), line 399 in "str.c"
str_detach_debug(ptr = 0x2007e1c8, file = "OpenSSL", line = 0), line 348 in "str.c"
str_free_debug(ptr = 0x2007e1c8, file = "OpenSSL", line = 0), line 383 in "str.c"
free_function(ptr = 0x2007e1c8), line 191 in "tls.c"
mem.CRYPTO_free() at 0xd97dd8d8
bn_lib.bn_expand2@AF37_5() at 0xd97e8da4
bn_mont.BN_mod_mul_montgomery() at 0xd981e150
ecp_mont.ec_GFp_mont_field_mul() at 0xd9837a18
ecp_smpl.ec_GFp_simple_point_get_affine_coordinates() at 0xd9839890
ec_lib.EC_POINT_get_affine_coordinates_GFp() at 0xd9a81dfc
ecp_oct.ec_GFp_simple_point2oct() at 0xd9acc0d4
ec_oct.EC_POINT_point2oct() at 0xd9acb754
ssl3_send_server_key_exchange() at 0xd99e7c28
ssl3_accept() at 0xd99e9950
SSL_accept() at 0xd99c0b98
ssl23_get_client_hello() at 0xd9a003f4
ssl23_accept() at 0xd9a00c5c
SSL_accept() at 0xd99c0b98
ssl_start(c = 0x20084cb8), line 431 in "client.c"
client_try(c = 0x20084cb8), line 273 in "client.c"
client_run(c = 0x20084cb8), line 181 in "client.c"
client_main(c = 0x20084cb8), line 140 in "client.c"
client_thread(arg = 0x20084cb8), line 99 in "client.c"
(dbx) thread
thread state-k wchan state-u k-tid mode held scope function
$t1 run running 26279997 u no sys __fd_poll
$t2 run running 45088879 u no sys _p_nsleep
>$t3 run running 19070997 k no sys abort
(dbx) list free_function
186
187 #if OPENSSL_VERSION_NUMBER<0x10100000L
188 NOEXPORT void free_function(void *ptr) {
189 /* CRYPTO_set_mem_ex_functions() needs a function rather than a macro */
190 /* unfortunately, OpenSSL provides no file:line information here */
191 str_free_debug(ptr, "OpenSSL", 0);
192 }
193 #endif
194
195 /* end of tls.c */
Should I be concerned that it looks like it is executing "free_function" from within an if statement "if OPENSSL_VERSION_NUMBER<0x10100000L", but my openssl version is:
2017.02.21 09:31:35 LOG5[ui]: Compiled/running with OpenSSL 1.0.2j 26 Sep 2016
Troubleshooting so far:
- I had the same problem with earlier versions of openssl.
- I’ve tried this with 5.37 as well (based on Brian McGinity’s post from a few days ago), but get the same error.
Jacob
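
Added example (not part of the original post and not stunnel or OpenSSL code): the guard in the tls.c listing is a preprocessor conditional decided at build time, and this sketch packs the "1.0.2j" string from the log into the 0xMNNFFPPSL layout of OPENSSL_VERSION_NUMBER to compare it with 0x10100000L. The function names are hypothetical, and the status nibble is assumed to be 0xf (a release build).

```c
#include <stdio.h>

/* Pack an OpenSSL 1.0.x-style version string ("1.0.2j") into the
 * 0xMNNFFPPSL layout of OPENSSL_VERSION_NUMBER: major, minor, fix,
 * patch letter (a=1, b=2, ...), status nibble (assumed 0xf = release).
 * Returns 0 on a malformed string. Hypothetical helper. */
unsigned long pack_openssl_version(const char *s) {
    unsigned major, minor, fix;
    int used = 0;
    unsigned long patch = 0;

    if (sscanf(s, "%u.%u.%u%n", &major, &minor, &fix, &used) != 3)
        return 0;
    if (major > 0xf || minor > 0xff || fix > 0xff)
        return 0;
    if (s[used] != '\0') {                 /* optional patch letter */
        if (s[used] < 'a' || s[used] > 'z' || s[used + 1] != '\0')
            return 0;
        patch = (unsigned long)(s[used] - 'a' + 1);
    }
    return ((unsigned long)major << 28) | ((unsigned long)minor << 20) |
           ((unsigned long)fix << 12) | (patch << 4) | 0xfUL;
}

/* Mirrors the guard around free_function() in the tls.c listing:
 * non-zero when the preprocessor would keep that block. */
int free_function_compiled_in(unsigned long version_number) {
    return version_number < 0x10100000UL;
}

int main(void) {
    /* Version string taken from the "Compiled/running with" log line. */
    const char *v = "1.0.2j";
    unsigned long n = pack_openssl_version(v);

    printf("%s -> 0x%08lxL, free_function compiled in: %s\n", v, n,
           free_function_compiled_in(n) ? "yes" : "no");
    return 0;
}
```
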