[stunnel-users] OpenSSL Vulnerabilities

Cal Webster cwebster at ec.rr.com
Wed Apr 8 01:07:30 CEST 2009


On Tue, 2009-04-07 at 11:11 -0700, Rodrigo Gallardo wrote:
> On Tue, Apr 07, 2009 at 01:19:17PM -0400, Cal Webster wrote:
> > Will there be a security update of stunnel to address vulnerabilities
> > outlined in CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789? 
> > 
> > Alternatively, will stunnel use updated OpenSSL libraries on the host?
> > 
> > It appears that this is true on Fedora RPM packages.
> 
> This is true in any *nix system.

Well, it *should* be true of any *modern* Unix/Linux system, provided
the OpenSSL libraries are dynamically linked. Some applications are
statically linked so they would not reference new libraries in that
case. I can't afford to assume much where I work. We have OSes as far
back as AT&T Unix System IV.

> > However, I don't know how to determine whether the same dependency works
> > with Win32 dll's.
> > 
> 
> This *should* work, as that is pretty much the whole point of shared
> libraries. I have no actual knowledge of windows DLLs, though, so
> there might be some obscure reason why it does not. I would recommend
> you trace (somehow) exactly what on-disk DLLs stunnel is loading and
> make sure your update replaces those.

I finally figured it out on my own. The following is for the benefit of
anyone else following this thread.

The OpenSSL libraries that Win32 Stunnel 4.26 uses are placed in the
install directory, C:\Program Files\stunnel by default. The file
properties do not contain any version information like most DLLs.
However, I was able to determine the version from the stunnel log.

A look in the stunnel log (if it's configured) will show something like
this:

2009.03.10 15:40:43 LOG5[1240:1236]: stunnel 4.26 on x86-pc-mingw32-gnu
with OpenSSL 0.9.8i 15 Sep 2008

To update the OpenSSL libraries you must download and install two
programs:

"Microsoft Visual C++ 2008 Redistributables" - vcredist_x86.exe
http://www.microsoft.com/downloads/details.aspx?FamilyID=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&displaylang=en

"Win32 OpenSSL v0.9.8k Light" - Win32OpenSSL_Light-0_9_8k.exe
http://www.slproweb.com/products/Win32OpenSSL.html

After installing OpenSSL Light you need to copy the two DLLs
libeay32.dll and libssl32.dll from C:\OpenSSL, where the installer puts
them, into the stunnel install directory to replace the originals. At
this point you can uninstall OpenSSL unless you've got something else
you need it for. If you don't replace the older versions in the stunnel
install dir the new libraries will not be used.

Do not uninstall the Visual C++ Redistributables, though. The new
OpenSSL libraries need MSVCR90.dll that it provides.

After a restart and starting the stunnel service you can check the log
again to see that it's using the new libraries. You should see an entry
like this:

2009.04.07 19:03:01 LOG5[700:476]: stunnel 4.26 on x86-pc-mingw32-gnu
with OpenSSL 0.9.8k 25 Mar 2009

Cheers!

Cal
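A small script for the check Cal describes, added here as an example and not part of the original thread: it parses the stunnel startup banner for the bundled OpenSSL version and flags anything older than 0.9.8k. The two banner lines are the ones quoted above, unwrapped as stunnel writes them; the third sample line and the 0.9.8k threshold are assumptions.

```python
import re

# Minimum OpenSSL release considered patched for this check (assumption:
# 0.9.8k, the version the updated install in the thread reports).
MIN_OPENSSL = "0.9.8k"

# Matches the banner stunnel writes at startup, e.g.
# "stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008"
BANNER_RE = re.compile(
    r"stunnel (?P<stunnel>\S+) on (?P<platform>\S+) "
    r"with OpenSSL (?P<openssl>\d+\.\d+\.\d+[a-z]*)"
)


def openssl_key(version):
    """Sort key for old-style OpenSSL versions: 0.9.8i -> (0, 9, 8, 'i').
    A bare 0.9.8 has an empty letter suffix and sorts below 0.9.8a."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def check_banner(line, minimum=MIN_OPENSSL):
    """Return (openssl_version, is_outdated) for a banner line,
    or None when the line is not a stunnel version banner."""
    m = BANNER_RE.search(line)
    if not m:
        return None
    version = m.group("openssl")
    return version, openssl_key(version) < openssl_key(minimum)


def audit_log(lines, minimum=MIN_OPENSSL):
    """Return (line_number, openssl_version) for every startup banner
    that reports an OpenSSL older than `minimum`."""
    findings = []
    for n, line in enumerate(lines, start=1):
        result = check_banner(line, minimum)
        if result and result[1]:
            findings.append((n, result[0]))
    return findings


# Constructed sample log: the two banners from the thread plus one
# unrelated line, so the filter has something to skip.
SAMPLE_LOG = [
    "2009.03.10 15:40:43 LOG5[1240:1236]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8i 15 Sep 2008",
    "2009.03.10 15:40:43 LOG5[1240:1236]: Configuration successful",
    "2009.04.07 19:03:01 LOG5[700:476]: stunnel 4.26 on x86-pc-mingw32-gnu with OpenSSL 0.9.8k 25 Mar 2009",
]

if __name__ == "__main__":
    for n, ver in audit_log(SAMPLE_LOG):
        print("line %d: OpenSSL %s is older than %s" % (n, ver, MIN_OPENSSL))
```

Run it against the real stunnel.log (for example, `audit_log(open("stunnel.log").readlines())`) after the DLL swap and restart: an empty result means every recorded start used the new libraries.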
