[stunnel-users] Stunnel compilation issue on Mac OS X 10.5 powerpc

Cedric Lor cedric.lor at gmail.com
Wed Nov 23 22:46:02 CET 2011


Many thanks, Mike.
 
You were right. There is something wrong with my manual install of openssl 1.0.0e. I just recompiled stunnel 4.47 from sources, using the openssl libraries provided by fink and it went like a charm. 
 
However, I'm now running into another issue. I'm trying to configure stunnel with SNI. I read the man page, the how-to, the previous mailing list messages and googled as much as I could, but can't seem to find an answer.
 
When I configure stunnel to tunnel HTTP (i.e. the [https] service), everything works fine.
When I configure stunnel with SNI to tunnel several virtual hosts (i.e. [virtual] + [sni1] + [sni2]), it crashes on a segmentation fault when testing the connection to the virtual host with openssl or with a browser.
When I configure only the virtual service without any SNI virtual hosts (i.e. [virtual] only, without any defined sni), everything runs fine.
 
I'm running into the exact same issue with stunnel 4.46 installed from fink - SNI won't work which is very sad. 
 
I have the feeling that this is related to the OpenSSL distributed by Fink, and I'm currently checking with the maintainer whether the distributed pre-compiled OpenSSL was compiled with --enable-tls.

Do you think that this might be related to something wrong in Fink's OpenSSL or the Fink OpenSSL libraries against which I have built stunnel?
 
I'm currently checking with the maintainer of the SSL package on Fink whether it has been built with the --enable-tlsext option, but it seems that it has been (I've been trying to run an OpenSSL server with the -tls option and connect with an OpenSSL client with the -tls option, and it connects correctly).

Here is the console output of stunnel in foreground debug mode: 

2011.11.23 20:21:38 LOG7[26580:2689165344]: Clients allowed=125
2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=3 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG7[26580:2689165344]: signal_pipe: FD=4 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG5[26580:2689165344]: stunnel 4.47 on powerpc-apple-darwin9.8.0 platform
2011.11.23 20:21:38 LOG5[26580:2689165344]: Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
2011.11.23 20:21:38 LOG5[26580:2689165344]: Threading:PTHREAD SSL:ENGINE Auth:none Sockets:SELECT,IPv4
2011.11.23 20:21:38 LOG5[26580:2689165344]: Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
2011.11.23 20:21:38 LOG7[26580:2689165344]: Snagged 64 random bytes from /Users/cedriclor/.rnd
2011.11.23 20:21:38 LOG7[26580:2689165344]: Wrote 1024 new random bytes to /Users/cedriclor/.rnd
2011.11.23 20:21:38 LOG7[26580:2689165344]: PRNG seeded successfully
2011.11.23 20:21:38 LOG6[26580:2689165344]: Initializing SSL context for service virtual
2011.11.23 20:21:38 LOG4[26580:2689165344]: Insecure file permissions on /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Key file: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Private key loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: DH initialized with 2048-bit key
2011.11.23 20:21:38 LOG7[26580:2689165344]: ECDH initialized with curve prime256v1
2011.11.23 20:21:38 LOG7[26580:2689165344]: SSL options set: 0x01000004
2011.11.23 20:21:38 LOG6[26580:2689165344]: SSL context initialized
2011.11.23 20:21:38 LOG6[26580:2689165344]: Initializing SSL context for service sni1
2011.11.23 20:21:38 LOG4[26580:2689165344]: Insecure file permissions on /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Key file: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Private key loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: DH initialized with 2048-bit key
2011.11.23 20:21:38 LOG7[26580:2689165344]: ECDH initialized with curve prime256v1
2011.11.23 20:21:38 LOG7[26580:2689165344]: SSL options set: 0x01010004
2011.11.23 20:21:38 LOG6[26580:2689165344]: SSL context initialized
2011.11.23 20:21:38 LOG6[26580:2689165344]: Initializing SSL context for service sni2
2011.11.23 20:21:38 LOG4[26580:2689165344]: Insecure file permissions on /sw/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Certificate loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Key file: /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: Private key loaded
2011.11.23 20:21:38 LOG7[26580:2689165344]: Using DH parameters from /usr/local/etc/stunnel/stunnel.pem
2011.11.23 20:21:38 LOG7[26580:2689165344]: DH initialized with 2048-bit key
2011.11.23 20:21:38 LOG7[26580:2689165344]: ECDH initialized with curve prime256v1
2011.11.23 20:21:38 LOG7[26580:2689165344]: SSL options set: 0x01010004
2011.11.23 20:21:38 LOG6[26580:2689165344]: SSL context initialized
2011.11.23 20:21:38 LOG5[26580:2689165344]: Configuration successful
2011.11.23 20:21:38 LOG7[26580:2689165344]: accept socket: FD=6 allocated (non-blocking mode)
2011.11.23 20:21:38 LOG7[26580:2689165344]: Option SO_REUSEADDR set on accept socket
2011.11.23 20:21:38 LOG7[26580:2689165344]: Service virtual bound to 127.0.0.1:8081
2011.11.23 20:21:38 LOG7[26580:2689165344]: Service virtual opened FD=6
2011.11.23 20:21:39 LOG7[26580:2689165344]: Created pid file /stunnel.pid
2011.11.23 20:21:50 LOG7[26580:2689165344]: local socket: FD=7 allocated (non-blocking mode)
2011.11.23 20:21:50 LOG7[26580:2689165344]: Service virtual accepted FD=7 from 127.0.0.1:50132
Segmentation fault


Here is my stunnel.conf:

chroot = /sw/var/lib/stunnel

pid = /stunnel.pid

debug = 7
foreground = yes

cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem

[virtual]
accept = 127.0.0.1:8081
cert = /usr/local/etc/stunnel/stunnel.pem
connect = mydefaulthost.mydomain.com:80

[sni1]
sni = virtual:myfirstsecuredvirtualhost.mydomain.com:8081
cert = /usr/local/etc/stunnel/stunnel.pem
connect = myfirstvirtualhost.mydomain.com:80

[sni2]
sni = virtual:myfirstsecuredvirtualhost.mydomain.com:8081
cert = /usr/local/etc/stunnel/stunnel.pem
connect = mysecondvirtualhost.mydomain.com:80


And here is the output of an openssl test:

macosx-ppc:~ cedriclor$ openssl s_client -connect myfirstsecuredvirtualhost.mydomain.com:8081
CONNECTED(00000003)
2689165412:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 211 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

The same with the option -tls1:

macosx-ppc:~ cedriclor$ openssl s_client -connect myfirstsecuredvirtualhost.mydomain.com:8081 -tls1
CONNECTED(00000003)
2689165412:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1322079696
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---


Regards, 

Cédric



On Nov 23, 2011, at 2:44 PM, Michal Trojnara wrote:

> Cedric Lor wrote:
>> I've been trying to compile stunnel (4.47) on a PowerPC Mac OS X Leopard (OS X 10.5) platform after a manual update to openssl v.1.0.0e
> [cut]
>> libtool: link: gcc -pthread -fstack-protector -g -O2 -Wall -Wextra -Wno-long-long -pedantic -o stunnel stunnel-str.o stunnel-file.o stunnel-client.o stunnel-log.o stunnel-options.o stunnel-protocol.o stunnel-network.o stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o stunnel-verify.o stunnel-sthreads.o stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o  -L/usr/local/ssl/lib64 -L/usr/local/ssl/lib -lssl -lcrypto -lz -ldl -lutil -lpthread -lwrap -pthread
>> Undefined symbols:
>> "_EC_KEY_new_by_curve_name", referenced from:
>>     _context_init in stunnel-ctx.o
> 
> There is something wrong with your manual installation of OpenSSL 1.0.0e on your machine.  The linker finds your old library instead of the new one.  Make sure the library files are properly installed in /usr/local/ssl/lib.  You could also rename the old library files for the time of building stunnel.
> 
> Mike
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
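A small checker for the SNI wiring in a stunnel.conf like the one quoted above, added here as an example (not stunnel's own code). It assumes the documented form `sni = SERVICE:SERVER_NAME`, where SERVER_NAME is the bare hostname a client sends in its ClientHello (no port), and it flags two things a reviewer would want to see before chasing a crash: a port suffix in the server name and two slave services claiming the same name on the same parent. The sample config is constructed to mirror the thread's.

```python
"""Static sanity checks for SNI sections in a stunnel.conf (added example)."""
from collections import defaultdict

# Constructed sample mirroring the config quoted in the thread.
SAMPLE_CONF = """\
chroot = /sw/var/lib/stunnel
pid = /stunnel.pid
cert = /usr/local/etc/stunnel/stunnel.pem

[virtual]
accept = 127.0.0.1:8081
connect = mydefaulthost.mydomain.com:80

[sni1]
sni = virtual:myfirstsecuredvirtualhost.mydomain.com:8081
connect = myfirstvirtualhost.mydomain.com:80

[sni2]
sni = virtual:myfirstsecuredvirtualhost.mydomain.com:8081
connect = mysecondvirtualhost.mydomain.com:80
"""

def parse_conf(text):
    """Return (global options, {service: {option: value}}); ';' and '#' start comments."""
    globals_, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        (globals_ if current is None else current)[key.strip()] = value.strip()
    return globals_, services

def check_sni(globals_, services):
    """Return a list of problems; an empty list means the SNI wiring looks consistent."""
    problems, names_seen = [], defaultdict(list)
    for svc, opts in services.items():
        if "sni" not in opts:
            continue
        parent, _, server_name = opts["sni"].partition(":")  # assumed SERVICE:SERVER_NAME form
        if parent not in services:
            problems.append(f"[{svc}]: sni refers to unknown service '{parent}'")
        elif "accept" not in services[parent]:
            problems.append(f"[{svc}]: parent service [{parent}] has no accept")
        if ":" in server_name:  # TLS server_name values never carry a port
            problems.append(f"[{svc}]: server name '{server_name}' contains a port")
        if not (opts.get("cert") or globals_.get("cert")):
            problems.append(f"[{svc}]: no cert available for this virtual host")
        names_seen[(parent, server_name)].append(svc)
    for (parent, name), svcs in names_seen.items():
        if len(svcs) > 1:  # two slaves with the same name on one parent can never both match
            problems.append(f"duplicate server name '{name}' on [{parent}]: {', '.join(svcs)}")
    return problems

if __name__ == "__main__":
    for problem in check_sni(*parse_conf(SAMPLE_CONF)):
        print(problem)
```

Run against the sample it reports the port suffix on both sni lines and the duplicated name; with those fixed it reports nothing, which is the state worth reaching before attributing a segfault to the OpenSSL build.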
