[stunnel-users] getting better, now "verify=0" causes Bus Error. (Re: I am having problems with the 4.5x-series also: Pan connects, nothing else happens.)

SciFi sci-fi at hush.ai
Thu Jan 12 04:35:16 CET 2012



Hi,

Thank you very much for taking time to help.

I rebuilt stunnel-4.52b2, changing my ./configure to "--with-ssl=/usr" so as to use Apple's version.

Then I made a new .conf file with your minimal lines:
---start---
foreground = yes
pid = 
debug = 7
client = yes

[nntp_gn]
accept	=	12000
connect	=	news.giganews.com:563

[nntp_aw]
accept	=	12001
connect	=	ssl.astraweb.com:563

[nntp_gm]
accept	=	12002
connect	=	80.91.229.10:563
---end---

That much worked.  :)

But I am still highly skeptical whether we are _really_ secure along the pipe.  So I added the "verify = 0" line (placed just under the "client = yes" line shown above), and now we get a Bus Error whenever we make Pan go into session with Astraweb (in this case trying to fetch a simple text post).

I did a backtrace:

# gdb stunnel
GNU gdb 6.3.50-20050815 (Apple version gdb-1705) (Tue Jul  5 07:28:08 UTC 2011)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-apple-darwin"...Reading symbols for shared libraries ...... done

(gdb) set args /usr/local/etc/stunnel/stunnel2.conf
(gdb) run
Starting program: /usr/local/bin/stunnel /usr/local/etc/stunnel/stunnel2.conf
Reading symbols for shared libraries .+++++. done
2012.01.11 20:48:52 LOG7[25326:2697274688]: Clients allowed=500
2012.01.11 20:48:52 LOG5[25326:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 20:48:52 LOG5[25326:2697274688]: Compiled with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 20:48:52 LOG5[25326:2697274688]: Running  with OpenSSL 0.9.8r 8 Feb 2011
2012.01.11 20:48:52 LOG5[25326:2697274688]: Update OpenSSL shared libraries or rebuild stunnel
2012.01.11 20:48:52 LOG5[25326:2697274688]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:SELECT,IPv6
2012.01.11 20:48:52 LOG5[25326:2697274688]: Reading configuration from file /usr/local/etc/stunnel/stunnel2.conf
2012.01.11 20:48:52 LOG7[25326:2697274688]: Compression not enabled
2012.01.11 20:48:52 LOG7[25326:2697274688]: PRNG seeded successfully
2012.01.11 20:48:52 LOG6[25326:2697274688]: Initializing SSL context for service nntp_gn
2012.01.11 20:48:52 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:52 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG6[25326:2697274688]: Initializing SSL context for service nntp_aw
2012.01.11 20:48:53 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:53 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG6[25326:2697274688]: Initializing SSL context for service nntp_gm
2012.01.11 20:48:53 LOG7[25326:2697274688]: SSL options set: 0x00000004
2012.01.11 20:48:53 LOG6[25326:2697274688]: SSL context initialized
2012.01.11 20:48:53 LOG5[25326:2697274688]: Configuration successful
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_gn bound FD=11 to 0.0.0.0:12000
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_aw bound FD=12 to 0.0.0.0:12001
2012.01.11 20:48:53 LOG7[25326:2697274688]: Service nntp_gm bound FD=13 to 0.0.0.0:12002
2012.01.11 20:48:53 LOG7[25326:2697274688]: No pid file being created
2012.01.11 20:49:06 LOG7[25326:2697274688]: Service nntp_aw accepted FD=14 from 127.0.0.1:58969
2012.01.11 20:49:06 LOG7[25326:2952859648]: Service nntp_aw started
2012.01.11 20:49:06 LOG7[25326:2952859648]: Waiting for a libwrap process
2012.01.11 20:49:06 LOG7[25326:2952859648]: Acquired libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Releasing libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Released libwrap process #0
2012.01.11 20:49:06 LOG7[25326:2952859648]: Service nntp_aw permitted by libwrap from 127.0.0.1:58969
2012.01.11 20:49:06 LOG5[25326:2952859648]: Service nntp_aw accepted connection from 127.0.0.1:58969
2012.01.11 20:49:06 LOG6[25326:2952859648]: connect_blocking: connecting 216.151.153.14:563
2012.01.11 20:49:06 LOG7[25326:2952859648]: connect_blocking: s_poll_wait 216.151.153.14:563: waiting 10 seconds
2012.01.11 20:49:06 LOG5[25326:2952859648]: connect_blocking: connected 216.151.153.14:563
2012.01.11 20:49:06 LOG5[25326:2952859648]: Service nntp_aw connected remote server from 192.168.1.65:58970
2012.01.11 20:49:06 LOG7[25326:2952859648]: Remote FD=15 initialized
2012.01.11 20:49:06 LOG7[25326:2952859648]: SNI: host name: ssl.astraweb.com

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000020
[Switching to process 25326 thread 0x1403]
0x94b0b2d6 in X509_get_subject_name ()
(gdb) bt
#0  0x94b0b2d6 in X509_get_subject_name ()
#1  0x0000f213 in verify_callback ()
#2  0x94ac68ce in X509_verify_cert_orig ()
#3  0x94a487af in X509_verify_cert ()
#4  0x946159fb in ssl_verify_cert_chain ()
#5  0x9460624c in ssl3_get_server_certificate ()
#6  0x94608748 in ssl3_connect ()
#7  0x00002ed7 in init_ssl ()
#8  0x000040a3 in client_try ()
#9  0x00005206 in client_run ()
#10 0x00005490 in client_main ()
#11 0x000054c3 in client_thread ()
#12 0x9a193259 in _pthread_start ()
#13 0x9a1930de in thread_start ()
(gdb) quit
The program is running.  Exit anyway? (y or n) y

# _

I'm sorry, that's about as deep as I know to go.  ;)
But I should be able to do more tests with detailed instructions if needed.

For now, I will comment out the "verify" line, and use this build with your basic .conf file even though it makes me remain highly paranoid.  ;(

(I have further questions about your reply; I'll postpone them once I know I can use the 4.5-series properly, then go forward from there.)

Thank you(-all) again.


-- 
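
The startup lines in the log above report stunnel compiled with OpenSSL 1.1.0-dev but running with OpenSSL 0.9.8r, followed by stunnel's own "Update OpenSSL shared libraries or rebuild stunnel" notice. As an added example (not part of the original post and not stunnel code), this Python script scans a debug log for that pair of lines per process and classifies the result; the function names and status labels are assumptions made for illustration, and the PID 31000 entries are constructed.

```python
import re

# First four lines are copied from the session above; PID 31000 is a constructed healthy start.
SAMPLE_LOG = """\
2012.01.11 20:48:52 LOG5[25326:2697274688]: stunnel 4.52 on x86_64-apple-darwin10.8.0 platform
2012.01.11 20:48:52 LOG5[25326:2697274688]: Compiled with OpenSSL 1.1.0-dev xx XXX xxxx
2012.01.11 20:48:52 LOG5[25326:2697274688]: Running  with OpenSSL 0.9.8r 8 Feb 2011
2012.01.11 20:48:52 LOG5[25326:2697274688]: Update OpenSSL shared libraries or rebuild stunnel
2012.01.12 09:00:00 LOG5[31000:1]: Compiled with OpenSSL 0.9.8r 8 Feb 2011
2012.01.12 09:00:00 LOG5[31000:1]: Running  with OpenSSL 0.9.8r 8 Feb 2011
"""

# Matches the two version lines and captures the PID and the version token.
LINE = re.compile(
    r"LOG\d\[(?P<pid>\d+):\d+\]: (?P<kind>Compiled|Running)\s+with OpenSSL (?P<ver>\S+)"
)
BASE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def base_version(ver):
    """Return (major, minor, fix) from a token such as '0.9.8r', or None."""
    m = BASE.match(ver)
    return tuple(int(x) for x in m.groups()) if m else None


def check_openssl_versions(log_text):
    """Return {pid: {'compiled', 'running', 'status'}} for each stunnel start."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            seen.setdefault(m["pid"], {})[m["kind"].lower()] = m["ver"]
    report = {}
    for pid, v in seen.items():
        compiled, running = v.get("compiled"), v.get("running")
        if compiled is None or running is None:
            status = "incomplete"          # only one of the two lines was logged
        elif compiled == running:
            status = "match"
        elif base_version(compiled) and base_version(compiled) == base_version(running):
            status = "patch-differs"       # same x.y.z, different letter or suffix
        else:
            status = "release-mismatch"    # headers and library are different releases
        report[pid] = {"compiled": compiled, "running": running, "status": status}
    return report


if __name__ == "__main__":
    for pid, result in check_openssl_versions(SAMPLE_LOG).items():
        print(pid, result)
```
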




