[stunnel-users] Fwd: Comments/questions to Debian patches

Michal Trojnara Michal.Trojnara at mirt.net
Fri Apr 24 15:59:21 CEST 2015

Hash: SHA1

Hi Peter,

>> 10-no-zlib-compression.patch
>> I'm completely confused by this patch.  According to my tests it
>> only makes stunnel reporting different errors when a user tries
>> to enable compression on Debian.  Why would anyone need this
>> patch?
> Well, the problem is that stunnel unconditionally adds zlib to the
> compression stack, no matter what compression algorithm the user
> has actually chosen.  Right now, OpenSSL does not provide any
> other compression methods, just "zlib" and "rle", but if the user
> has her own OpenSSL version with a custom compression algorithm
> built in or added as some sort of extension, trying to use it would
> fail because stunnel would first try to add "zlib" - and that's not
> present on Debian.
> This patch's purpose is mainly the ssl.c change, the
> "de-mandatorizing" of COMP_zlib().  The change to the configuration
> parser is more of a convenience - display an informative error
> message to the user about the Debian-specific reason that her
> choice of zlib would not work. That's the main reason why I haven't
> forwarded this particular patch to you yet - I do believe it to be
> a Debian-specific thing, and I do think that it's useful for
> Debian.

So the solution that might be merged upstream would be to somehow
detect if the OpenSSL library was modified to remove zlib support, and
to remove the dependency in this case.  Am I right?

>> 12-restore-pidfile-default.patch
>> I strongly disagree with this approach, as it breaks
>> configuration file compatibility with the upstream.  Debian
>> should instead rewrite stunnel.conf when upgrading from stunnel
>> 4.xx.
> I agree with your strong disagreement with this patch.  I was kind
> of uncomfortable adding it in the first place, but the point was to
> not break compatibility and, well, yes, to avoid rewriting the
> configuration file in a possibly buggy automated manner :/
> My intention has always been to only keep this patch for one
> Debian release cycle, adding a warning during the system startup so
> that people might actually see it.  Now that Debian 8 (Jessie) is
> scheduled to be released this weekend (here's hoping!), I will
> remove the patch in the next upload of stunnel that will target
> Debian unstable/testing. However, with all due respect (and I do
> really respect your opinion on this and pretty much all other
> stunnel- or security-related matters :), the stunnel version in
> Jessie will have the patch.

I see your point.  The problem is that users may expect 5.x behavior
when stunnel 5.x is installed, and not the backported 4.x behavior.

Backporting 4.x behavior is probably fine as long as it is clearly
documented on the manual page.

> Right, these will be dropped in my upcoming update to stunnel-5.16
> after Jessie is released.

Just be aware of the critical security vulnerability that allows
certificate-based access control to be completely bypassed when the
"redirect" option is used.  Versions 5.00 to 5.12 are vulnerable.

Other important bugfixes include a fix for truncated connections in
stunnel 5.09, a fix for handling multiple connect/redirect
destinations in stunnel 5.14, and memory leak fixes in stunnel 5.15.

Adopting stunnel 5.16 might be easier than backporting those bugfixes.

> Thanks a lot, and once again, apologies for my silence :(

I hope our communication will get better in the future.

Best regards,
Version: GnuPG v1


More information about the stunnel-users mailing list