[stunnel-users] since version 5.22 stunnel doesn't compile when OpenSSL version < 1.0.0 is used

Michal Trojnara Michal.Trojnara at mirt.net
Thu Aug 6 10:02:05 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jose,

Your patch does allow stunnel to build, but also breaks OCSP completely.
The enclosed patch allows stunnel to build while preserving as much of
the OCSP functionality as is possible with the old OpenSSL.

Please also test stunnel 5.23b2:
https://www.stunnel.org/downloads.html

Mike

On 06.08.2015 00:13, Jose Alf. wrote:
> Eugene,
> 
> I was about to report that too. I think that the earliest version
> that should be supported is 0.9.8. It will be supported by the
> OpenSSL team until year end. I found the problem is due to two
> functions used in verify.c that appear only in openssl 1.0.0
> (OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req). I compiled
> successfully against 0.9.8zg with the following patch:
> 
> --- stunnel-5.22/src/verify.c   Thu Jul 30 05:08:46 2015 +++
> stunnel-5.22.new/src/verify.c       Wed Aug 05 16:32:41 2015 @@
> -722,12 +722,16 @@ sslerror("OCSP: OCSP_sendreq_new"); goto
> cleanup; } + +   #if OPENSSL_VERSION_NUMBER >= 0x1000000fL 
> if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) { 
> sslerror("OCSP: OCSP_REQ_CTX_add1_header"); goto cleanup; } 
> if(!OCSP_REQ_CTX_set1_req(req_ctx, req)) goto cleanup; +   #endif 
> + while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) { 
> s_poll_init(c->fds); s_poll_add(c->fds, c->fd,
> BIO_should_read(bio), BIO_should_write(bio));
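Review bot: the new `#if OPENSSL_VERSION_NUMBER >= 0x1000000fL` guard has no `#else` branch, so on OpenSSL older than 1.0.0 `OCSP_REQ_CTX_set1_req(req_ctx, req)` is compiled out and the request `req` is never attached to `req_ctx`; the `OCSP_sendreq_nbio(&resp, req_ctx)` loop that follows then drives an HTTP exchange with no OCSP request in it, and the `Host` header is lost the same way. That is the "breaks OCSP completely" Mike reports above, and it is the worst kind of failure for a revocation check: the build succeeds and verification silently stops asking the responder. On the pre-1.0.0 API the request has to be handed over differently, e.g. passed to the `OCSP_sendreq_new()` call a few lines above this hunk (the one guarded by `sslerror("OCSP: OCSP_sendreq_new")`) instead of being set afterwards, or the old-OpenSSL branch should fail with a clear error rather than carry on. The two bare `+` lines adding empty lines around the block should also be dropped.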
> 
> 
> 
> 
> On Wednesday, August 5, 2015 4:14 PM, Eugene Rudoy 
> <gene.devel at gmail.com> wrote:
> 
> 
> Hi all,
> 
> on the one hand the "welcome to the stunnel-users mailing
> list"-mail explicitly states "Never report problems with an old
> version of stunnel and OpenSSL. Upgrade to the latest versions
> first". On the other hand common.h contains
> 
> #if OPENSSL_VERSION_NUMBER<0x0090700fL
> #error OpenSSL 0.9.7 or later is required
> #endif /* OpenSSL older than 0.9.7 */
> 
> So it looks like OpenSSL versions >= 0.9.7 are still supported,
> that's the reason I'm reporting the following bug and ignoring the 
> welcome-mail.
> 
> 
> Since version 5.22 stunnel doesn't compile when OpenSSL 0.9.8 is
> used (the only OpenSSL version < 1.0.0 I've tested with, 0.9.7 is
> probably also affected):
> 
> /home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc
> -DHAVE_CONFIG_H -I.
> -I/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/include
> -DLIBDIR='"/usr/lib/stunnel"' -DCONFDIR='"/etc/stunnel"' -march=24kc
> -mtune=24kc -msoft-float -Os -pipe -Wa,--trap -D_LARGEFILE_SOURCE
> -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -pthread -Wall
> -Wextra -Wpedantic -Wformat=2 -Wconversion -Wno-long-long
> -Wno-deprecated-declarations -D_FORTIFY_SOURCE=2
> -ffunction-sections -fdata-sections -MT stunnel-verify.o -MD -MP
> -MF .deps/stunnel-verify.Tpo -c -o stunnel-verify.o `test -f
> 'verify.c' || echo './'`verify.c
> verify.c: In function 'ocsp_get_response':
> verify.c:725:5: warning: implicit declaration of function 'OCSP_REQ_CTX_add1_header' [-Wimplicit-function-declaration]
>      if(!OCSP_REQ_CTX_add1_header(req_ctx, "Host", host)) {
>      ^
> verify.c:729:5: warning: implicit declaration of function 'OCSP_REQ_CTX_set1_req' [-Wimplicit-function-declaration]
>      if(!OCSP_REQ_CTX_set1_req(req_ctx, req))
>      ^
> ...
> libtool: link:
> /home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/bin/mips-linux-uclibc-gcc
> -march=24kc -mtune=24kc -msoft-float -Os -pipe -Wa,--trap
> -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
> -pthread -Wall -Wextra -Wpedantic -Wformat=2 -Wconversion
> -Wno-long-long -Wno-deprecated-declarations -D_FORTIFY_SOURCE=2
> -ffunction-sections -fdata-sections -Wl,-z -Wl,relro -Wl,-z
> -Wl,now -Wl,-z -Wl,noexecstack -Wl,--gc-sections -o stunnel
> stunnel-tls.o stunnel-str.o stunnel-file.o stunnel-client.o
> stunnel-log.o stunnel-options.o stunnel-protocol.o
> stunnel-network.o stunnel-resolver.o stunnel-ssl.o stunnel-ctx.o
> stunnel-verify.o stunnel-sthreads.o stunnel-fd.o stunnel-dhparam.o
> stunnel-cron.o stunnel-stunnel.o stunnel-pty.o stunnel-libwrap.o
> stunnel-ui_unix.o
> -L/home/freetz/freetz-trunk-dev/toolchain/build/mips_gcc-4.8.5_uClibc-0.9.33.2-nptl_kernel-3.10/mips-linux-uclibc/usr/lib
> -lssl -lcrypto -lz -ldl -lutil -pthread
> libtool: link: ( cd ".libs" && rm -f "libstunnel.la" && ln -s "../libstunnel.la" "libstunnel.la" )
> stunnel-verify.o: In function `ocsp_request':
> verify.c:(.text.ocsp_request+0x200): undefined reference to `OCSP_REQ_CTX_add1_header'
> verify.c:(.text.ocsp_request+0x21c): undefined reference to `OCSP_REQ_CTX_set1_req'
> collect2: error: ld returned 1 exit status
> 
> Both OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_set1_req are
> available since OpenSSL 1.0.0. I've fixed the _compile_ issue for
> me by partially reverting the changes from 5.22 (s. attached
> patch). I'm however not sure if by doing so I'm introducing anew
> one of the bugs mentioned in the 5.22-changelog as "Fixed a number
> of OCSP bugs".
> 
> @Michał: could you please take a look into the issue and fix it in
> a proper way in case my fix is wrong? Thanks a lot!
> 
> Best regards,
> Gene
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> 
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVwxR8AAoJEC78f/DUFuAUyzcP+wVW2YuXBCnYHxbIJeLZYP8S
2xKJ5bYlmCkNfJnva4DfGt2nNX2uuecSzPuXEdsKViByjHDWpZZzLQDdySr8iYh3
XowV/eCTDTUYwDNje8rIZTg62yJ4ffOun5uSZ989GjH1Jd1F+nDz6qZI+2h5yMuq
3n8aVwNfgD/XJrVV1pqNMiMvRbl+gFVhf+3uZr4+k7HWPqhHYpQyTF/QpNczS4yY
3x8g5UGomubIvjGyik5fzMW34+FmTqJrzrjU0YSCKgQmGXhhlVv4jwdjZtHkEXmS
qtA1B2+oNiCR99GCai60C6LIasFailv9cBy3JG0CL+uLFaOH0aLyXDb/UWuoq29q
1Mh/mfcfkJb9RUZUwqIfjzX85m6a6wH54Qk1ULBMWyoC11lOdKkHsKdbMcD9o5io
bfsTzPmRnhls29coT/GLuAHBFOV5kKbPIVMF2CbQpkf/nzurkYGGC0mQGqc6qEsm
JHK/pGEoxn6rQC679OcXVrGP07s8Lq98Z8rzTuxF2UsohcNDOqKK7EptP1W5Q5jV
pRnPD3g12DoKGMjUHqnyPvtIPlZc4tX2dJO87AvIK+m/K+jC5KIEnejBMGoT1f3B
OGCkOYd2zd5mfhBfY38EEibFzPoev1zTzTfLAkW2mzzKGWL/1tUUuja7MwPJK2h2
pjl+JwPZaDD9tZYxpeqF
=xaQl
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ocsp-host.patch
Type: text/x-patch
Size: 987 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20150806/60fb780c/attachment.bin>
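The whole thread turns on two constants, 0x0090700fL in common.h and 0x1000000fL in the proposed guard, and on whether a given 0.9.8 build falls on the wrong side of them. The following is an added example, not code from stunnel or from anyone in this thread: it decodes the pre-3.0 OPENSSL_VERSION_NUMBER layout (0xMNNFFPPS: major, minor, fix, patch letter(s), status nibble) into the version string OpenSSL prints, and reproduces the comparison a `#if OPENSSL_VERSION_NUMBER >= ...` guard performs, so a guard can be checked against the exact versions a tree is built with. The sample version numbers in main() are constructed for illustration (0x0090821fL is how 0.9.8zg from Jose's message encodes under this scheme; the layout assumption is stated in the comments).

```c
/*
 * Added example: decode and compare OpenSSL's pre-3.0 OPENSSL_VERSION_NUMBER.
 * Assumed layout (OpenSSL 0.9.x through 1.1.x): 0xMNNFFPPS
 *   M  = major, NN = minor, FF = fix, PP = patch (0 none, 1..26 = a..z,
 *   27.. = za, zb, ...), S = status (0 dev, 1..14 beta, 0xf release).
 */
#include <stdio.h>
#include <string.h>

struct openssl_version {
    unsigned major, minor, fix, patch, status;
};

static struct openssl_version openssl_version_decode(unsigned long n)
{
    struct openssl_version v;
    v.major  = (unsigned)((n >> 28) & 0xf);
    v.minor  = (unsigned)((n >> 20) & 0xff);
    v.fix    = (unsigned)((n >> 12) & 0xff);
    v.patch  = (unsigned)((n >> 4) & 0xff);
    v.status = (unsigned)(n & 0xf);
    return v;
}

/* Render the number the way OpenSSL names releases: 0.9.8zg, 1.0.0, 1.0.2d */
static const char *openssl_version_string(unsigned long n, char *buf, size_t len)
{
    struct openssl_version v = openssl_version_decode(n);
    char patch[3] = { 0, 0, 0 };

    if (v.patch >= 1 && v.patch <= 26) {
        patch[0] = (char)('a' + v.patch - 1);      /* a..z */
    } else if (v.patch > 26) {
        patch[0] = 'z';                              /* za, zb, ... zg */
        patch[1] = (char)('a' + v.patch - 27);
    }
    if (v.status == 0xf)
        snprintf(buf, len, "%u.%u.%u%s", v.major, v.minor, v.fix, patch);
    else if (v.status == 0)
        snprintf(buf, len, "%u.%u.%u%s-dev", v.major, v.minor, v.fix, patch);
    else
        snprintf(buf, len, "%u.%u.%u%s-beta%u", v.major, v.minor, v.fix, patch, v.status);
    return buf;
}

/* Convenience for checks: does the number render as the expected string? */
static int openssl_version_is(unsigned long n, const char *expect)
{
    char buf[32];
    return strcmp(openssl_version_string(n, buf, sizeof buf), expect) == 0;
}

/*
 * The comparison a guard like "#if OPENSSL_VERSION_NUMBER >= 0x1000000fL"
 * performs, expressed on the decoded fields: major.minor.fix only, so that
 * every patch level of a release (0.9.8zg, 1.0.2d, ...) is treated alike.
 */
static int openssl_at_least(unsigned long have, unsigned major, unsigned minor, unsigned fix)
{
    struct openssl_version v = openssl_version_decode(have);
    if (v.major != major) return v.major > major;
    if (v.minor != minor) return v.minor > minor;
    return v.fix >= fix;
}

int main(void)
{
    /* Constructed sample version numbers for illustration */
    const unsigned long samples[] = { 0x0090700fUL, 0x0090821fUL, 0x1000000fUL, 0x1000204fUL };
    char buf[32];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("0x%08lx = %-8s  >= 0.9.7: %d  >= 1.0.0 (OCSP_REQ_CTX_* guard): %d\n",
               samples[i], openssl_version_string(samples[i], buf, sizeof buf),
               openssl_at_least(samples[i], 0, 9, 7),
               openssl_at_least(samples[i], 1, 0, 0));
    }
    return 0;
}
```

Run stand-alone it lists each sample with both checks; the point to take from it is that 0.9.8zg clears the common.h floor (0.9.7) but not the 1.0.0 guard in the patch, which is exactly the combination that compiles with the OCSP calls removed. Note that OpenSSL 3.x keeps OPENSSL_VERSION_NUMBER only for compatibility and adds OPENSSL_VERSION_MAJOR/MINOR/PATCH; the decoder above is written for the older scheme.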

