[stunnel-users] stunnel-users Digest, Vol 171, Issue 16

Johann Hörmann support at hans-hoermann.de
Thu Oct 25 13:47:05 CEST 2018


Am 25.10.18 um 12:00 schrieb stunnel-users-request at stunnel.org:
> Send stunnel-users mailing list submissions to
> 	stunnel-users at stunnel.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> or, via email, send a message with subject or body 'help' to
> 	stunnel-users-request at stunnel.org
> 
> You can reach the person managing the list at
> 	stunnel-users-owner at stunnel.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of stunnel-users digest..."
> 
> 
> Today's Topics:
> 
>    1. stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian
>       jessie (Johann Hörmann)
>    2. Re: stunnel 5.06 not yet linked against OpenSSL 1.0.1t on
>       debian jessie (Eric Eberhard)
>    3. stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian
>       jessie (Jakob Hirsch)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 24 Oct 2018 17:29:18 +0200
> From: Johann Hörmann <support at hans-hoermann.de>
> To: stunnel-users at stunnel.org
> Subject: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL
> 	1.0.1t on debian jessie
> Message-ID: <f9fb3d42-c0f2-dffd-e0b1-249d8e068081 at hans-hoermann.de>
> Content-Type: text/plain; charset=utf-8
> 
> Hi,
> 
> that's the log on a debian jessie, starting stunnel:
> 
> 2018.10.24 ..: stunnel 5.06 on x86_64-pc-linux-gnu platform
> 2018.10.24 ..: Compiled with OpenSSL 1.0.1k 8 Jan 2015
> 2018.10.24 ..: Running  with OpenSSL 1.0.1t  3 May 2016
> 2018.10.24 ..: Update OpenSSL shared libraries or rebuild stunnel
> 
> All debian packages are upgraded:
> $ sudo apt-get update
> ...
> $ sudo apt-get upgrade
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> $
> 
> $ dpkg -l|egrep 'openssl|stunnel'
> ...
> ii  openssl                        1.0.1t-1+deb8u9
> ...
> ii  stunnel4                       3:5.06-2+deb8u1
> $
> 
> Guess the log tells the current stunnel-package is not linked against
> openssl 1.0.1t lib yet.
> 
> No pinning is active:
> $ ls -l /etc/apt/preferences
> -rw-r--r-- 1 root root 0 Jun  4  2010 /etc/apt/preferences
> $
> 
> Is that - stunnel not being linked against the current openssl-lib - a
> serious problem?
> Will there soon be a stunnel-package being linked against openssl 1.0.1t?
> 
> 
> Thanks in Advance
> --
> Hans
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 24 Oct 2018 15:02:08 -0700
> From: "Eric Eberhard" <flash at vicsmba.com>
> To: 'Johann Hörmann' <support at hans-hoermann.de>,
> 	<stunnel-users at stunnel.org>
> Subject: Re: [stunnel-users] stunnel 5.06 not yet linked against
> 	OpenSSL 1.0.1t on debian jessie
> Message-ID: <03bb01d46be5$40d264c0$c2772e40$@vicsmba.com>
> Content-Type: text/plain;	charset="utf-8"
> 
> Static linking is much easier, especially when put in a non-standard place, such as /usr/local/customer-name/lib -- this means if somebody does an update of say openssl alone you won't have this problem.  You can also do it non-static as long as it is in a non-standard place and be pretty safe.
> 
> My versions have stunnel 5.44 and openssl 1.0.2 -- works fine.  It is static and keeps on ticking.
> 
> Eric
> 
> -----Original Message-----
> From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Johann Hörmann
> Sent: Wednesday, October 24, 2018 8:29 AM
> To: stunnel-users at stunnel.org
> Subject: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL 1.0.1t on debian jessie
> 
> Hi,
> 
> that's the log on a debian jessie, starting stunnel:
> 
> 2018.10.24 ..: stunnel 5.06 on x86_64-pc-linux-gnu platform
> 2018.10.24 ..: Compiled with OpenSSL 1.0.1k 8 Jan 2015
> 2018.10.24 ..: Running  with OpenSSL 1.0.1t  3 May 2016
> 2018.10.24 ..: Update OpenSSL shared libraries or rebuild stunnel
> 
> All debian packages are upgraded:
> $ sudo apt-get update
> ...
> $ sudo apt-get upgrade
> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
> $
> 
> $ dpkg -l|egrep 'openssl|stunnel'
> ...
> ii  openssl                        1.0.1t-1+deb8u9
> ...
> ii  stunnel4                       3:5.06-2+deb8u1
> $
> 
> Guess the log tells the current stunnel-package is not linked against openssl 1.0.1t lib yet.
> 
> No pinning is active:
> $ ls -l /etc/apt/preferences
> -rw-r--r-- 1 root root 0 Jun  4  2010 /etc/apt/preferences $
> 
> Is that - stunnel not being linked against the current openssl-lib - a serious problem?
> Will there soon be a stunnel-package being linked against openssl 1.0.1t?
> 
> 
> Thanks in Advance
> --
> Hans
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 25 Oct 2018 10:58:48 +0200
> From: Jakob Hirsch <jh at plonk.de>
> To: stunnel-users at stunnel.org
> Subject: [stunnel-users] stunnel 5.06 not yet linked against OpenSSL
> 	1.0.1t on debian jessie
> Message-ID: <a518f51f-180d-b1a3-96e1-c3f976dd1e42 at Message-ID.plonk.de>
> Content-Type: text/plain; charset=utf-8
> 
> Hi,
> 
> On 2018-10-24 17:29, Johann Hörmann wrote:
>> Is that - stunnel not being linked against the current openssl-lib - a
>> serious problem?
> 
> It is usually not necessary to rebuild all packages using a specific lib
> just because it got updated.
> 
>> Will there soon be a stunnel-package being linked against openssl 1.0.1t?
> 
> The debian people are doing that, so that would be something to ask
> them, specifically the package maintainers (see
> https://packages.debian.org/jessie/stunnel4). But since jessie support
> ended last June and LTS won't rebuild , I would not hold my breath.
> 
> Why do you care about this in the first place? You are using a stunnel
> version that is 4 years old and got last patched more than 3 years ago.
> If it's of any importance to you, you should really upgrade to stretch
> (optionally with bpo) or at least use jessie-backports.
> 
> 
> Regards
> Jakob
> 
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> 
> 
> ------------------------------
> 
> End of stunnel-users Digest, Vol 171, Issue 16
> **********************************************
> 
Thanks a lot for your valuable advices, Eric and Jakob!

Being just a dumb user, i supposed the distribution should stay 'in
harmony': Ok now i know for oldstable this can be solved by backports or
compiling stunnel with a static openssl-lib.

Upgrading to stretch is not yet a choice because i am using stunnel with
'verify=3' which results in checking the self-signed client-certs at the
server:

Can't tell why but my cacert file was generated with a CAFile value of
FALSE, which worked until jessie but at stretch the request results in a
reject by the openssl-lib because of the FALSE-value.

So first i have to renew and deploy all my customers certs - about 80 -
with a stretch-conform cacert performing with CAFile=true.


Hans
-- 
https://hoermann-solutions.com



More information about the stunnel-users mailing list