[stunnel-users] Stunnel 5.57b2 OpenSSL 1.1.1g
Olaf Brandt
olaf at brandt.berlin
Tue May 19 08:11:27 CEST 2020
Hi,
I have an issue with stunnel since OpenSSL was updated to 1.1.1g.
Stunnel has been built from scratch after the update and gives these errors:
[ ] Clients allowed=500
[.] stunnel 5.57 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.1.1g 21 Apr 2020
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [dns_local]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] No certificate or private key specified
[!] error queue: crypto/x509/by_file.c:205: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
[!] error queue: crypto/pem/pem_info.c:196: error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib
[!] error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
[!] error queue: crypto/asn1/tasn_dec.c:1118: error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header
[!] SSL_CTX_load_verify_locations: crypto/asn1/asn1_lib.c:91: error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
[!] Service [dns_local]: Failed to initialize TLS context
[ ] Deallocating section defaults
[ ] Deallocating section [dns_local]
[ ] Deallocating section defaults
Config:
chroot=/var/lib/stunnel
pid=/var/run/stunnel.pid
debug = debug
[dns_local]
sslVersion = TLSv1.3
client = yes
accept = localhost:1053
connect = 185.95.218.42:853
checkHost = dns.digitale-gesellschaft.ch
verifyPeer = yes
CAfile = /etc/stunnel/cf.crt
[dns_local_fallback]
sslVersion = TLSv1.3
client = yes
accept = localhost:1054
connect = 185.95.218.43:853
checkHost = dns.digitale-gesellschaft.ch
verifyPeer = yes
CAfile = /etc/stunnel/cf43.crt
OpenSSL check of the cert files seems OK:
openssl x509 -text -noout -in /etc/stunnel/cf.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:16:19:87:62:ac:be:ec:92:7b:6e:75:b8:a3:2e:ba:ea:28
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: May 17 21:00:22 2020 GMT
Not After : Aug 15 21:00:22 2020 GMT
Subject: CN = dns.digitale-gesellschaft.ch
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c0:01:03:42:24:5b:07:7e:46:06:fc:e0:21:56:
93:c4:6a:3c:88:c8:df:be:91:d6:d8:7a:b7:fc:3f:
8c:f1:b9:74:ec:c1:3b:2b:02:fe:27:93:1e:d6:d3:
a1:95:31:ed:c7:06:26:28:74:60:7e:70:53:39:4b:
e5:43:c2:81:dc:50:f3:d7:9e:0b:87:5b:2c:e8:a8:
eb:71:bc:7b:04:92:d5:be:66:ba:0e:d8:9f:27:28:
77:9f:7c:68:2f:2f:64:2d:8a:86:f7:cf:c6:3a:c1:
1b:d4:e9:95:d6:c0:f3:77:f3:cd:79:16:40:86:ce:
d5:dc:be:b2:c6:5b:7c:fe:e3:68:8d:25:61:41:a8:
99:b3:f4:62:60:19:bf:96:32:46:ef:e4:6a:c2:3d:
00:f6:44:b9:63:94:50:0e:fb:a0:e1:88:eb:79:cf:
b7:a5:d1:29:0c:d6:bf:ee:ad:1b:9b:8e:7c:94:4f:
f8:5a:0e:a7:5e:62:e7:67:61:9e:83:cb:a0:f7:56:
f6:bc:ec:df:4d:60:6a:fe:08:fa:1c:ae:17:05:54:
0f:b0:f8:1f:6c:78:ca:a0:99:ec:4b:06:b3:79:97:
88:d1:7e:c8:93:cf:15:6b:9d:ea:d2:ef:88:da:1b:
e8:2b:dd:0d:6e:f2:7e:f3:75:60:03:6a:87:64:79:
e6:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
9C:E3:0E:F4:F1:60:60:EC:21:7D:D8:D6:5F:0E:7B:FF:90:DB:68:01
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
Timestamp : May 17 22:00:22.318 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:3D:7F:5A:57:E3:CE:42:A0:2A:16:FD:59:
AE:7A:11:19:AE:BE:BE:AA:5A:4A:B0:1E:66:8E:D6:21:
A8:35:F8:CB:02:21:00:DB:06:63:54:26:03:76:28:CD:
05:BF:08:8B:1B:95:2B:D2:A1:B3:AC:63:6A:DD:84:E7:
84:3A:70:A6:54:31:2B
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
Timestamp : May 17 22:00:22.412 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:EA:BC:2D:B6:B1:71:0B:CE:75:A7:15:
86:D2:C0:05:49:08:38:CC:B9:EF:DA:1F:23:53:1A:5F:
BD:31:19:A5:0A:02:20:21:2F:94:08:61:D0:A8:CA:3F:
71:D3:54:4D:E3:56:50:91:51:A6:01:16:77:9E:AE:31:
2E:43:E1:68:C0:CE:F2
Signature Algorithm: sha256WithRSAEncryption
9b:b8:24:f8:30:fc:77:5d:67:91:40:c7:bf:58:cf:64:67:7f:
87:33:8e:04:19:93:98:bb:35:cb:4e:b3:78:c0:04:5c:48:f4:
74:38:f2:57:02:38:3b:84:19:aa:9b:39:08:1d:f9:62:f4:c7:
af:e4:17:40:02:99:7a:c5:24:fc:ee:b1:d5:95:b0:a2:58:f0:
db:44:0f:50:3c:92:81:e8:8f:81:4d:e1:eb:e4:86:5d:d0:c8:
31:d2:30:07:7f:56:48:65:bd:a0:01:38:19:81:e4:80:38:21:
1f:ae:13:96:54:cd:9f:b1:cb:b2:47:00:f0:8b:d4:0d:61:29:
99:cb:71:ee:f6:53:ab:27:45:33:7b:0c:f4:e4:85:58:a7:8e:
58:8e:88:04:0d:e8:03:18:41:e6:8f:b5:c1:c1:9d:da:57:0a:
85:d7:19:05:4f:f9:8f:8c:b5:60:3f:67:f0:d8:fd:10:98:ad:
de:25:88:7b:67:0f:bd:e1:7c:21:fb:35:8c:b2:26:78:de:b1:
54:a4:e9:9f:e0:48:d6:1a:0e:60:a6:f6:21:8c:b3:df:21:a1:
0c:16:d4:ab:93:3a:5d:94:22:34:40:5b:7e:ef:ea:f8:a1:15:
d6:8d:69:aa:40:fe:ae:6f:79:dd:49:49:1a:88:0f:15:61:19:
00:f8:41:6c
openssl x509 -text -noout -in /etc/stunnel/cf43.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:2b:84:39:5e:99:3d:2d:85:52:63:3a:d2:fa:bc:2e:60:4b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Mar 16 22:01:15 2020 GMT
Not After : Jun 14 22:01:15 2020 GMT
Subject: CN = dns.digitale-gesellschaft.ch
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:0e:73:84:9c:89:7c:f8:2a:db:79:5f:78:ac:
39:a8:c5:25:b4:86:5b:9e:1c:3c:14:a6:17:ae:67:
f1:02:17:0b:dc:36:ea:a1:9c:57:91:5b:5a:91:6b:
df:7b:4c:74:7e:6c:e2:eb:5f:a5:95:02:25:43:c1:
3e:f0:67:5d:80:27:6f:37:72:0e:1f:b7:c3:13:e2:
3a:a5:13:b6:41:d0:01:aa:d0:7f:68:d4:5e:10:95:
ee:17:bb:8d:8b:77:a3:7e:c8:9e:7a:8a:35:8a:09:
00:82:80:67:70:34:ac:f5:bc:24:4a:b9:c4:df:1f:
1e:e4:48:66:a8:76:60:d8:a3:d5:64:3b:9d:7e:7b:
18:99:f7:31:a5:28:4e:a4:47:24:25:af:18:32:d5:
f9:98:67:21:f7:49:23:c2:72:00:73:e5:25:ca:af:
a5:ae:df:00:62:d8:f2:5e:1e:8a:26:5a:63:5b:22:
e1:eb:2d:b4:e9:57:de:16:8c:a0:72:db:ff:82:46:
b8:d8:55:ad:55:84:e5:65:b5:86:8b:47:00:ea:85:
0d:74:c6:9d:9f:95:e4:3a:19:fe:3d:8f:5f:4b:f8:
ed:a5:93:3f:ea:31:fd:41:74:7e:6b:ae:bf:98:9a:
70:85:d8:9f:51:85:fc:5e:11:eb:b9:60:6a:c3:bf:
81:f7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
DE:64:78:2F:E4:81:84:C3:C9:3F:5C:01:DB:D0:42:E2:0D:CB:48:B8
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:dns.digitale-gesellschaft.ch, DNS:dns1.digitale-gesellschaft.ch, DNS:dns2.digitale-gesellschaft.ch
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
Timestamp : Mar 16 23:01:15.249 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:04:32:96:55:70:AB:40:41:3B:E2:6C:E3:
8E:78:1E:82:F7:84:57:6A:76:2C:11:2B:24:A6:BB:72:
59:F1:F9:8A:02:20:67:12:DB:64:C1:D8:15:5D:3F:ED:
8B:8F:01:68:B8:A1:D2:B0:20:2B:32:54:11:14:82:72:
06:B8:E6:1C:1C:69
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
Timestamp : Mar 16 23:01:15.303 2020 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:1B:C7:5B:F2:A9:04:12:6A:62:E8:33:F9:
BD:08:39:1D:0F:F3:39:8D:F2:F8:37:E3:C8:05:CC:1B:
E7:31:F7:83:02:20:12:47:02:D3:E3:93:48:9A:F3:5A:
B9:F4:12:85:87:0F:D4:F2:B7:79:F5:8C:DD:77:D4:5E:
BE:D0:95:27:83:9C
Signature Algorithm: sha256WithRSAEncryption
82:30:ea:0a:6f:45:53:e7:f8:a0:80:69:47:a4:7d:ee:6a:78:
a3:34:00:f1:bb:0d:c8:3a:1f:37:8e:25:f9:9d:cc:a5:e0:15:
03:a5:da:2a:28:af:89:97:f9:d6:20:61:ae:1e:16:80:f4:1a:
2c:08:ac:74:f3:80:2f:ae:17:f7:f4:b4:1c:b7:f1:59:f9:73:
fd:12:cb:e3:48:36:bd:fe:99:38:69:44:7f:3b:dc:38:98:54:
75:f5:00:d0:de:93:eb:5a:4d:5e:65:d0:99:9e:64:75:8f:cd:
e4:6f:1e:22:d5:8f:cb:4d:78:ef:0e:70:38:b7:f0:af:4d:30:
7b:9a:ea:1d:6c:b7:cb:18:2b:de:5a:18:d2:4b:bb:e6:79:b2:
45:8b:01:dc:d1:15:45:cc:cc:f0:5d:a6:98:10:90:72:d2:da:
ef:7a:3c:1c:af:42:f0:7f:85:5b:49:53:e8:b3:51:11:e4:93:
fc:b3:8a:dc:bc:5c:40:8d:bb:36:be:36:87:09:de:23:19:29:
1d:f3:7e:70:5b:43:43:ad:6e:a4:b4:55:ac:9e:f5:10:05:31:
a7:a5:00:66:8a:e7:67:4e:02:2a:2d:40:d4:2c:e8:f1:bb:35:
8d:b7:cf:52:b0:71:04:72:d0:ab:fb:e6:f6:c7:45:33:db:88:
d5:90:f0:32
Any suggestions?
Thanks.
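Added example, not code from the original post or from the stunnel project: a small Python checker that walks every PEM block in a CAfile in the same way X509_load_cert_crl_file does, and reports per-block DER framing problems. `openssl x509 -in FILE` only reads the first block, so a damaged second object, stray bytes after the certificate, CRLF line endings or a byte order mark are invisible to it while SSL_CTX_load_verify_locations still fails. The sample CAfile in the block is constructed from tiny DER objects standing in for certificates; the status strings "too long" and "bad object header" mirror the OpenSSL messages in the log above but are produced by this script's own minimal DER length check, not by OpenSSL. Two things worth noting from the page itself: both CAfiles hold end-entity Let's Encrypt certificates (CA:FALSE, 90-day validity), and stunnel's verifyPeer = yes requires the peer's own certificate to be present in CAfile, so these files pin the leaf and must be refreshed at every renewal.

```python
"""Walk every PEM block in a CAfile, the way OpenSSL's X509_load_cert_crl_file
does, and report per-block DER framing problems.  `openssl x509 -in FILE`
stops after the first block, so a damaged later object is invisible to it.
The sample CAfile below is constructed; its blocks are not real certificates."""
import base64
import binascii
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([^-\r\n]+)-----\r?\n(.*?)-----END \1-----", re.S)
SEQUENCE = 0x30  # every X.509 Certificate is an outer DER SEQUENCE


def der_outer(der: bytes):
    """Parse the outer tag and length of a DER object.
    Raises ValueError with an OpenSSL-style message when the framing is wrong."""
    if len(der) < 2:
        raise ValueError("bad object header")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    elif first == 0x80:                   # indefinite length is BER, never DER
        raise ValueError("bad object header")
    else:                                 # long form: 0x80 | count of length octets
        n = first & 0x7F
        if n > 4 or len(der) < 2 + n:
            raise ValueError("bad object header")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if length > len(der) - hdr:           # length field claims more bytes than exist
        raise ValueError("too long")
    return tag, hdr, length


def check_block(label: str, body: str) -> dict:
    """Decode one PEM body and classify it: ok / bad base64 / too long /
    bad object header / trailing bytes."""
    result = {"label": label, "status": "ok", "detail": ""}
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError) as exc:
        return dict(result, status="bad base64", detail=str(exc))
    try:
        tag, hdr, length = der_outer(der)
    except ValueError as exc:
        return dict(result, status=str(exc), detail=f"{len(der)} bytes decoded")
    if label == "CERTIFICATE" and tag != SEQUENCE:
        return dict(result, status="bad object header",
                    detail=f"outer tag 0x{tag:02x}, expected SEQUENCE 0x30")
    if hdr + length != len(der):
        return dict(result, status="trailing bytes",
                    detail=f"{len(der) - hdr - length} bytes after the object")
    result["detail"] = f"{label}: {length} content bytes"
    return result


def check_cafile(text: str) -> dict:
    """Return {'warnings': [...], 'blocks': [...]} for a whole PEM file."""
    warnings = []
    if text.startswith("\ufeff"):
        warnings.append("UTF-8 byte order mark at start of file")
    if "\r" in text:
        warnings.append("CR characters present (CRLF line endings)")
    blocks = [check_block(label, body) for label, body in PEM_BLOCK.findall(text)]
    if not blocks:
        warnings.append("no PEM blocks found")
    return {"warnings": warnings, "blocks": blocks}


def pem(label: str, body: str) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def b64(der: bytes) -> str:
    return base64.b64encode(der).decode()


# Constructed sample: tiny DER objects standing in for certificates.
GOOD_DER = bytes.fromhex("30 03 02 01 05")       # SEQUENCE { INTEGER 5 }
TRUNCATED_DER = bytes.fromhex("30 10 02 01 05")  # claims 16 content bytes, has 3
WRONG_TAG_DER = bytes.fromhex("04 03 02 01 05")  # OCTET STRING, not SEQUENCE
SAMPLE_CAFILE = (
    pem("CERTIFICATE", b64(GOOD_DER))
    + pem("CERTIFICATE", b64(TRUNCATED_DER))
    + pem("CERTIFICATE", b64(WRONG_TAG_DER))
    + pem("CERTIFICATE", "MAMC*QU=")             # one corrupted base64 character
)

if __name__ == "__main__":
    # usage: python check_cafile.py [/etc/stunnel/cf.crt]; no argument checks the sample
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", newline="") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CAFILE
    res = check_cafile(text)
    for w in res["warnings"]:
        print("warning:", w)
    for i, b in enumerate(res["blocks"], 1):
        print(f"block {i}: {b['status']:18} {b['detail']}")
```

Run it against /etc/stunnel/cf.crt from the same host and user that stunnel runs as; since the configuration sets chroot=/var/lib/stunnel, also confirm that the CAfile is read before the chroot takes effect or is reachable inside it. The script checks DER framing only, not signatures or chain validity; `openssl crl2pkcs7 -nocrl -certfile cf.crt | openssl pkcs7 -print_certs -noout` is the OpenSSL-side cross-check that lists every certificate in the file rather than only the first.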