Bug 31756 - stunnel 4.04 has wrong blinding patch
Summary: stunnel 4.04 has wrong blinding patch
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High major
Assignee: Daniel Ahlberg (RETIRED)
Reported: 2003-10-22 10:43 UTC by Neil Katin
Modified: 2003-10-28 06:56 UTC
Description Neil Katin 2003-10-22 10:43:03 UTC
Stunnel does not work in client mode.  This is a known problem (to the
stunnel team) and was fixed in April 2003.

The root cause of the problem is that a patch in March to fix a blinding
bug in openssl broke client connections that do not have a client certificate.

The most current patch is available at:

http://www.stunnel.org/patches/patches/blinding-4.x_bri.patch

This bug is closely related to bug # 23213, which is about stunnel version 3.

Reproducible: Always
Steps to Reproduce:
1. Copy this text to a file "stunnel.test"

# Some debugging stuff
debug = 7
foreground = yes
#output = stunnel.log

# Use it for client mode
client = yes
pid =

# Service-level configuration

[test]
accept  = localhost:3333
connect = www.amazon.com:443


2. run "/usr/sbin/stunnel stunnel.test"
3. run "telnet localhost 3333"


Actual Results:  

The telnet failed.  The stunnel window printed out:

2003.10.22 10:33:11 LOG3[9830:16386]: Unable to get access to the SSL private key.
2003.10.22 10:33:11 LOG3[9830:16386]: SSL_get_privatekey: Peer suddenly disconnected

Expected Results:  

It should connect to the https amazon server.

Gentoo Base System version 1.4.3.10p1
Portage 2.0.49-r13-2 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.4.20-gentoo-r5)
=================================================================
System uname: 2.4.20-gentoo-r5 i686 VIA Ezra
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=i586 -m3dnow -O2 -pipe -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /var/chroot/named/etc /var/chroot/apache2/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=i586 -m3dnow -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs sandbox ccache fixpackages noclean"
GENTOO_MIRRORS="http://gentoo.oregonstate.edu http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 oss apm arts avi crypt cups encode foomaticdb gif imlib jpeg libg++ libwww mad mikmod motif mpeg ncurses nls oggvorbis opengl pdflib png quicktime sdl spell svga truetype xml2 xmms xv zlib gdbm berkdb slang readline java mysql gpm tcpd pam perl python -X -gtk -gnome -kde -qt -alsa apache2 ssl"
Comment 1 Neil Katin 2003-10-22 10:46:58 UTC
I left out the proposed fix:  update the patch
in net-misc/stunnel/files/stunnel-4.04-blinding.patch
to have the current patch (as obtained from the
stunnel web site).

Also, this bug will naturally "be fixed" when openssl
0.9.7b (or later) is unmasked and stunnel is emerged
again (due to a compile-time dependency check in
the stunnel patch).
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-10-28 06:56:47 UTC
I've updated the openssl dependency to >=openssl-0.9.6j which should make
the blinding patches obsolete. Please re-emerge stunnel and re-open this
bug if there still are problems.