sles 11sp1 libopenssl patch in error, stunnel stops working



hackerd
20-Aug-2012, 08:06
I am using stunnel as an encryption tool for telnet sessions. Access via Windows stunnel clients (various versions of stunnel) is checked by checking for a client certificate (verify=3).

On 18th of July SUSE did a patch for libopenssl which upgraded libopenssl0_9_8 (0.9.8j-0.38.1) to libopenssl0_9_8 (0.9.8j-0.44.1).

After this update stunnel 4.36-0.6.1 stopped working, no more tunnels could be opened.
Reverting to the previous libopenssl version 0.38.1 cured the error.

I posted the error on the SUSE support page (report error) but until now there was no patch for stunnel or libopenssl.

/etc/mcstunnel.config:
client = no
pid = /var/run/stunnel.pid
debug = 7
chroot = /var/lib/stunnel
setuid = stunnel
setgid = nogroup
output = /var/run/stunnel.log
libwrap = yes
verify = 3
CApath = /certs
cert = /etc/stunnel/stunnel.pem
[telnet]
accept = 11111
connect = telnetserver:23

Automatic reply
30-Aug-2012, 13:30
hackerd,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your issue been resolved? If not, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com

hackerd
31-Aug-2012, 08:10
My problem is still open. I posted this here because SUSE made no attempt to correct their error.
I do not know if this is the correct thread, but I hoped for some corrective action.

I have a maintenance contract with SUSE for 25 servers, but only for the download of patches.
I think they will look at the error only if I have a support contract, which costs a lot more.
I can help myself but it is tedious to manually block patches.

I have had this error since 18th of July when SUSE introduced an erroneous libopenssl patch.
I posted the error on the SUSE support page (report error), but it is indicated there
that they will not be able to report back a reaction. I still wait for a stunnel or libopenssl
patch over the SUSE patch notification.

I can circumvent it by prohibiting installation of the libopenssl update, but that is tedious,
because it means manual intervention at any installation of patches.

If they make an erroneous patch and I report it back to them, I expect to have an error
correction ready after 45 days. But I think they put my error report in the trash bin.

ab
31-Aug-2012, 12:49
SUSE received your report and is in the process of releasing the patch
created. For what it is worth you should be able to open a Service
Request (SR) with the company and have it refunded if you are reporting
a previously-unresolved bug so that may be a better route in the future.
For now, Bug# 777894 is probably what you're after and there is a patch
for stunnel that appears to fix things. Its md5 checksum is
36c00f6d21d8e7e80825f2f27b9962f3 and it is available in a pre-release,
beta, non-officially-tested, unsupported state for you to try in a TEST
environment from the following URL:
ftp://ftp.novell.com/outgoing/stunnel-4.36-0.6.1.4625.0.PTF.777894.x86_64.rpm

If this does not work for you feel free to post back here and I can
check into it, but it may be that this patch requires other patches to
be in place as well to work... I don't know much about it other than
what I found in the bug.

Good luck.

hackerd
06-Sep-2012, 08:18
On 20120901 SUSE released a recommended update for stunnel 6726 (stunnel-4.36-0.10.1.x86_64.rpm).
This solves the problem for sles 11 SP2 and we can again apply the current libopenssl patches.

ab
06-Sep-2012, 12:17
Great! Thank-you for posting this confirming update.

Good luck.