
List:       stunnel-users
Subject:    [stunnel-users] Segmentation fault on the stunnel 5.57 running on RHEL7
From:       paulrbk () gmail ! com
Date:       2020-12-11 2:35:23
Message-ID: 20201211023523.1900.75972 () linode ! mirt ! net

Hi All

We have a segmentation fault on stunnel 5.57 running on RHEL7.

Dec 10 16:54:32 prod001 kernel: stunnel[1572]: segfault at 278 ip 00007f3fdca229c2 sp 00007f3fd9011a28 error 6 in libssl.so.1.0.2k[7f3fdc9da000+67000]

$ uname -a
Linux prod001 3.10.0-1160.2.1.el7.x86_64 #1 SMP Mon Sep 21 21:00:09 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa|grep openssl
openssl-devel-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-1.0.2k-19.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64

Below is the configuration:
===================================
pid = /home/admin/run/stunnel.pid

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

#debug = 2
debug = 7
output = /home/admin/log/stunnel.log

########################################################
###
### INSTANCE 1: program1
###

### Tunnel for remote connection (Server_aaS)
###
[program1-remote-to-local]
cert = /home/admin/config/certs/prod001.crt
key = /home/admin/config/certs/prod001.key
accept = 192.168.1.33:7011
connect = 192.168.1.33:7001


### Tunnel for local connection 
###
[program1-local-to-local]
client = yes
CAfile = /home/admin/config/certs/prod001.crt
accept = 127.0.0.1:7011
connect = 192.168.1.33:7011


### Tunnel to connect remote Tunnel 
### SERVER-02 192.168.1.34:7021
###
[program1-01-to-02]
client = yes
CAfile = /home/admin/config/certs/prod002.crt
accept = 192.168.1.33:7021
connect = 192.168.1.34:7021

==========================================

$ ./stunnel -help
Initializing inetd mode configuration
stunnel 5.57 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2k-fips  26 Jan 2017
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
 
Global options:
chroot                 = directory to chroot stunnel process
compression            = compression type
EGD                    = path to Entropy Gathering Daemon socket
engine                 = auto|engine_id
engineCtrl             = cmd[:arg]
engineDefault          = TASK_LIST
fips                   = yes|no FIPS 140-2 mode
foreground             = yes|quiet|no foreground mode (don't fork, log to stderr)
log                    = append|overwrite log file
output                 = file to append log messages
pid                    = pid file
RNDbytes               = bytes to read from random seed files
RNDfile                = path to file with random seed data
RNDoverwrite           = yes|no overwrite seed datafiles with new random data
syslog                 = yes|no send logging messages to syslog
 
Service-level options:
accept                 = [host:]port accept connections on specified host:port
CApath                 = CA certificate directory for 'verify' option
CAfile                 = CA certificate file for 'verify' option
cert                   = certificate chain
checkEmail             = peer certificate email address
checkHost              = peer certificate host name pattern
checkIP                = peer certificate IP address
ciphers                = permitted ciphers for TLS 1.2 or older
client                 = yes|no client mode (remote service uses TLS)
config                 = command[:parameter] to execute
connect                = [host:]port to connect
CRLpath                = CRL directory
CRLfile                = CRL file
curves                 = ECDH curve names
debug                  = [facility].level (e.g. daemon.info)
delay                  = yes|no delay DNS lookup for 'connect' option
engineId               = ID of engine to read the key from
engineNum              = number of engine to read the key from
exec                   = file execute local inetd-type program
execArgs               = arguments for 'exec' (including $0)
failover               = rr|prio failover strategy
ident                  = username for IDENT (RFC 1413) checking
include                = directory with configuration file snippets
key                    = certificate private key
local                  = IP address to be used as source for remote connections
logId                  = connection identifier type
OCSP                   = OCSP responder URL
OCSPaia                = yes|no check the AIA responders from certificates
OCSPflag               = OCSP responder flags
OCSPnonce              = yes|no send and verify the OCSP nonce extension
options                = TLS option to set/reset
protocol               = protocol to negotiate before TLS initialization
                         currently supported: cifs, connect, imap,
                             nntp, pgsql, pop3, proxy, smtp, socks
protocolAuthentication = authentication type for protocol negotiations
protocolDomain         = domain for protocol negotiations
protocolHost           = host:port for protocol negotiations
protocolPassword       = password for protocol negotiations
protocolUsername       = username for protocol negotiations
PSKidentity            = identity for PSK authentication
PSKsecrets             = secrets for PSK authentication
pty                    = yes|no allocate pseudo terminal for 'exec' option
redirect               = [host:]port to redirect on authentication failures
renegotiation          = yes|no support renegotiation
requireCert            = yes|no require client certificate
reset                  = yes|no send TCP RST on error
retry                  = yes|no retry connect+exec section
service                = service name
setgid                 = groupname for setgid()
setuid                 = username for setuid()
sessionCacheSize       = session cache size
sessionCacheTimeout    = session cache timeout (in seconds)
sessiond               = [host:]port use sessiond at host:port
sni                    = master_service:host_name for an SNI virtual service
socket                 = a|l|r:option=value[:value]
                         set an option on accept/local/remote socket
sslVersion             = all|SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2 TLS method
stack                  = thread stack size (in bytes)
ticketKeySecret        = secret key for encryption/decryption TLSv1.3 tickets
ticketMacSecret        = key for HMAC operations on TLSv1.3 tickets
TIMEOUTbusy            = seconds to wait for expected data
TIMEOUTclose           = seconds to wait for close_notify
TIMEOUTconnect         = seconds to connect remote host
TIMEOUTidle            = seconds to keep an idle connection
transparent            = none|source|destination|both transparent proxy mode
verify                 = level of peer certificate verification
verifyChain            = yes|no verify certificate chain
verifyPeer             = yes|no verify peer certificate
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org
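Triage helper, added here and not part of the report above or of stunnel itself: it decodes the kernel segfault line quoted in the report (fault address, x86 page-fault error bits, and the instruction pointer's offset inside the libssl mapping) so the crash site can be located in the library with objdump or addr2line. The libssl path used by disassembly_hint is an assumption.

```python
import re

# The kernel segfault line from the report above (the two wrapped lines joined)
SEGFAULT_LINE = (
    "Dec 10 16:54:32 prod001 kernel: stunnel[1572]: segfault at 278 "
    "ip 00007f3fdca229c2 sp 00007f3fd9011a28 error 6 "
    "in libssl.so.1.0.2k[7f3fdc9da000+67000]"
)

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(err):
    """Decode the x86 page-fault error bits the kernel prints after 'error'."""
    return {
        "page_present": bool(err & 1),   # 0: page not mapped, 1: protection violation
        "write": bool(err & 2),          # 0: read access, 1: write access
        "user_mode": bool(err & 4),      # 0: kernel mode, 1: user space
        "instruction_fetch": bool(err & 16),
    }


def parse_segfault(line):
    """Parse one kernel segfault line into a dict of triage facts."""
    m = SEGFAULT_RE.search(line)
    if not m:
        raise ValueError("not a kernel segfault line")
    ip, base, size = (int(m.group(k), 16) for k in ("ip", "base", "size"))
    fault_addr = int(m.group("addr"), 16)
    offset = ip - base  # file-relative offset of the faulting instruction
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "object": m.group("obj"),
        "fault_addr": fault_addr,
        "offset_in_object": offset,
        "ip_inside_mapping": 0 <= offset < size,
        # A tiny fault address usually means NULL pointer plus a struct field offset
        "looks_like_null_deref": fault_addr < 0x10000,
        **decode_error(int(m.group("err"))),
    }


def disassembly_hint(info, libpath="/usr/lib64/libssl.so.1.0.2k"):
    """objdump command for the code around the fault (library path is assumed)."""
    off = info["offset_in_object"]
    return "objdump -d --start-address=0x%x --stop-address=0x%x %s" % (
        max(off - 0x40, 0), off + 0x20, libpath)


if __name__ == "__main__":
    info = parse_segfault(SEGFAULT_LINE)
    for key, val in info.items():
        print("%-22s %s" % (key, hex(val) if type(val) is int else val))
    print(disassembly_hint(info))
```

For this report the line decodes to a user-mode write to an unmapped page at address 0x278, i.e. a NULL-pointer-style dereference, at offset 0x489c2 into libssl.so.1.0.2k; with the matching openssl-debuginfo package installed, addr2line -e on that offset names the function.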

