stunnel update breaks programs using stunnel (openSUSE 11.4)

Hi all.

I received stunnel 4.40-0.6.1 as an update from “zypper up” (openSUSE 11.4).
After a reboot, stunnel does not work anymore for the programs that need it.
Symptom: the program (emacs+mew) hangs forever, telling me
“Creating an SSL/TLS connection…”
/var/log/messages does not contain a clue and restarting stunnel via
“rcstunnel restart” looks fine:
Jul 30 16:59:53 stunnel: LOG5[10765:47657191417152]: Received signal 15; terminating
Jul 30 16:59:56 stunnel: LOG5[13927:46939205494080]: stunnel 4.40 on x86_64-unknown-linux-gnu platform
Jul 30 16:59:56 stunnel: LOG5[13927:46939205494080]: Compiled/running with OpenSSL 1.0.0c 2 Dec 2010
Jul 30 16:59:56 stunnel: LOG5[13927:46939205494080]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
Jul 30 16:59:56 stunnel: LOG5[13927:46939205494080]: Reading configuration from file /etc/stunnel/stunnel.conf
Jul 30 16:59:56 stunnel: LOG5[13927:46939205494080]: Configuration successful

Small detail:
The configuration file specifies pid = /var/run/stunnel.pid
but there is no such file although stunnel is running.

Does the new stunnel version require changes to the configuration?
Is stunnel in this new version working for others?

Sven

I see the following changes in the changes file, if that helps:

Mon Jul 25 06:42:40 UTC 2011 - xxxxx@suse.com
 
- update package to 4.40
* New features:
  - Hardcoded 2048-bit DH parameters are used as a fallback if DH
    parameters are not provided in stunnel.pem.
  - Default "ciphers" value updated to prefer ECDH:
    "ALL:!SSLv2:!aNULL:!EXP:!LOW:-MEDIUM:RC4:+HIGH".
  - Default ECDH curve updated to "prime256v1".
  - Removed support for temporary RSA keys (used in obsolete
    export ciphers).
- refresh stunnel-listenqueue-option.patch

Thanks for the information. But I could not find what could cause my problem.

Another oddity: why does
> zypper search stunnel
not list the patch?
To confirm I issued:
> rpm -q stunnel
stunnel-4.40-0.6.1.x86_64

I added the debug line in /etc/stunnel/stunnel.conf
Then I get the following in /var/log/messages:
Aug 1 13:41:03 stunnel: LOG7[9686:47094789645632]: Created pid file /var/run/stunnel.pid
But there is no such file! (Probably due to chroot; but then the log message is wrong.)

Here is the full sequence of log messages which end up in /var/log/messages:
Aug 1 13:44:43 . stunnel: LOG5[10095:47410086708544]: stunnel 4.40 on x86_64-unknown-linux-gnu platform
Aug 1 13:44:43 . stunnel: LOG5[10095:47410086708544]: Compiled/running with OpenSSL 1.0.0c 2 Dec 2010
Aug 1 13:44:43 . stunnel: LOG5[10095:47410086708544]: Threading:PTHREAD SSL:ENGINE Auth:LIBWRAP Sockets:POLL,IPv6
Aug 1 13:44:43 . stunnel: LOG5[10095:47410086708544]: Reading configuration from file /etc/stunnel/stunnel.conf
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Snagged 64 random bytes from /root/.rnd
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Wrote 1024 new random bytes to /root/.rnd
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: PRNG seeded successfully
Aug 1 13:44:43 . stunnel: LOG6[10095:47410086708544]: Initializing SSL context for service ssmtp
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Certificate: /etc/stunnel/stunnel.pem
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Certificate loaded
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Key file: /etc/stunnel/stunnel.pem
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Private key loaded
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Could not load DH parameters from /etc/stunnel/stunnel.pem
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Using hardcoded DH parameters
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: DH initialized with 2048-bit key
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: ECDH initialized with curve prime256v1
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: SSL options set: 0x00080004
Aug 1 13:44:43 . stunnel: LOG6[10095:47410086708544]: SSL context initialized
Aug 1 13:44:43 . stunnel: LOG5[10095:47410086708544]: Configuration successful
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=5 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=6 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=6 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=7 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=7 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=8 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=8 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=9 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=9 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: libwrap_init: FD=10 allocated (blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: accept socket: FD=11 allocated (non-blocking mode)
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Option SO_REUSEADDR set on accept socket
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Service ssmtp bound to 0.0.0.0:465
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Service ssmtp opened FD=11
Aug 1 13:44:43 . stunnel: LOG3[10095:47410086708544]: /tmp/stunnel.log: No such file or directory (2)
Aug 1 13:44:43 . stunnel: LOG3[10095:47410086708544]: Unable to open output file: /tmp/stunnel.log
Aug 1 13:44:43 . stunnel: LOG7[10101:47410086708544]: Created pid file /var/run/stunnel.pid
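As an added example (not from this thread or from the stunnel project), here is a small Python checker for the kind of log dump above. It parses the syslog-style lines stunnel writes to /var/log/messages, reports the LOG3/LOG4 (error/warning) entries such as the unreachable /tmp/stunnel.log, records which address each service bound to, notes whether the hardcoded DH fallback from the 4.40 changelog was used, and turns the logged "Created pid file" path into the host-side path when stunnel runs chrooted, which explains a pid file that is "missing" at the configured location. The sample lines are copied from the post; the chroot directory /var/lib/stunnel is an assumed value, not something stated in the thread.

```python
import re
from collections import namedtuple

# Syslog-style line as quoted in the post; the host field ('.' above) is optional,
# e.g. "Aug 1 13:44:43 . stunnel: LOG3[10095:47410086708544]: Unable to open output file: /tmp/stunnel.log"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\s+(?:\S+\s+)?stunnel: "
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<msg>.*)$"
)

# stunnel's LOGn levels follow syslog priorities: 3=error, 4=warning, 5=notice, 6=info, 7=debug
ERROR_OR_WARNING = 4

Entry = namedtuple("Entry", "ts level pid tid msg")


def parse_line(line):
    """Return an Entry for one stunnel syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], int(m["level"]), int(m["pid"]), int(m["tid"]), m["msg"])


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def find_problems(entries):
    """LOG3/LOG4 entries: the lines worth reading first when a service misbehaves."""
    return [e.msg for e in entries if e.level <= ERROR_OR_WARNING]


def bound_services(entries):
    """Map service name -> listening address from 'Service X bound to ADDR' lines.
    A 0.0.0.0 address means IPv4 only; ':::' would mean an IPv6 wildcard."""
    found = {}
    for e in entries:
        m = re.match(r"Service (\S+) bound to (\S+)$", e.msg)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def dh_fallback_used(entries):
    """True when stunnel 4.40 fell back to its built-in 2048-bit DH parameters."""
    return any(e.msg == "Using hardcoded DH parameters" for e in entries)


def pid_file_location(entries, chroot=None):
    """Host-side path of the pid file. stunnel logs the path as seen inside its
    chroot, so with a chroot the file really lives at <chroot>/<logged path>."""
    for e in entries:
        m = re.match(r"Created pid file (\S+)$", e.msg)
        if m:
            inner = m.group(1)
            return chroot.rstrip("/") + inner if chroot else inner
    return None


def summarize(text, chroot=None):
    entries = parse_log(text)
    return {
        "problems": find_problems(entries),
        "services": bound_services(entries),
        "dh_fallback": dh_fallback_used(entries),
        "pid_file": pid_file_location(entries, chroot),
    }


# Sample input: a subset of the lines quoted in the post (constructed for this example).
SAMPLE_LOG = """\
Aug 1 13:44:43 . stunnel: LOG5[10095:47410086708544]: stunnel 4.40 on x86_64-unknown-linux-gnu platform
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Could not load DH parameters from /etc/stunnel/stunnel.pem
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Using hardcoded DH parameters
Aug 1 13:44:43 . stunnel: LOG7[10095:47410086708544]: Service ssmtp bound to 0.0.0.0:465
Aug 1 13:44:43 . stunnel: LOG3[10095:47410086708544]: /tmp/stunnel.log: No such file or directory (2)
Aug 1 13:44:43 . stunnel: LOG3[10095:47410086708544]: Unable to open output file: /tmp/stunnel.log
Aug 1 13:44:43 . stunnel: LOG7[10101:47410086708544]: Created pid file /var/run/stunnel.pid
"""

# Assumed chroot directory for the example; check 'chroot =' in stunnel.conf for the real one.
ASSUMED_CHROOT = "/var/lib/stunnel"

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, chroot=ASSUMED_CHROOT).items():
        print(f"{key}: {value}")
```

Run it against a copy of the relevant /var/log/messages lines; if `pid_file` points under the chroot and the `problems` list is empty, the daemon side is healthy and the hang is more likely a client/cipher negotiation issue than a configuration error.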

/tmp/stunnel.log is not a normal place to send the log output. You must have edited stunnel.conf in the past to do so. Why not comment that out and let it default to sending the log to syslog?

You are right. I commented that “output” line out now but my stunnel problem remains after a “rcstunnel restart” command.

Just to isolate the problem:
I downgraded to 4.38 and everything worked fine again.
So it’s definitely a regression in 4.40, at least from a naive user’s perspective.

Check that you are not actually using IPv6 for localhost connections or even LAN connections, unless your programs are ready for them. Also if you do use IPv6, you may need to edit hosts.{allow,deny} to accommodate the new IPv6 syntax. I had to get up to speed quickly with IPv6 address syntax when trying to use ssh from my Android and it bumped into libwrap.

I see no IPv6 addresses in my “hosts” files or similar.

The problem is solved now.
It turned out that the mail application (mew under Emacs) was incompatible with stunnel 4.39 and above.
Fortunately, this problem has been fixed in mew 6.4rc1 so that I can use the latest stunnel rpm again.