- Bug
- Resolution: Done-Errata
- Normal
- rhel-8.9.0
- stunnel-5.71-2.el8_10
- Yes
- Moderate
- 1
- rhel-sst-security-crypto
- ssg_security
- 24
- 26
- 1
- False
- No
- Red Hat Enterprise Linux
- Crypto24Q3
- Pass
- Not Needed
- Automated
- Release Note Not Required
- None
What were you trying to do that didn't work?
stunnel-5.71-2.el8.x86_64 fails to start when trusted CA certificates are supplied in extended BEGIN/END TRUSTED CERTIFICATE file format, while the same configuration used to work on stunnel-5.56-5.el8_3.x86_64
Please provide the package NVR for which bug is seen:
stunnel-5.71-2.el8.x86_64
Steps to reproduce
1) stunnel configuration contains CAfile set to a trusted certificate bundle in the extended BEGIN/END TRUSTED CERTIFICATE file format, i.e. to /etc/pki/tls/certs/ca-bundle.trust.crt
/etc/stunnel.conf:
[pop3]
protocol = pop3
client = yes
accept = 127.0.0.1:20110
connect = 127.0.0.1:110
checkHost = 127.0.0.1
requireCert=yes
verifyChain=yes
CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt
2) stunnel.service fails to start with the following error message:
stunnel[xxx]: [!] No trusted certificates found
stunnel[xxx]: [!] Service [XXX]: Failed to initialize TLS context
stunnel[xxx]: [!] Configuration failed
Expected results
stunnel has this breaking change (stop of support for certificates/bundles BEGIN/END TRUSTED CERTIFICATE format) covered in its documentation / changelog
Actual results
stunnel fails to start and the change is not covered in the documentation / changelog
- links to: RHBA-2024:137101 stunnel bug fix update
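An added example, not part of the original report or of stunnel itself: a Python check that finds every CAfile option in a stunnel configuration and classifies the referenced bundle by PEM block type, so bundles made only of BEGIN/END TRUSTED CERTIFICATE blocks (the case reported above as failing on stunnel-5.71-2.el8) can be found before an upgrade. The [imap] service, the /tmp path and the certificate bodies are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

def pem_labels(text):
    """Count PEM block types, e.g. 'CERTIFICATE' vs 'TRUSTED CERTIFICATE'."""
    return Counter(PEM_BEGIN.findall(text))

def cafile_entries(conf_text):
    """Yield (section, path) for every CAfile option in stunnel.conf text."""
    section = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "cafile":
                yield section, value

def classify(labels):
    plain, trusted = labels["CERTIFICATE"], labels["TRUSTED CERTIFICATE"]
    if trusted and not plain:
        return "trusted-only"    # the bundle format described in this report
    if trusted:
        return "mixed"
    return "plain" if plain else "no-certificates"

def audit(conf_text, read_file):
    """Return (section, path, classification) for each configured CAfile."""
    return [(s, p, classify(pem_labels(read_file(p))))
            for s, p in cafile_entries(conf_text)]

# Constructed sample data: placeholder bodies, not real certificates.
SAMPLE_CONF = """\
[pop3]
protocol = pop3
client = yes
CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt
[imap]
client = yes
CAfile = /tmp/example-plain.pem
"""
SAMPLE_FILES = {
    "/etc/pki/tls/certs/ca-bundle.trust.crt":
        "# Example CA\n-----BEGIN TRUSTED CERTIFICATE-----\nAAAA\n-----END TRUSTED CERTIFICATE-----\n",
    "/tmp/example-plain.pem":
        "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
}
```

On a real host, call `audit(open("/etc/stunnel.conf").read(), lambda p: open(p).read())` and review every entry reported as `trusted-only`.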