Bug 1275613

Summary: misleading ssl protocol version in logs
Product: Red Hat Enterprise Linux 7
Reporter: Filip Krska <fkrska>
Component: stunnel
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: Stanislav Zidek <szidek>
Severity: medium
Priority: medium
Version: 7.2
CC: avagarwa, cww, hkario, qe-baseos-security, sdordevi
Target Milestone: rc
Keywords: EasyFix, Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: stunnel-4.56-5.el7
Doc Type: Bug Fix
Story Points: ---
Clone Of: 1275611
Last Closed: 2016-11-04 01:33:46 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1203710, 1296594, 1313485

Description Filip Krska 2015-10-27 10:43:05 UTC
Log records of stunnel-4.56-4.el7.x86_64 are less misleading than those of stunnel-4.29-4.el6, but still not specific enough (a TLSv1/SSLv3 ciphersuite is logged in every case), as, for example, those of stunnel-5.16-1.fc22 are:

# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -tls1_1
# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -ssl3
# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -tls1_2
# grep Negotiated /var/log/secure
Oct 21 08:09:13 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)
Oct 21 08:11:46 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)
Oct 21 08:11:50 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)


+++ This bug was initially created as a clone of Bug #1275611 +++

Description of problem:

stunnel always reports SSLv3 in the log

2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

no matter which ssl/tls protocol version is negotiated

Version-Release number of selected component (if applicable):

stunnel-4.29-4.el6

How reproducible:

Always

Steps to Reproduce:
1. setup stunnel according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Using_stunnel

2. on client issue:

# openssl s_client -ignore_critical -CAfile ca.pem -cert cert.pem -connect <stunnel_server>:<port> -cipher DES-CBC3-SHA -tls1_1
3. on server check logs:

# grep Negotiated /var/log/secure

Actual results:

2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

Expected results:

something like 

Oct 21 13:42:31 fedora stunnel: LOG6[3]: Negotiated TLSv1.1 ciphersuite DES-CBC3-SHA (112-bit encryption)

Additional info:

As a proof of concept I tried the approach from stunnel-5.16-1.fc22:

diff -up stunnel-4.29/src/client.c.version stunnel-4.29/src/client.c
--- stunnel-4.29/src/client.c.version	2015-10-23 16:06:10.158954174 +0200
+++ stunnel-4.29/src/client.c	2015-10-23 16:07:39.115898872 +0200
@@ -724,6 +724,7 @@ static void print_cipher(CLI *c) { /* pr
     SSL_CIPHER *cipher;
     char buf[STRLEN], *i, *j;
 
+    s_log(LOG_INFO, "Negotiated version: %s", SSL_get_version(c->ssl));
     cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl);
     SSL_CIPHER_description(cipher, buf, STRLEN);
     i=j=buf;
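Review bot: the added s_log() call logs the session version from SSL_get_version() correctly, but the existing "Negotiated ciphers" message that print_cipher() builds from SSL_CIPHER_description() (the call right below the new line) still prints the "SSLv3" token, which names the protocol the cipher suite was defined for rather than the version that was negotiated, so two consecutive log lines will disagree (the output further down shows "Negotiated version: TLSv1.1" immediately followed by "Negotiated ciphers: DES-CBC3-SHA SSLv3 ..."). Consider folding the version into that one message instead, for instance `s_log(LOG_INFO, "Negotiated %s ciphersuite: %s", SSL_get_version(c->ssl), SSL_CIPHER_get_name(cipher));`, which matches the stunnel 5.16 log format quoted under "Expected results" and leaves no misleading protocol token in the log.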

and apparently the value of SSL_get_version(c->ssl) matches the expected information:

# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -tls1_1
# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -ssl3
# grep Negotiated /var/log/secure
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: TLSv1.1
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: SSLv3
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
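
The practical consequence of this report for anyone auditing stunnel logs is that only some log formats carry the real negotiated protocol version. The following added example (not part of this bug report or of stunnel) classifies the three formats quoted above: it trusts the "Negotiated version:" and "Negotiated <proto> ciphersuite" lines, treats the fixed "TLSv1/SSLv3" string and the SSL_CIPHER_description() "SSLv3" token as unusable, and flags weak sessions; the sample log lines are constructed from the formats shown here, and the weak-version policy is an assumption.

```python
import re

# Constructed sample lines, modelled on the three stunnel log formats quoted
# in this report (4.29 on el6, 4.56 on el7, 5.16 on fc22); not real captures.
SAMPLE_LOG = """\
Oct 21 08:09:13 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)
2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: TLSv1.1
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: SSLv3
Oct 21 13:42:31 fedora stunnel: LOG6[3]: Negotiated TLSv1.1 ciphersuite DES-CBC3-SHA (112-bit encryption)
"""

PROTO = r"(SSLv3|TLSv1(?:\.[0-9])?)"
# Formats whose protocol token comes from SSL_get_version(), i.e. the session version.
VERSION_LINE = re.compile(r"Negotiated version: " + PROTO + r"\b")
VERSIONED_SUITE = re.compile(r"Negotiated " + PROTO + r" ciphersuite\b")
# Formats whose protocol token is NOT the session version: the fixed
# "TLSv1/SSLv3" string of 4.56, and the SSL_CIPHER_description() output of 4.29,
# which names the protocol the cipher suite was defined for.
AMBIGUOUS = (re.compile(r"Negotiated TLSv1/SSLv3 ciphersuite"),
             re.compile(r"Negotiated ciphers: \S+ " + PROTO + r" "))

# Policy threshold (assumption): SSLv3 and TLS 1.0 sessions are flagged as weak.
WEAK_VERSIONS = {"SSLv3", "TLSv1"}

def negotiated_version(line):
    """Return the session protocol version this line actually proves, else None."""
    m = VERSION_LINE.search(line) or VERSIONED_SUITE.search(line)
    return m.group(1) if m else None

def is_ambiguous(line):
    """True if the line names a protocol but cannot tell us the session version."""
    return any(p.search(line) for p in AMBIGUOUS)

def audit(log_text):
    """Summarise a log: provable versions, weak sessions, and unusable lines."""
    summary = {"versions": [], "weak": [], "ambiguous": 0}
    for line in log_text.splitlines():
        version = negotiated_version(line)
        if version is not None:
            summary["versions"].append(version)
            if version in WEAK_VERSIONS:
                summary["weak"].append(line)
        elif is_ambiguous(line):
            summary["ambiguous"] += 1
    return summary

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

On the sample above, only the SSLv3 session logged by the patched 4.29 build is flagged, while the two lines whose protocol token is fixed or cipher-derived are counted as ambiguous rather than trusted.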

Comment 5 errata-xmlrpc 2016-11-04 01:33:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2243.html