Bug 1275611 - misleading ssl protocol version in logs [NEEDINFO]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: stunnel (Show other bugs)
Version: 6.7
Hardware: Unspecified OS: Unspecified
Priority: medium Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Tomas Mraz
QA Contact: Stefan Kremen
Keywords: EasyFix, Patch
Reported: 2015-10-27 06:35 EDT by Filip Krska
Modified: 2016-05-10 20:40 EDT (History)

Fixed In Version: stunnel-4.29-5.el6
Doc Type: Bug Fix
Clones: 1275613
Last Closed: 2016-05-10 20:40:58 EDT
Type: Bug
fkrska: needinfo? (avagarwa)


Description Filip Krska 2015-10-27 06:35:55 EDT
Description of problem:

stunnel always reports SSLv3 in the log

2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

no matter which ssl/tls protocol version is negotiated

Version-Release number of selected component (if applicable):

stunnel-4.29-4.el6

How reproducible:

Always

Steps to Reproduce:
1. setup stunnel according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Using_stunnel

2. on client issue:

# openssl s_client -ignore_critical -CAfile ca.pem -cert cert.pem -connect <stunnel_server>:<port> -cipher DES-CBC3-SHA -tls1_1
3. on server check logs:

# grep Negotiated /var/log/secure

Actual results:

2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

Expected results:

something like:

Oct 21 13:42:31 fedora stunnel: LOG6[3]: Negotiated TLSv1.1 ciphersuite DES-CBC3-SHA (112-bit encryption)

Additional info:

As a proof of concept I tried the approach from stunnel-5.16-1.fc22:

diff -up stunnel-4.29/src/client.c.version stunnel-4.29/src/client.c
--- stunnel-4.29/src/client.c.version	2015-10-23 16:06:10.158954174 +0200
+++ stunnel-4.29/src/client.c	2015-10-23 16:07:39.115898872 +0200
@@ -724,6 +724,7 @@ static void print_cipher(CLI *c) { /* pr
     SSL_CIPHER *cipher;
     char buf[STRLEN], *i, *j;
 
+    s_log(LOG_INFO, "Negotiated version: %s", SSL_get_version(c->ssl));
     cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl);
     SSL_CIPHER_description(cipher, buf, STRLEN);
     i=j=buf;
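Review bot: the new s_log() call emits the protocol version as its own LOG6 entry one line ahead of the "Negotiated ciphers" entry, so anyone reading or parsing the log has to correlate the two by the [pid:tid] identifier and ordering, and the misleading "SSLv3" token still stands unexplained in the cipher line itself. Since SSL_get_version(c->ssl) is already in hand at this point, consider folding it into the existing message instead (for example logging "Negotiated %s ciphers: %s" with the version string and the trimmed description), which gives one self-describing line per connection in the spirit of the upstream "Negotiated TLSv1.1 ciphersuite ..." format quoted in the report.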

and apparently the value of SSL_get_version(c->ssl) matches expected information:

# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -tls1_1
# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -ssl3
# grep Negotiated /var/log/secure
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: TLSv1.1
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: SSLv3
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Comment 1 Tomas Mraz 2015-11-12 10:02:33 EST
Yes, the negotiated cipher contains the lowest protocol version that this cipher can be used with. The patch would be needed to display the actual protocol version used.
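The situation described in the report's "Additional info" and in comment 1 (the protocol token in the "Negotiated ciphers" line is the cipher's minimum version from SSL_CIPHER_description(), while the version actually negotiated only appears in the separate "Negotiated version" line that the proof-of-concept patch adds) is easy to misread when auditing stunnel logs. The following is an added example, not code from the bug report or from stunnel: a Python parser that reads stunnel log lines in both formats quoted above, splits the cipher description into its fields, pairs each cipher line with the preceding "Negotiated version" line carrying the same LOG6[pid:tid] identifier, and reports which sessions really used SSLv3 and which cannot be classified because no version line exists (the unpatched stunnel-4.29-4 format). The embedded sample lines are the ones quoted in the report, used here as constructed input; the class and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the log lines quoted in the bug report. The first
# four come from the patched build (version line followed by ciphers line, same
# LOG6[pid:tid] identifier); the last one is the unpatched 4.29-4 format, which
# carries no "Negotiated version" line at all.
SAMPLE_LOG = """\
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: TLSv1.1
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: SSLv3
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

# Matches both the syslog-prefixed and the bare stunnel line formats seen in the report.
LINE_RE = re.compile(
    r"^(?P<prefix>.*?)LOG\d\[(?P<ident>[^\]]+)\]: "
    r"Negotiated (?P<kind>version|ciphers): (?P<rest>.*)$"
)

# Field layout of an OpenSSL SSL_CIPHER_description() string:
#   <name> <min-protocol> Kx=<kex> Au=<auth> Enc=<cipher>(<bits>) Mac=<mac>
# The second token is the lowest protocol the cipher can be used with, which is
# exactly the value the report shows being mistaken for the negotiated version.
CIPHER_RE = re.compile(
    r"^(?P<name>\S+) +(?P<minver>\S+) +Kx=(?P<kx>\S+) +Au=(?P<au>\S+) +"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))? +Mac=(?P<mac>\S+)"
)


@dataclass
class Session:
    ident: str                      # LOG6[pid:tid] identifier
    cipher: str                     # e.g. DES-CBC3-SHA
    cipher_min_version: str         # the misleading "SSLv3" token
    actual_version: Optional[str]   # from "Negotiated version", None if absent
    enc_bits: int


def parse_sessions(log_text: str) -> List[Session]:
    """Pair each 'Negotiated ciphers' line with the preceding 'Negotiated version'
    line carrying the same identifier. A version line is consumed once, so a
    later cipher line without its own version line is left unclassified."""
    sessions: List[Session] = []
    pending: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["kind"] == "version":
            pending[m["ident"]] = m["rest"].strip()
            continue
        cm = CIPHER_RE.match(m["rest"].strip())
        if not cm:
            continue
        sessions.append(Session(
            ident=m["ident"],
            cipher=cm["name"],
            cipher_min_version=cm["minver"],
            actual_version=pending.pop(m["ident"], None),
            enc_bits=int(cm["bits"]) if cm["bits"] else 0,
        ))
    return sessions


def sslv3_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions that really negotiated SSLv3, judged by the version line only."""
    return [s for s in sessions if s.actual_version == "SSLv3"]


def unclassified_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions where only the cipher line exists: the SSLv3 token there says
    nothing about the negotiated protocol, so they cannot be judged."""
    return [s for s in sessions if s.actual_version is None]


def misleading_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions whose cipher line would be misread if taken at face value."""
    return [s for s in sessions
            if s.actual_version is not None and s.actual_version != s.cipher_min_version]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in found:
        print(f"{s.ident}: {s.cipher} actual={s.actual_version or 'unknown'} "
              f"cipher-min={s.cipher_min_version} bits={s.enc_bits}")
    print("really SSLv3:", len(sslv3_sessions(found)))
    print("unclassifiable:", len(unclassified_sessions(found)))
```

Run against the sample, the first session is reported as TLSv1.1 even though its cipher line says SSLv3, the second is a genuine SSLv3 session, and the third (unpatched format) is left unclassified rather than being counted as SSLv3, which is the point: a log-based check for weak protocol versions must key on the negotiated version, never on the protocol token of the cipher description.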
Comment 7 errata-xmlrpc 2016-05-10 20:40:58 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0922.html
