Bug 1275613 - misleading ssl protocol version in logs
Summary: misleading ssl protocol version in logs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: stunnel
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Tomas Mraz
QA Contact: Stanislav Zidek
URL:
Whiteboard:
Depends On:
Blocks: 1203710 1296594 1313485
Reported: 2015-10-27 10:43 UTC by Filip Krska
Modified: 2019-11-14 07:05 UTC (History)

Fixed In Version: stunnel-4.56-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1275611
Environment:
Last Closed: 2016-11-04 01:33:46 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2243 0 normal SHIPPED_LIVE stunnel bug fix update 2016-11-03 13:29:30 UTC

Description Filip Krska 2015-10-27 10:43:05 UTC
Log records of stunnel-4.56-4.el7.x86_64 are less misleading than those of stunnel-4.29-4.el6, but still not specific enough ("TLSv1/SSLv3 ciphersuite" is logged in every case), as, e.g., those of stunnel-5.16-1.fc22 are:

# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -tls1_1
# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -ssl3
# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -tls1_2
# grep Negotiated /var/log/secure
Oct 21 08:09:13 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)
Oct 21 08:11:46 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)
Oct 21 08:11:50 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)


+++ This bug was initially created as a clone of Bug #1275611 +++

Description of problem:

stunnel always reports SSLv3 in the log

2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

no matter which ssl/tls protocol version is negotiated

Version-Release number of selected component (if applicable):

stunnel-4.29-4.el6

How reproducible:

Always

Steps to Reproduce:
1. setup stunnel according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Security_Guide/index.html#sec-Using_stunnel

2. on client issue:

# openssl s_client -ignore_critical -CAfile ca.pem -cert cert.pem -connect <stunnel_server>:<port> -cipher DES-CBC3-SHA -tls1_1
3. on server check logs:

# grep Negotiated /var/log/secure

Actual results:

2015.09.18 16:05:01 LOG6[18447:3077883696]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

Expected results:

something like:

Oct 21 13:42:31 fedora stunnel: LOG6[3]: Negotiated TLSv1.1 ciphersuite DES-CBC3-SHA (112-bit encryption)

Additional info:

As a proof of concept I tried the approach from stunnel-5.16-1.fc22:

diff -up stunnel-4.29/src/client.c.version stunnel-4.29/src/client.c
--- stunnel-4.29/src/client.c.version	2015-10-23 16:06:10.158954174 +0200
+++ stunnel-4.29/src/client.c	2015-10-23 16:07:39.115898872 +0200
@@ -724,6 +724,7 @@ static void print_cipher(CLI *c) { /* pr
     SSL_CIPHER *cipher;
     char buf[STRLEN], *i, *j;
 
+    s_log(LOG_INFO, "Negotiated version: %s", SSL_get_version(c->ssl));
     cipher=(SSL_CIPHER *)SSL_get_current_cipher(c->ssl);
     SSL_CIPHER_description(cipher, buf, STRLEN);
     i=j=buf;
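Review bot: Emitting SSL_get_version() as a separate "Negotiated version:" message leaves the existing "Negotiated ciphers" line untouched, so the "SSLv3" that SSL_CIPHER_description() prints (the suite's own protocol tag, not the negotiated protocol) is still logged one line later and an operator grepping for "Negotiated" still sees the misleading value, as the reproduction output below shows. Folding the version into the one message, e.g. `s_log(LOG_INFO, "Negotiated %s ciphersuite: %s", SSL_get_version(c->ssl), ...)` once the cipher name has been extracted from `buf`, would match the "Negotiated TLSv1.1 ciphersuite ..." form given under expected results and avoid two lines that disagree with each other.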

and apparently the value of SSL_get_version(c->ssl) matches expected information:

# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -tls1_1
# openssl s_client -ignore_critical -CAfile ca-bundle.crt -cert stunnel.pem -connect localhost:16086 -cipher DES-CBC3-SHA -ssl3
# grep Negotiated /var/log/secure
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: TLSv1.1
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: SSLv3
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
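As an added illustration (not part of this bug report or of stunnel), a small Python parser that reads the three log formats quoted above, pairs the patched "Negotiated version:" line with the following "Negotiated ciphers:" line by LOG6 thread id, and treats the stock 4.29 and 4.56 lines as carrying no trustworthy protocol version; the sample lines are constructed from the ones in this report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: stock 4.56 (RHEL 7), patched 4.29 (RHEL 6), and 5.16 (Fedora) formats.
SAMPLE_LOG = """\
Oct 21 08:09:13 rhel7 stunnel: LOG6[28382:140512571107072]: Negotiated TLSv1/SSLv3 ciphersuite: DES-CBC3-SHA (128-bit encryption)
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: TLSv1.1
Oct 23 16:28:58 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated version: SSLv3
Oct 23 16:31:12 rhel62 stunnel: LOG6[4435:140600780912384]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
Oct 21 13:42:31 fedora stunnel: LOG6[3]: Negotiated TLSv1.1 ciphersuite DES-CBC3-SHA (112-bit encryption)
"""

LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ stunnel: LOG\d\[(?P<tid>[^\]]+)\]: (?P<msg>.*)$")
# Patched 4.29: a separate line carrying SSL_get_version(), the real negotiated version.
VERSION_RE = re.compile(r"Negotiated version: (?P<ver>\S+)$")
# Stock 4.29: SSL_CIPHER_description() output; its second field ("SSLv3") is the suite's own
# protocol tag, not the negotiated version, so it is deliberately ignored here.
CIPHERS_RE = re.compile(r"Negotiated ciphers: (?P<cipher>\S+) \S+ Kx=")
# Stock 4.56: "TLSv1/SSLv3" is a fixed string, so the line carries no version at all.
AMBIG_RE = re.compile(r"Negotiated TLSv1/SSLv3 ciphersuite: (?P<cipher>\S+)")
# 5.x: the negotiated version is part of the message itself.
NEW_RE = re.compile(r"Negotiated (?P<ver>SSLv3|TLSv1(?:\.\d)?) ciphersuite:? (?P<cipher>\S+)")


def parse_stunnel_log(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per session: thread id, cipher, and the negotiated version if the log states it."""
    pending: Dict[str, str] = {}  # tid -> version announced on the preceding line
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg")
        if (v := VERSION_RE.match(msg)):
            pending[tid] = v.group("ver")  # consumed by this thread's next ciphers line
        elif (c := CIPHERS_RE.match(msg)):
            records.append({"tid": tid, "cipher": c.group("cipher"), "version": pending.pop(tid, None)})
        elif (a := AMBIG_RE.match(msg)):
            records.append({"tid": tid, "cipher": a.group("cipher"), "version": None})
        elif (n := NEW_RE.match(msg)):
            records.append({"tid": tid, "cipher": n.group("cipher"), "version": n.group("ver")})
    return records


def classify(record: Dict[str, Optional[str]]) -> str:
    """'unknown' if the log cannot tell the version, 'deprecated' for SSLv3/TLS 1.0, else 'ok'."""
    ver = record["version"]
    if ver is None:
        return "unknown"
    return "deprecated" if ver in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.0") else "ok"
```

A session classified "unknown" cannot be cleared from this log alone, which is exactly the operational problem the report describes.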

Comment 5 errata-xmlrpc 2016-11-04 01:33:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2243.html

