stunnel before version 5.57 does not correctly verify the client certificate when the options `redirect` and `verifyChain` are used together. `redirect` sends TLS client connections to another address when certificate-based authentication fails, and `verifyChain` verifies the client certificate chain up to the root CA (specified in CAfile or CApath). When these options are combined, the stunnel server does not correctly validate the client certificate, allowing a client whose certificate is not signed by the expected CA to access the service without being redirected to the configured `redirect` address. Upstream 5.57 release patch: https://github.com/mtrojnar/stunnel/commit/ebad9ddc4efb2635f37174c9d800d06206f1edf9
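An added configuration audit (not from this report or the stunnel project) that flags services combining `redirect` with `verifyChain = yes` and reports whether a given stunnel version predates the 5.57 fix. The sample configuration is constructed, and treating service-level options placed in the global section as defaults for every service is an assumption about stunnel's config semantics.

```python
"""Audit an stunnel config for the verifyChain + redirect combination (CVE-2021-20230).
Added example with a constructed config; assumes global-section options act as service defaults."""
import re
from collections import defaultdict
FIXED_VERSION = (5, 57)  # upstream fix shipped in stunnel 5.57

def parse_stunnel_conf(text):
    """Parse 'key = value' lines into {service: {option: [values]}}; globals under ''."""
    services = defaultdict(lambda: defaultdict(list))
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep:  # stunnel options may repeat, so keep every value
            services[section][key.strip()].append(value.strip())
    return {name: dict(opts) for name, opts in services.items()}

def effective(services, name, option):
    """Last value of an option for a service, falling back to the global default (assumption)."""
    values = services.get(name, {}).get(option) or services.get("", {}).get(option)
    return values[-1] if values else None

def risky_services(services):
    """Services that set a redirect target while also requiring chain verification."""
    def risky(name):
        chain = (effective(services, name, "verifyChain") or "").lower() == "yes"
        return bool(effective(services, name, "redirect")) and chain
    return sorted(name for name in services if name and risky(name))

def is_affected(version, risky):
    """True when a 'major.minor' stunnel version predates 5.57 and a risky service exists."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return bool(risky) and (major, minor) < FIXED_VERSION

SAMPLE_CONF = """\
; constructed sample, not a real deployment
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
[mtls]
accept = 443
redirect = 127.0.0.1:8081
[plain]
accept = 8443
"""
```

Running `risky_services(parse_stunnel_conf(SAMPLE_CONF))` reports only `mtls`, which inherits the global `verifyChain = yes` and adds its own `redirect`.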
The "redirect" option was added in stunnel upstream version 5.00, according to https://www.stunnel.org/NEWS.html.
Statement: This issue did not affect the versions of stunnel as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for the "redirect" option.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support via RHSA-2021:0620 https://access.redhat.com/errata/RHSA-2021:0620
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 via RHSA-2021:0618 https://access.redhat.com/errata/RHSA-2021:0618
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support via RHSA-2021:0619 https://access.redhat.com/errata/RHSA-2021:0619
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20230