Bug 11000

Summary: stunnel service will not start without "fips = no" in conf file
Product: Mageia Reporter: Bit Twister <bittwister2>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: bittwister2, cooker, dan, davidwhodgins, eeeemail, guillomovitch, mageia, sysadmin-bugs, tmb
Version: 4Keywords: Triaged, validated_update
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: advisory MGA4-64-OK
Source RPM: stunnel-4.56-2.mga4.src.rpm CVE:
Status comment:

Description Bit Twister 2013-08-14 15:41:56 CEST 
Description of problem:

stunnel service will not start without "fips = no" in /etc/stunnel/stunnel.conf file

Version-Release number of selected component (if applicable):


How reproducible: Always


Steps to Reproduce:
Clean install of Mageia-4-alpha1-LiveDVD-KDE4-x86_64-DVD.iso. Default runlevel: 3
Package Group Selection screen has all package groups selected except
Other Graphical Desktops. non-free and tainted media are enabled.
Followed with:
remove-unused-packages
urpmi --downloader wget --auto --auto-update
urpme --auto-orphans and reboot. 
 
1. make these changes to /etc/stunnel/stunnel.conf

fips = no       <==== add this line above

; Example SSL server mode services

[pop3s]
accept  = 999   <==== change
connect = 119   <==== change

;[imaps]        <==== change
;accept  = 993   <==== change
;connect = 143   <==== change

;[ssmtp]        <==== change
;accept  = 465   <==== change
;connect = 25   <==== change

2. systemctl restart stunnel.service
   should work
3. remove fips = no
4. systemctl restart stunnel.service
   should fail

Workaround: add fips = no


Reproducible: 

Steps to Reproduce:
David Walser 2013-08-15 04:10:52 CEST

CC: (none) => guillomovitch, mageia

Manuel Hiebel 2013-08-17 16:49:29 CEST

Keywords: (none) => Triaged
CC: (none) => dan

Bit Twister 2014-01-18 16:34:17 CET

CC: (none) => junknospam

Johnny A. Solbu 2014-01-18 18:11:09 CET

CC: (none) => cooker

Comment 1 Dave Hodgins 2014-02-01 07:08:51 CET 
Thanks Bit Twister.

Bug confirmed with an upgrade from m3 to m4 final.
The workaround, of adding "fips = no" fixes the problem.

CC: (none) => davidwhodgins

Dave Hodgins 2014-02-01 07:09:07 CET

Version: Cauldron => 4

Comment 2 Manuel Hiebel 2014-04-23 16:45:13 CEST 
*** Bug 13124 has been marked as a duplicate of this bug. ***

CC: (none) => eeeemail

Comment 3 Guillaume Rousse 2014-04-29 20:59:36 CEST 
I just submitted stunnel-4.56-3.3.mga4 in updates_testing, with FIPS mode support disabled at build time.
Comment 4 Bit Twister 2015-07-01 10:17:31 CEST 
Verified workaround is not required in release 5.
Samuel Verschelde 2015-07-01 12:34:32 CEST

Summary: 4_a1: stunnel service will not start without "fips = no" in conf file => stunnel service will not start without "fips = no" in conf file

Comment 5 Samuel Verschelde 2015-07-01 12:35:23 CEST 
(In reply to Guillaume Rousse from comment #3)
> I just submitted stunnel-4.56-3.3.mga4 in updates_testing, with FIPS mode
> support disabled at build time.

Was that meant to be assigned to QA as an update? It looks like it never was.
Comment 6 Guillaume Rousse 2015-07-09 19:42:17 CEST 
Indeed, it was an error of mine.

Suggested advisory:
The stunnel package (stunnel-4.56-2) shipped in Mageia 4 was build to use FIPS compliance mode by defaut, requesting a specific feature unavailable in the openssl package. As a consequence, this execution mode had to be explicitely disabled in configuration for stunnel to work.

A new package release (stunnel-4.56-3.3), available in updates_testing, fixes this issue by explicitly disabling support for this non-working FIPS compliance mode.

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 7 Dave Hodgins 2015-07-10 05:05:43 CEST 
Advisory committed to svn and validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-64-OK advisory
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2015-07-10 10:28:05 CEST 
unvalidating as there is no stunnel-4.56-3.3 (actually no stunnel package at all) in 4 core updates_testing

Keywords: validated_update => (none)
CC: (none) => tmb

Samuel Verschelde 2015-07-10 11:14:16 CEST

Whiteboard: MGA4-64-OK advisory => advisory feedback

Comment 9 Dave Hodgins 2015-07-12 20:26:46 CEST 
$ rpm -qa|grep stunnel
stunnel-4.56-3.3.mga4

It's not in my local repo now though, so it must have been removed.

Guillaume, Any idea what's going on with stunnel?
Comment 10 Dave Hodgins 2015-07-15 01:53:38 CEST 
Guillaume ping
Comment 11 Guillaume Rousse 2015-07-18 13:18:48 CEST 
I just submitted stunnel-4.56-3.3.mga4 again.
Comment 12 Dan Fandrich 2015-07-18 23:12:16 CEST 
I tested stunnel-4.56-3.3.mga4.i586 with popa3d, and it works once the fips=no line is completely removed from the popa3d config file. I'll fix that in Cauldron as it's not shipped in mga4 or mga5.
Comment 13 Dan Fandrich 2015-07-18 23:29:53 CEST 
I just realized I made a wrong assumption about the stunnel version in Cauldron, but I'll make sure popa3d is still working there separately.
Comment 14 Dave Hodgins 2015-08-05 17:07:43 CEST 
Any change to make to the advisory before I validate it again?
http://svnweb.mageia.org/advisories/11000.adv?view=markup

Whiteboard: advisory feedback => advisory feedback MGA4-64-OK

Comment 15 Dan Fandrich 2015-08-05 22:38:03 CEST 
I fixed a couple of typos but it looks fine now.
Dave Hodgins 2015-08-06 17:58:16 CEST

Keywords: (none) => validated_update
Whiteboard: advisory feedback MGA4-64-OK => advisory MGA4-64-OK

Comment 16 Mageia Robot 2015-08-07 21:21:00 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0079.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED