Bug 28195 - stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230)
Summary: stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-01-22 18:59 CET by David Walser
Modified: 2021-06-23 19:15 CEST (History)

See Also:
Source RPM: stunnel-5.56-2.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-01-22 18:59:16 CET
SUSE has issued an advisory today (January 22):
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008236.html

The issue is fixed upstream in 5.57.

Mageia 7 is likely also affected.
Comment 1 Lewis Smith 2021-01-22 20:55:04 CET
This SRPM has had various committers, so having to assign this bug to everybody & anybody.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Lécureuil 2021-01-22 23:04:05 CET
fixed in cauldron

Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => mageia

David Walser 2021-01-22 23:04:50 CET

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED
Version: Cauldron => 7

Comment 3 David Walser 2021-01-26 05:48:52 CET
openSUSE has issued an advisory for this today (January 25):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Q7XK4JAT2VTRMB2I2BVA3DY34276OGEH/
David Walser 2021-02-23 19:40:39 CET

Summary: stunnel new security issue fixed upstream in 5.57 => stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230

Comment 4 David Walser 2021-02-23 19:41:05 CET
RedHat has issued an advisory on February 22:
https://access.redhat.com/errata/RHSA-2021:0618

Summary: stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230 => stunnel new security issue fixed upstream in 5.57 (CVE-2021-20230)
Severity: normal => critical

Comment 5 Nicolas Lécureuil 2021-03-11 22:02:21 CET
already in testing:

src:
    - stunnel-5.57-1.mga7

Assignee: pkg-bugs => qa-bugs

Comment 6 David Walser 2021-03-14 15:51:54 CET
Advisory:
========================

Updated stunnel package fixes security vulnerability:

Client certificate not correctly verified when redirect and verifyChain options
are used (CVE-2021-20230).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20230
https://access.redhat.com/errata/RHSA-2021:0618
Comment 7 PC LX 2021-03-15 12:30:41 CET
Installed without issues but could not get it to work due to "unknown CA" verification issues.


Tested with a tunnel to example.com:443. Also tested with other common domains and always results in the same issue.


[example.com-https]
client = yes
accept = 127.0.0.1:8080
connect = example.com:443
verifyChain = yes
CApath = /etc/pki/tls/
# Also tested with: CApath = /etc/ssl/certs/
checkHost = example.com
OCSPaia = yes


Log relevant excerpt:
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: s_connect: connected 2606:2800:220:1:248:1893:25c8:1946:443
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Service [example.com-https] connected remote server from 2001:818:e808:8300:2c66:2dff:fec3:b143:43356
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Setting remote socket options (FD=10)
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Option TCP_NODELAY set on remote socket
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Remote descriptor (FD=10) initialized
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: SNI: sending servername: example.com
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: Peer certificate required
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): before SSL initialization
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Initializing application specific data for session authenticated
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: CERT: Pre-verification error: self signed certificate in certificate chain
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: Rejected by CERT at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS alert (write): fatal: unknown CA
mar 15 11:20:37 marte stunnel[30158]: LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1245: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket



System: Mageia 7, x86_64, Intel CPU.



$ uname -a
Linux marte 5.10.20-desktop-2.mga7 #1 SMP Fri Mar 5 20:47:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q stunnel
stunnel-5.57-1.mga7
$ journalctl -b0 -u stunnel
<SNIP>
mar 15 11:20:23 marte systemd[1]: Started SSL tunnel for network daemons.
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: "/etc/stunnel/conf.d/." is not a file
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: "/etc/stunnel/conf.d/.." is not a file
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: Reading configuration from file /etc/stunnel/conf.d/tunnel.conf
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: UTF-8 byte order mark not detected
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: FIPS mode disabled
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Compression disabled
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: No PRNG seeding was required
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: Initializing service [example.com-https]
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: OpenSSL security level is used: 2
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: TLS options: 0x02000004 (+0x00000000, -0x00000000)
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: No certificate or private key specified
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: DH initialization skipped: client section
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: ECDH initialization
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: ECDH initialized with curves prime256v1
mar 15 11:20:23 marte stunnel[30156]: LOG5[ui]: Configuration successful
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Deallocating deployed section defaults
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Binding service [example.com-https]
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Listening file descriptor created (FD=9)
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Setting accept socket options (FD=9)
mar 15 11:20:23 marte stunnel[30156]: LOG7[ui]: Option SO_REUSEADDR set on accept socket
mar 15 11:20:23 marte stunnel[30156]: LOG6[ui]: Service [example.com-https] (FD=9) bound to 127.0.0.1:8080
mar 15 11:20:23 marte stunnel[30158]: LOG7[main]: Created pid file /run/stunnel/stunnel.pid
mar 15 11:20:23 marte stunnel[30158]: LOG7[cron]: Cron thread initialized
mar 15 11:20:23 marte stunnel[30158]: LOG6[cron]: Executing cron jobs
mar 15 11:20:23 marte stunnel[30158]: LOG6[cron]: Cron jobs completed in 0 seconds
mar 15 11:20:23 marte stunnel[30158]: LOG7[cron]: Waiting 86400 seconds
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: Found 1 ready file descriptor(s)
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: FD=4 events=0x2001 revents=0x0
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: FD=9 events=0x2001 revents=0x1
mar 15 11:20:37 marte stunnel[30158]: LOG7[main]: Service [example.com-https] accepted (FD=3) from 127.0.0.1:36070
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Service [example.com-https] started
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Setting local socket options (FD=3)
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Option TCP_NODELAY set on local socket
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Service [example.com-https] accepted connection from 127.0.0.1:36070
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: failover: priority, starting at entry #0
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: s_connect: connecting 2606:2800:220:1:248:1893:25c8:1946:443
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: s_connect: s_poll_wait 2606:2800:220:1:248:1893:25c8:1946:443: waiting 10 seconds
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: FD=6 events=0x2001 revents=0x0
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: FD=10 events=0x2005 revents=0x0
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: s_connect: connected 2606:2800:220:1:248:1893:25c8:1946:443
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Service [example.com-https] connected remote server from 2001:818:e808:8300:2c66:2dff:fec3:b143:43356
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Setting remote socket options (FD=10)
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Option TCP_NODELAY set on remote socket
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Remote descriptor (FD=10) initialized
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: SNI: sending servername: example.com
mar 15 11:20:37 marte stunnel[30158]: LOG6[0]: Peer certificate required
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): before SSL initialization
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Initializing application specific data for session authenticated
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Verification started at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: CERT: Pre-verification error: self signed certificate in certificate chain
mar 15 11:20:37 marte stunnel[30158]: LOG4[0]: Rejected by CERT at depth=2: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: TLS alert (write): fatal: unknown CA
mar 15 11:20:37 marte stunnel[30158]: LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1245: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
mar 15 11:20:37 marte stunnel[30158]: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Deallocating application specific data for session connect address
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Remote descriptor (FD=10) closed
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Local descriptor (FD=3) closed
mar 15 11:20:37 marte stunnel[30158]: LOG7[0]: Service [example.com-https] finished (0 left)

CC: (none) => mageia

Comment 8 Herman Viaene 2021-05-10 15:01:04 CEST
Started looking for info and found https://www.stunnel.org/howto.html
Read through it and this is over my head. There are quite a few examples of config files there. Someone with more knowledge than me might find it useful. E.g. the example.com there uses port 8443, why???

CC: (none) => herman.viaene

Comment 9 PC LX 2021-05-11 12:12:18 CEST
Tried again to make stunnel work but still with little success.


In client mode I can make it work. 

Client mode config example:
===============================
[example.com]
client = yes
accept  = 8080
connect = example.com:443
===============================

But in server mode it always gives me some SSL errors.

Server mode config example:
===============================
[example.com]
client = no
accept  = 8080
connect = example.com:80
===============================

Relevant output of "journalctl -b0 -u stunnel.service"
===============================
mai 11 11:02:19 marte stunnel[25407]: [ ] Initializing service [example.com]
mai 11 11:02:19 marte stunnel[25407]: [ ] OpenSSL security level is used: 2
mai 11 11:02:19 marte stunnel[25407]: [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
mai 11 11:02:19 marte stunnel[25407]: [ ] TLS options: 0x02004004 (+0x00004000, -0x00000000)
mai 11 11:02:19 marte stunnel[25407]: [ ] Loading certificate from file: /etc/pki/tls/certs/stunnel.pem
mai 11 11:02:19 marte stunnel[25407]: [ ] Certificate loaded from file: /etc/pki/tls/certs/stunnel.pem
mai 11 11:02:19 marte stunnel[25407]: [ ] Loading private key from file: /etc/pki/tls/certs/stunnel.pem
mai 11 11:02:19 marte stunnel[25407]: [:] Insecure file permissions on /etc/pki/tls/certs/stunnel.pem
mai 11 11:02:19 marte stunnel[25407]: [!] error queue: ssl/ssl_rsa.c:550: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
mai 11 11:02:19 marte stunnel[25407]: [!] SSL_CTX_use_PrivateKey_file: crypto/pem/pem_lib.c:686: error:0906D06C:PEM routines:PEM_read_bio:no start line
mai 11 11:02:19 marte stunnel[25407]: [!] Service [example.com]: Failed to initialize TLS context
===============================

The certificate seems valid. At least openssl does not complain about it.

Certificate output:
===============================
$ openssl x509 -noout -text -in /etc/pki/tls/certs/stunnel.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e3:36:b3:bc:ea:42:1f:1d
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = PT, ST = Some-State, O = PMC, CN = marte.local
        Validity
            Not Before: May 11 09:48:26 2021 GMT
            Not After : May 11 09:48:26 2022 GMT
        Subject: C = PT, ST = Some-State, O = PMC, CN = marte.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    <SNIP>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                <SNIP>
            X509v3 Authority Key Identifier: 
                keyid:<SNIP>

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
            <SNIP>
===============================
Comment 10 Thomas Backlund 2021-05-11 12:54:13 CEST
(In reply to PC LX from comment #9)

> mai 11 11:02:19 marte stunnel[25407]: [ ] Loading private key from file:
> /etc/pki/tls/certs/stunnel.pem
> mai 11 11:02:19 marte stunnel[25407]: [:] Insecure file permissions on
> /etc/pki/tls/certs/stunnel.pem

This causes the rest to fail:

Basically there is probably some 644 permission on /etc/pki/tls/certs/stunnel.pem which is not ok.

it should probably be 600 (or 640 at the most), meaning ro world readable as it's supposed to be a "private key"
Comment 11 Thomas Backlund 2021-05-11 12:54:59 CEST
... *no* world readable...
Comment 12 David Walser 2021-05-11 14:11:13 CEST
No, that's the public key directory.  The private key goes in /etc/pki/tls/private.  Something is misconfigured if it's looking for the private key in the public key directory.
Comment 13 Thomas Backlund 2021-05-11 18:42:35 CEST
true,... I just reacted on the "Insecure file permissions" bit
Comment 14 PC LX 2021-05-11 20:18:55 CEST
Tried the above suggestions but the issue still remains.

============================
$ LANGUAGE=C stat /etc/pki/tls/certs/stunnel.pem
  File: /etc/pki/tls/certs/stunnel.pem
  Size: 1958            Blocks: 8          IO Block: 4096   regular file
Device: 1bh/27d Inode: 3334584     Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2021-05-11 19:10:59.558718892 +0100
Modify: 2021-05-11 11:07:35.247364106 +0100
Change: 2021-05-11 19:10:45.116396391 +0100
 Birth: 2021-03-15 10:30:07.558456778 +0000
============================

Relevant output of "journalctl -b0 -u stunnel.service"
============================
mai 11 19:10:59 marte stunnel[3743]: [ ] OpenSSL security level is used: 2
mai 11 19:10:59 marte stunnel[3743]: [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
mai 11 19:10:59 marte stunnel[3743]: [ ] TLS options: 0x02004004 (+0x00004000, -0x00000000)
mai 11 19:10:59 marte stunnel[3743]: [ ] Loading certificate from file: /etc/pki/tls/certs/stunnel.pem
mai 11 19:10:59 marte stunnel[3743]: [ ] Certificate loaded from file: /etc/pki/tls/certs/stunnel.pem
mai 11 19:10:59 marte stunnel[3743]: [ ] Loading private key from file: /etc/pki/tls/certs/stunnel.pem
mai 11 19:10:59 marte stunnel[3743]: [!] error queue: ssl/ssl_rsa.c:550: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
mai 11 19:10:59 marte stunnel[3743]: [!] SSL_CTX_use_PrivateKey_file: crypto/pem/pem_lib.c:686: error:0906D06C:PEM routines:PEM_read_bio:no start line
mai 11 19:10:59 marte stunnel[3743]: [!] Service [example.com]: Failed to initialize TLS context
mai 11 19:10:59 marte stunnel[3743]: [!] Configuration failed
============================

All the manual and examples seem to ask for the certificate, not the private key, but, just in case, I also tried using the private key. Still a failure.
============================
mai 11 19:14:43 marte stunnel[4057]: [ ] OpenSSL security level is used: 2
mai 11 19:14:43 marte stunnel[4057]: [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
mai 11 19:14:43 marte stunnel[4057]: [ ] TLS options: 0x02004004 (+0x00004000, -0x00000000)
mai 11 19:14:43 marte stunnel[4057]: [ ] Loading certificate from file: /etc/pki/tls/private/stunnel.pem
mai 11 19:14:43 marte stunnel[4057]: [!] error queue: ssl/ssl_rsa.c:616: error:140DC009:SSL routines:use_certificate_chain_file:PEM lib
mai 11 19:14:43 marte stunnel[4057]: [!] SSL_CTX_use_certificate_chain_file: crypto/pem/pem_lib.c:686: error:0906D06C:PEM routines:PEM_read_bio:no start line
mai 11 19:14:43 marte stunnel[4057]: [!] Service [example.com]: Failed to initialize TLS context
============================
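The three failures reported above all come from the certificate setup rather than from stunnel itself: comment 7's "unknown CA" (a CApath directory without OpenSSL's hash-named entries, so no trust anchor is found), comments 9 and 14's "PEM_read_bio:no start line" (stunnel reads the private key from the cert file when no key option is given, and the file only holds a certificate), and comment 10's "Insecure file permissions". The checker below is an added example for this bug report; it is not code from stunnel or from any commenter. It assumes only OpenSSL's PEM block labels and its CApath naming convention (<8 hex digits>.<n>); the PEM bodies, file names and hash name used in the demo are constructed.

```python
"""Diagnose common stunnel TLS-context and CA-lookup failures from a config's files.

Added example (not stunnel's code). Sample data below is constructed.
"""
import os
import re
import stat
import tempfile

# A PEM file is a sequence of "-----BEGIN <label>-----" ... "-----END <label>-----" blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

# OpenSSL's CApath lookup only opens files named <subject hash>.<n>, e.g. 3513523f.0
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")

# Constructed PEM texts: the base64 bodies are placeholders, not real key material.
CERT_ONLY_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIC...constructed-cert-body...\n-----END CERTIFICATE-----\n"
)
CERT_AND_KEY_PEM = CERT_ONLY_PEM + (
    "-----BEGIN PRIVATE KEY-----\nMIIE...constructed-key-body...\n-----END PRIVATE KEY-----\n"
)


def pem_block_types(pem_text):
    """Labels of the PEM blocks found, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_server_pem(pem_text, mode, key_file_separate=False):
    """Findings for the file named by 'cert =' in a stunnel server (client = no) section.

    mode is the file's st_mode (as from os.stat). Without a 'key =' option stunnel
    loads the private key from the cert file, so a certificate-only file makes
    SSL_CTX_use_PrivateKey_file fail with 'PEM_read_bio:no start line'.
    """
    types = pem_block_types(pem_text)
    findings = []
    if "CERTIFICATE" not in types:
        findings.append("cert file has no CERTIFICATE block "
                        "(use_certificate_chain_file fails with 'no start line')")
    has_key = any(t.endswith("PRIVATE KEY") for t in types)
    if not has_key and not key_file_separate:
        findings.append("cert file has no PRIVATE KEY block and no 'key =' option is set "
                        "(SSL_CTX_use_PrivateKey_file fails with 'no start line')")
    # Only a file that actually contains a private key needs to be locked down.
    if has_key and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file holds a private key but is group/world accessible "
                        "(stunnel warns 'Insecure file permissions'; use mode 0600)")
    return findings


def check_capath(capath):
    """Findings for a 'CApath =' directory used with verifyChain = yes."""
    try:
        names = os.listdir(capath)
    except OSError as exc:
        return ["CApath %s unreadable: %s" % (capath, exc)]
    if not any(HASH_NAME.match(n) for n in names):
        return ["CApath %s has no hash-named entries (<hash>.0): OpenSSL finds no trust "
                "anchor and rejects the chain with 'unknown CA'. Run 'openssl rehash' on "
                "the directory or use 'CAfile =' with a bundle instead" % capath]
    return []


def demo_capath_check():
    """Constructed demo: an empty CApath, then the same directory with one hashed entry."""
    with tempfile.TemporaryDirectory() as d:
        before = check_capath(d)
        # Constructed hash name; a real one comes from 'openssl x509 -subject_hash'.
        open(os.path.join(d, "3513523f.0"), "w").close()
        after = check_capath(d)
    return before, after


if __name__ == "__main__":
    for label, text, mode in (("cert only, 0644", CERT_ONLY_PEM, 0o100644),
                              ("cert+key, 0644", CERT_AND_KEY_PEM, 0o100644),
                              ("cert+key, 0600", CERT_AND_KEY_PEM, 0o100600)):
        print(label, "->", check_server_pem(text, mode) or "ok")
    before, after = demo_capath_check()
    print("empty CApath ->", before)
    print("rehashed CApath ->", after or "ok")
```

To run it against a real setup, read the file named by the section's cert option with open(...).read() and pass os.stat(path).st_mode; pass key_file_separate=True when the section has its own key option. The permission finding deliberately fires only when the file contains a key: a certificate-only file in /etc/pki/tls/certs is public data, which is the point made in comment 12.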
Comment 15 David Walser 2021-05-30 21:15:41 CEST
openSUSE has issued an advisory for this on March 14:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XVLGFTQ3NKK4IRG4YXB6DPOVNR7D5IAU/
Comment 16 Brian Rockwell 2021-06-12 16:54:19 CEST
I tried setting up as a server.

same error

 error queue: ssl/ssl_rsa.c:616: error:140DC009:SSL routines:use_certificate_chain_file:PEM lib

Looks like there is a consensus this is an issue out in the Internet as well.

CC: (none) => brtians1

Comment 17 David Walser 2021-06-21 22:16:22 CEST
Are these issues regressions?
Comment 18 Dave Hodgins 2021-06-23 03:12:34 CEST
It was broken by either a rootcerts update or gnutls update and not noticed
during testing of those updates.

I just retested it, and now it is working. Not sure what's changed since then,
but ok on mga7 x86-64. I'll test shortly on mga8.

CC: (none) => davidwhodgins

Comment 19 Dave Hodgins 2021-06-23 03:15:51 CEST
For my test, I commented out default servers and added
[nntps]
client=yes
connect=news.eternal-september.org:563
cert=/etc/pki/tls/certs/stunnel.pem
accept=564
TIMEOUTconnect=60

I have leafnode configured to fetch the usenet messages, and opera 12.16
configured to fetch messages from leafnode.
Comment 20 Dave Hodgins 2021-06-23 03:20:07 CEST
Also, here's the journal output showing stunnel now working ...
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: stunnel 5.57 on x86_64-mageia-linux-gnu platform
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: Compiled/running with OpenSSL 1.1.0l  10 Sep 2019
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: UTF-8 byte order mark not detected
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: FIPS mode disabled
Jun 22 21:06:56 stunnel[11171]: LOG4[ui]: Service [nntps] needs authentication to prevent MITM attacks
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: Configuration successful
Jun 22 21:06:56 stunnel[11171]: LOG5[ui]: Binding service [nntps] to :::564: Address already in use (98)
Jun 22 21:09:04 stunnel[11173]: LOG5[0]: Service [nntps] accepted connection from 127.0.0.1:49130
Jun 22 21:09:04 stunnel[11173]: LOG5[0]: s_connect: connected 2a01:4f8:191:31c5::2:563
Jun 22 21:09:04 stunnel[11173]: LOG5[0]: Service [nntps] connected remote server from 2607:f2c0:e776:50::1000:36530
Jun 22 21:09:23 stunnel[11173]: LOG5[0]: Connection closed: 2132 byte(s) sent to TLS, 971954 byte(s) sent to socket
Comment 21 David Walser 2021-06-23 03:24:26 CEST
I remember Zombie complaining about an expired CA cert in rootcerts causing an issue with his VPN client.  There's been a rootcerts update since then, which I presume removed the problematic certificate.  Maybe that was the problem here.
Comment 22 Dave Hodgins 2021-06-23 03:35:03 CEST
Quite possible.
Realized this is a mga7 update just after confirming it's working on mga8 too.
Validating the update.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update

Thomas Backlund 2021-06-23 16:38:32 CEST

Keywords: (none) => advisory

Comment 23 Mageia Robot 2021-06-23 19:15:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0284.html

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

