View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000720 | Other Unix Port | Bug | public | 2020-09-01 09:35 | 2021-04-09 19:24 |
Reporter | Steven Levine | Assigned To | psmedley | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | OS2/eCS | OS | OS/2 or eComstation | OS Version | 1.x 2.x or 4.5 |
Summary | 0000720: stunnel 5.56 has problems with entropy | ||||
Description |

Running `[d:\tmp]stunnel version`:

```
[ ] Clients allowed=4882
[.] stunnel 5.56 on i386-pc-os2-emx built by Paul Smedley on Aug 19 2020
[.] Compiled/running with OpenSSL 1.1.1g 21 Apr 2020
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
```

stunnel works as expected until the initial connection is terminated and a new connection is attempted. If the delay between termination and initiation is sufficiently long, the new connection attempt will fail with:

```
2020.08.29 12:53:14 LOG5[1]: Service [vnc] accepted connection from 127.0.0.1:51731
2020.08.29 12:53:14 LOG5[1]: s_connect: connected 173.60.91.116:15900
2020.08.29 12:53:14 LOG5[1]: Service [vnc] connected remote server from 192.168.10.2:51732
2020.08.29 12:53:14 LOG3[1]: error queue: ssl/statem/statem_clnt.c:1149: error:141E7044:SSL routines:tls_construct_client_hello:internal error
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:589: error:2406B072:random number generator:RAND_DRBG_generate:in error state
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:589: error:2406B072:random number generator:RAND_DRBG_generate:in error state
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:634: error:2406B076:random number generator:RAND_DRBG_generate:reseed error
2020.08.29 12:53:14 LOG3[1]: SSL_connect: crypto/rand/drbg_lib.c:446: error:2406E06E:random number generator:RAND_DRBG_reseed:error retrieving entropy
2020.08.29 12:53:14 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
```

Restarting stunnel allows the connection to be set up correctly. This might not be an entropy problem specifically. It may just be a reinitialization problem when starting a new connection. I will need a stunnel/openssl debug build to say more.

Tags | No tags attached. |
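Added example, not code from the report, from stunnel or from OpenSSL: a small parser for stunnel log lines in the format shown above that decodes the packed OpenSSL error numbers and groups RAND-library errors per connection, so a monitor can separate a DRBG/entropy failure from an ordinary handshake error. The library codes (0x14 for ERR_LIB_SSL, 0x24 for ERR_LIB_RAND) are assumed from the OpenSSL 1.1.1 headers; the sample log is the excerpt from the report.

```python
import re
from collections import defaultdict

# OpenSSL 1.1.1 packs an error number as lib (8 bits) | func (12 bits) | reason (12 bits).
# Library codes assumed from OpenSSL 1.1.1 headers: 0x14 is ERR_LIB_SSL, 0x24 is ERR_LIB_RAND.
ERR_LIB_SSL, ERR_LIB_RAND = 0x14, 0x24

LOG_RE = re.compile(r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$")

def parse_line(line):
    """Parse one stunnel log line into a dict (None if it is not a stunnel line).
    An OpenSSL error-queue entry in the message is decoded into rec['err']."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": int(m["level"]), "conn": int(m["conn"]), "msg": m["msg"]}
    e = ERR_RE.search(rec["msg"])
    if e:
        code = int(e["code"], 16)
        rec["err"] = {"code": code, "lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF,
                      "reason_code": code & 0xFFF, "func_name": e["func"], "reason": e["reason"].strip()}
    return rec

def rng_failures(lines):
    """Map connection id -> RAND-library errors seen on it. A non-empty list means the
    DRBG could not be (re)seeded: a host entropy problem, not a certificate/protocol one."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and "err" in rec and rec["err"]["lib"] == ERR_LIB_RAND:
            out[rec["conn"]].append(rec["err"])
    return dict(out)

# Log excerpt copied from the report above: the second (failing) connection.
SAMPLE_LOG = """\
2020.08.29 12:53:14 LOG5[1]: Service [vnc] accepted connection from 127.0.0.1:51731
2020.08.29 12:53:14 LOG5[1]: s_connect: connected 173.60.91.116:15900
2020.08.29 12:53:14 LOG5[1]: Service [vnc] connected remote server from 192.168.10.2:51732
2020.08.29 12:53:14 LOG3[1]: error queue: ssl/statem/statem_clnt.c:1149: error:141E7044:SSL routines:tls_construct_client_hello:internal error
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:589: error:2406B072:random number generator:RAND_DRBG_generate:in error state
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:589: error:2406B072:random number generator:RAND_DRBG_generate:in error state
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:342: error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy
2020.08.29 12:53:14 LOG3[1]: error queue: crypto/rand/drbg_lib.c:634: error:2406B076:random number generator:RAND_DRBG_generate:reseed error
2020.08.29 12:53:14 LOG3[1]: SSL_connect: crypto/rand/drbg_lib.c:446: error:2406E06E:random number generator:RAND_DRBG_reseed:error retrieving entropy
2020.08.29 12:53:14 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
""".splitlines()
```

Running `rng_failures(SAMPLE_LOG)` reports seven RAND-library errors on connection 1, all from the RAND_DRBG functions, while the single SSL-library error (the client-hello "internal error") is the downstream symptom rather than the cause.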
(0003529) psmedley 2020-09-01 19:24

I suspect this is related to entropy in openssl 1.1.1g. openssl 1.0.2t had rand_os2.c (http://svn.netlabs.org/repos/ports/openssl/trunk/crypto/rand/rand_os2.c). With 1.1.1g we're running the unix code, which seemed to be working ok but I guess it isn't. I'll look into adapting rand_os2 into 1.1.1g.
(0003530) psmedley 2020-09-02 09:12

Confirmed to be an openssl 1.1.1 bug:

```
openssl rand 10
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406B072:random number generator:RAND_DRBG_generate:in error state:crypto/rand/drbg_lib.c:589:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406B072:random number generator:RAND_DRBG_generate:in error state:crypto/rand/drbg_lib.c:589:
537102080:error:2406C06E:random number generator:RAND_DRBG_instantiate:error retrieving entropy:crypto/rand/drbg_lib.c:342:
537102080:error:2406B072:random number generator:RAND_DRBG_generate:in error state:crypto/rand/drbg_lib.c:589:
```

I've now tweaked crypto/rand/rand_unix.c and get:

```
openssl rand 10: f÷®×µXÒ
```

(with the output changing each time it's run). Will send a link to a new stunnel shortly.
(0003531) psmedley 2020-09-02 09:15

Please test with http://smedley.id.au/tmp/stunnel-5.56-os2-20200902.zip
(0003533) Steven Levine 2020-09-04 14:55

The 20200902 build seems to have resolved the issue. I wonder if there is any benefit to figuring out what needs to be done to stabilize the unix code. I have to suspect that something is not getting reinitialized between the first and subsequent connection. It's also possible that we have an uninitialized variable and it is just by luck that the first connection works.
(0003534) psmedley 2020-09-04 15:30

I'm leaning towards the latter (luck/uninitialised variable). As mentioned, 'openssl rand 10' failed with the same error as stunnel with the original code. I'll share an updated openssl diff when I get a moment.

Issue History
Date Modified | Username | Field | Change |
---|---|---|---|
2020-09-01 09:35 | Steven Levine | New Issue | |
2020-09-01 19:24 | psmedley | Note Added: 0003529 | |
2020-09-02 09:12 | psmedley | Note Added: 0003530 | |
2020-09-02 09:15 | psmedley | Assigned To | => psmedley |
2020-09-02 09:15 | psmedley | Status | new => feedback |
2020-09-02 09:15 | psmedley | Note Added: 0003531 | |
2020-09-04 14:55 | Steven Levine | Note Added: 0003533 | |
2020-09-04 14:55 | Steven Levine | Status | feedback => assigned |
2020-09-04 15:30 | psmedley | Note Added: 0003534 | |
2020-09-04 18:28 | psmedley | Status | assigned => resolved |
2020-09-04 18:28 | psmedley | Resolution | open => fixed |
2021-04-09 19:24 | psmedley | Status | resolved => closed |