stunnel source option (-S) not supported

Bug #345918 reported by Roman Fiedler
Affects            Status    Importance  Assigned to  Milestone
stunnel4 (Debian)  New       Undecided   Unassigned
stunnel4 (Ubuntu)  Triaged   Low         Unassigned

Bug Description

Binary package hint: stunnel4

The -S (source) option is mentioned in the man pages of stunnel4, but is not available on the command line. The -S option exists in stunnel from the standard stunnel package on hardy, but was removed or renamed in stunnel4.

Tested on hardy

Revision history for this message
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

It seems that /usr/bin/stunnel is just a compatibility Perl script that does not know about the -S option, probably because it cannot map it to any option in stunnel4.

Since -S 0 can be used to suppress reading of any other certificate files for validation of remote server/client certs, it would be interesting to know how the CA-validation process has changed from version 3 to 4.

If the new default is to read only certificates from the specified file/path, then everything is OK.

If the new version does include default CA files, I'm not sure about the consequences. Could it find the default CA list installed on some machines, so that other clients that use e.g. a Thawte-signed key/cert could connect, while I expected that only client certificates signed by my company's root CA are accepted? What about the latest attacks on MD5-signed root CAs?

Revision history for this message
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

I found a workaround for the perl file to ignore the -S option, so that calls from old scripts still work, but I haven't looked at the security consequences for cert-checks.

Revision history for this message
Brian Murray (brian-murray) wrote :

This is actually documented in the README:

The wrapper script /usr/bin/stunnel3 understands stunnel3 command line
syntax and calls stunnel4 with appropriate options. It appears to
support every stunnel3 option *except* -S (which controls the defaults
used for certificate sources).

To simplify migration, /usr/bin/stunnel is a symlink to the wrapper
script. A future version will make the link point to stunnel4.

Changed in stunnel4 (Ubuntu):
importance: Undecided → Low
Revision history for this message
Brian Murray (brian-murray) wrote :

Additionally, this (-S) is not mentioned in the manual anymore.

Changed in stunnel4 (Ubuntu):
status: New → Triaged
Revision history for this message
Brian Murray (brian-murray) wrote :

In the debian/changelog we can see some information about this option's removal from the man page:

stunnel4 (3:4.20-5) unstable; urgency=low

  * debian/stunnel3.8:
    - Remove references to unsupported -S and -V options in manpage, and
    include an explicit list of tunable parameters for -O and their
    default values (Closes: #440718).
    - Rewrite -P argument description. It must be a file to be created, or
    empty (Closes: #398012).

 -- Luis Rodrigo Gallardo Cruz <email address hidden> Thu, 27 Sep 2007 11:54:53 -0500

Revision history for this message
Brian Murray (brian-murray) wrote :

If you are interested in getting this option added please work with Debian on this issue as we synchronize this package with them. You can find more information about working with Debian at https://wiki.ubuntu.com/Debian/Bugs. Thanks!

summary: - stunnel source option (-S) not working
+ stunnel source option (-S) not supported