Univention Bugzilla – Bug 45882
/etc/stunnel/univention_saml.conf:16: "options = NO_SSLv2": Illegal TLS option
Last modified: 2018-03-14 14:38:34 CET
The upgrade to UCS 4.3 failed because stunnel could not be started.

Fehler traten auf beim Bearbeiten von:
 stunnel4
 univention-saml
E: Sub-process /usr/bin/dpkg returned an error code (1)
Error: Failed to execute "apt-get -o DPkg::Options::=--force-confold -o DPkg::Options::=--force-overwrite -o DPkg::Options::=--force-overwrite-dir --trivial-only=no --assume-yes --quiet=1 -u dist-upgrade"
exitcode of univention-updater: 1

Job for stunnel4.service failed because the control process exited with error code.
See "systemctl status stunnel4.service" and "journalctl -xe" for details.
invoke-rc.d: initscript stunnel4, action "restart" failed.
● stunnel4.service - LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons)
   Loaded: loaded (/etc/init.d/stunnel4; generated; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2017-12-18 11:29:32 CET; 21ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3082 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=1/FAILURE)
      CPU: 33ms

Dez 18 11:29:32 master120 stunnel4[3082]: [ ] errno: (*__errno_location ())
Dez 18 11:29:32 master120 stunnel4[3082]: [.] Reading configuration from file /etc/stunnel/univention_saml.conf
Dez 18 11:29:32 master120 stunnel4[3082]: [.] UTF-8 byte order mark not detected
Dez 18 11:29:32 master120 stunnel4[3082]: [!] /etc/stunnel/univention_saml.conf:16: "options = NO_SSLv2": Illegal TLS option
Dez 18 11:29:32 master120 systemd[1]: stunnel4.service: Control process exited, code=exited status=1
Dez 18 11:29:32 master120 systemd[1]: Failed to start LSB: Start or stop stunnel 4.x (TLS tunnel for network daemons).
Dez 18 11:29:32 master120 systemd[1]: stunnel4.service: Unit entered failed state.
Dez 18 11:29:32 master120 systemd[1]: stunnel4.service: Failed with result 'exit-code'.
Dez 18 11:29:32 master120 stunnel4[3082]: failed
Dez 18 11:29:32 master120 stunnel4[3082]: You should check that you have specified the pid= in you configuration file
dpkg: Fehler beim Bearbeiten des Paketes stunnel4 (--configure):
 Unterprozess installiertes post-installation-Skript gab den Fehlerwert 1 zurück
dpkg: Abhängigkeitsprobleme verhindern Konfiguration von univention-saml:
 univention-saml hängt ab von stunnel4 (>= 3:5.18-1); aber:
  Paket stunnel4 ist noch nicht konfiguriert.
dpkg: Fehler beim Bearbeiten des Paketes univention-saml (--configure):
 Abhängigkeitsprobleme - verbleibt unkonfiguriert
Fehler traten auf beim Bearbeiten von:
 stunnel4
 univention-saml

Removing the line and dpkg --configure -a worked around the problem:

/etc/stunnel/univention_saml.conf:16: "options = NO_SSLv2": Illegal TLS option
Disabled options = NO_SSLv2 for now in univention-saml/conffiles/etc/stunnel/univention_saml.conf.

Please enable the option if this is fixed.
(In reply to Felix Botner from comment #1)
> disabled options = NO_SSLv2 for now in
> univention-saml/conffiles/etc/stunnel/univention_saml.conf
>
> please enable options if this is fixed

This is not enough: univention-saml depends on stunnel, and the stunnel postinst is started before univention-saml and still has the old, now broken config.

Added a workaround in univention-saml.preinst: mv the old /etc/stunnel/univention_saml.conf out of the way.

Please remove this workaround once we know how to really fix this.
According to: https://www.stunnel.org/static/stunnel.html
NO_SSLv2 is a default option. So no need to set it. But I'm not sure why NO_SSLv3 works which is supposed to be a default as well.
(In reply to Jürn Brodersen from comment #3)
> According to: https://www.stunnel.org/static/stunnel.html
> NO_SSLv2 is a default option. So no need to set it. But I'm not sure why
> NO_SSLv3 works which is supposed to be a default as well.

stunnel uses openssl. In openssl-1.1.0, sslv2 support is completely removed, including the NO_SSLv2 option.
https://www.openssl.org/news/openssl-1.1.0-notes.html

Debian disables sslv3 in openssl in the build options, but the NO_SSLv3 option still works.
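The cause identified in the comments above, as an added example that is not part of the bug thread or of Univention's packaging code: a POSIX shell check that reports active "options = NO_SSLv2" lines in stunnel configuration files and comments them out, keeping a backup. The function names and the sample config are constructed, and case-insensitive matching of the option name and value is an assumption.

```shell
#!/bin/sh
# Added example (not Univention's code): locate and disable the stunnel
# option that stunnel built against OpenSSL 1.1.0 rejects.

# Constructed sample config; the real univention_saml.conf is not shown on the page.
sample_conf() {
    cat <<'EOF'
; constructed sample
[example]
accept = 11212
; options = NO_SSLv2
options = NO_SSLv2
  Options=no_sslv2
options = NO_SSLv3
EOF
}

# find_no_sslv2 FILE...: print FILE:LINE: TEXT for every active match.
# Exit status is 0 if any match was found, 1 otherwise.
find_no_sslv2() {
    awk '
        /^[ \t]*[;#]/ { next }    # comment lines are inactive
        {
            # Assumption: option name and value are matched case-insensitively.
            t = tolower($0); gsub(/[ \t\r]/, "", t)
            if (t == "options=no_sslv2") {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                found = 1
            }
        }
        END { exit !found }
    ' "$@"
}

# disable_no_sslv2 FILE: comment out the matches in place, keeping FILE.bak.
disable_no_sslv2() {
    cp -p "$1" "$1.bak" || return 1
    awk '
        /^[ \t]*[;#]/ { print; next }
        {
            t = tolower($0); gsub(/[ \t\r]/, "", t)
            if (t == "options=no_sslv2") print "; " $0
            else print
        }
    ' "$1.bak" > "$1"
}
```

Running find_no_sslv2 over /etc/stunnel/*.conf before the upgrade shows every file that would make the stunnel4 postinst fail with the error in this report.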
Note: The available TLS versions can be checked with
'''
nmap --script ssl-enum-ciphers -p 11212 localhost
'''
df30e86e: restart stunnel4 to load new configuration
changelog?
(In reply to Felix Botner from comment #7)
> changelog?

Sorry

f2a7a9d4: changelog
OK
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".