stunnel service no longer starts after libopenssl0_9_8-0.9.8j-0.44.1 has been installed while patching SLES11SP1

  • 7010536
  • 30-Jul-2012
  • 18-May-2013

Environment

NetIQ Access Manager 3.1.5
NetIQ Access Manager 3.2.1
SUSE Linux Enterprise Server 11 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 2

Situation

  • The SSLVPN stunnel service / binary does not start:

    • after applying the latest SLES11SP1 patches through the official update channel
    • on a fresh SLES11SP2 installation
    • after applying libopenssl0_9_8-0.9.8j-0.44.1 (the tunnel service will not load properly)

  • Starting SSLVPN returns the following:

    SSL VPN Service has been stopped.
    Starting SSL VPN Service ......
    stunnel: pthread_mutex_lock.c:62: __pthread_mutex_lock: Assertion `mutex->__data.__owner == 0' failed.
    SOCKD is running
    SOCKD is registered
    STUNNEL is not running
    OPENVPN is running

Resolution

  • A new stunnel version compiled against OpenSSL 0.9.8j:

    stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8j-fips 07 Jan 2009
    Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4

    has been included with "NetIQ Access Manager 3.2 Support Pack 1 Interim Release 1a 3.2.1-201"

  • For NetIQ Access Manager 3.2.1
    • Download and install: "NetIQ Access Manager 3.2 Support Pack 1 Interim Release 1a 3.2.1-201"

  • For Novell Access Manager 3.1.5

    • Download "NetIQ Access Manager 3.2 Support Pack 1 Interim Release 1a 3.2.1-201"
    • Copy the patch to your workstation
    • Unpack the AM_32_SP1_IR1a.zip archive: "unzip AM_32_SP1_IR1a.zip"
    • Change into the new directory: "cd AM_32_SP1_IR1a"
    • AM_32_SP1_IR1a_201.patch is itself a zip file
      (AM_32_SP1_IR1a_201.patch: Zip archive data, at least v2.0 to extract);
      extract it with: "unzip AM_32_SP1_IR1a_201.patch"
    • The new stunnel version can be found in the subdirectory: "Linux/opt/novell/sslvpn/bin"
    • Create a backup of the existing stunnel binary on your SSLVPN server:
      "cp /opt/novell/sslvpn/bin/stunnel /opt/novell/sslvpn/bin/stunnel.old"
    • Copy the new stunnel binary over to your SSLVPN server
    • Restart your SSLVPN server

Note: Novell Access Manager Service Pack 5 should have included the fix as well, but in fact the fix did not make it into SP5. The statement in the SP5 readme is wrong.

Cause

  • The stunnel version shipped with Novell Access Manager 3.1.5 and NetIQ Access Manager 3.2.1:

    stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8a 11 Oct 2005
    Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4

    has not been compiled to run with libopenssl0_9_8-0.9.8j-0.44.1
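
The check below is an added example, not part of the original article or of the NetIQ patch: it reads a stunnel version banner and reports whether the binary was built against the same OpenSSL release as the installed libopenssl package, which is a useful test before and after swapping the binary. The function names are hypothetical, the two banners are the ones quoted in this article, and the commented commands for a live server assume that stunnel prints its banner for -version and that rpm -q returns the package string in the form shown in the title.

```shell
#!/bin/sh
# Added example: compare the OpenSSL release a stunnel binary was compiled
# against with the release of the installed libopenssl package.

# Print the OpenSSL version token from banner text on stdin, e.g. from
# "stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8j-fips 07 Jan 2009".
stunnel_openssl_build() {
    sed -n 's/^.*stunnel .* with OpenSSL \([^ ]*\).*$/\1/p' | head -n 1
}

# Print the OpenSSL release encoded in a package string such as
# "libopenssl0_9_8-0.9.8j-0.44.1" (prints 0.9.8j).
openssl_release_of_pkg() {
    printf '%s\n' "$1" |
        sed -n 's/^libopenssl[0-9_]*-\([0-9.]*[a-z]*\)-.*$/\1/p'
}

# Read a banner on stdin; $1 is the wanted release (default 0.9.8j, the
# release named in this article). Prints:
#   ok       build matches the wanted release (suffixes like -fips allowed)
#   replace  build was made against a different release
#   unknown  no banner line found (for example, the binary aborted)
stunnel_build_status() {
    want=${1:-0.9.8j}
    build=$(stunnel_openssl_build)
    case "$build" in
        "")                 echo unknown ;;
        "$want"|"$want"-*)  echo ok ;;
        *)                  echo replace ;;
    esac
}

# Banners quoted in this article, embedded so the example runs offline.
OLD_BANNER='stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8a 11 Oct 2005
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4'
NEW_BANNER='stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8j-fips 07 Jan 2009
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4'

WANT=$(openssl_release_of_pkg 'libopenssl0_9_8-0.9.8j-0.44.1')
printf '%s\n' "$OLD_BANNER" | stunnel_build_status "$WANT"  # shipped binary
printf '%s\n' "$NEW_BANNER" | stunnel_build_status "$WANT"  # patched binary

# On the SSLVPN server (assumptions as stated in the lead-in):
#   WANT=$(openssl_release_of_pkg "$(rpm -q libopenssl0_9_8)")
#   /opt/novell/sslvpn/bin/stunnel -version 2>&1 | stunnel_build_status "$WANT"
```

Run the check against the backed-up stunnel.old as well if you want a record of the OpenSSL release the previous binary was built for.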