pfSense » pfSense Packages

Pfsense 2.1.1beta, installed Stunnel, but any attempt to add either a first tunnel or a first cert consistently causes a fatal PHP error in stunnel.inc. The fatal error is generated because stunnel.inc executes soon after entry these lines:

  if(isset($_GET['id'])) {
    $config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_chain']=
      base64_decode($config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_chain']);
    $config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_key']=
      base64_decode($config['installedpackages']['stunnelcerts']['config'][$_GET['id']]['cert_key']);
  }

The "+" ("add new entry") buttons in both tabs link to URL like this: https://ROUTER_IP/pkg_edit.php?xml=stunnel_certs.xml&id=0 , so id is set on call, and its value is zero.

The cause seems to be one or both of:

1. $config['installedpackages']['stunnelcerts'] doesn't seem to exist as an array at this point, but presumably it should exist by this point. (If by design the $config referred to isn't created on install, then the code is wrongly assuming it has been). print_r($config['installedpackages']['stunnelcerts']) gives an empty response. As a result, base64_decode() is being passed an unset element in a non-existent subarray, and this creates the visible error. Presumably something should have initialised the array (when stunnel installed?) or else stunnel.inc itself should test existence and initialise the expected $config items upon being called, if unset, but neither of these happens
2. The significance of being called with id=0 is unclear. This could be internal shorthand for a generic "create new entry", or mean "create a new entry with index=0" (because the first item has index=0). But in either case, the above code seems to expect that $_GET['id'] should point to a valid existing tunnel/cert entry with index = 0, already in $config when stunnel.inc is called. As described no such entry is created when the package installs, nor prior to the above code executing. However, subsequent code in stunnel.inc does seem to test for "no tunnels/certs defined", however, so stunnel.inc's logical flow here isn't clear to me. Perhaps I don't understand it very well.

This issue or one very similar was described in the forum some time ago, but the user was dismissed with "stunnel has worked for ages and nothing's changed" (https://forum.pfsense.org/index.php?topic=62052 May 2013). It looks like there is some kind of bug, as expected $config is relied on, but wasn't created at pkg install, nor created at pkg use/setup, nor is the subarray's unset status in $config[] trapped in the package code before it's relied upon. Can it be checked? Thanks.