On a test environment, I successfully had stunnel securing MySQL
traffic between two systems using a verify level of 3. However, with
the production system and what I would call an identical setup
(albeit with new certificates), I get the following errors (see log
below). The version of stunnel I'm running is 4.11. I saw the "bad
rsa signature" message in the server's output, so I regenerated the
private key file to be sure I'd used the right one. Everything seems
to be in order, but it will not work. Any ideas?
Client:
2006.05.30 09:20:21 LOG5[21951:1]: stunnel 4.11 on i686-pc-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:20:21 LOG5[21951:1]: 499 clients allowed
2006.05.30 09:20:25 LOG5[21951:2]: stunnel_mysql connected from 127.0.0.1:32853
2006.05.30 09:20:25 LOG3[21951:2]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2006.05.30 09:20:25 LOG5[21951:2]: stack_info: size=65536, current=15296 (23%), maximum=15296 (23%)
Server:
2006.05.30 09:19:42 LOG7[19964:3086334176]: RAND_status claims sufficient entropy for the PRNG
2006.05.30 09:19:42 LOG6[19964:3086334176]: PRNG seeded successfully
2006.05.30 09:19:42 LOG7[19964:3086334176]: Certificate: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Key file: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Verify directory set to /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG5[19964:3086334176]: Peer certificate location /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG7[19964:3086334176]: SSL context initialized for service stunnel_mysqld
2006.05.30 09:19:42 LOG5[19964:3086334176]: stunnel 4.15 on i686-pc-linux-gnu with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:19:42 LOG5[19964:3086334176]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
2006.05.30 09:19:42 LOG6[19964:3086334176]: file ulimit = 1022 (can be changed with 'ulimit -n')
2006.05.30 09:19:42 LOG6[19964:3086334176]: poll() used - no FD_SETSIZE limit for file descriptors
2006.05.30 09:19:42 LOG5[19964:3086334176]: 499 clients allowed
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 4 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 5 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 6 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: SO_REUSEADDR option set on accept socket
2006.05.30 09:19:42 LOG7[19964:3086334176]: stunnel_mysqld bound to 0.0.0.0:606
2006.05.30 09:19:42 LOG7[19964:3086334176]: Created pid file /usr/local/var/stunnel/stunnel.pid
2006.05.30 09:20:40 LOG7[19964:3086334176]: stunnel_mysqld accepted FD=7 from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld started
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 7 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 8 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 9 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: Connection from xxx.xxx.xxx.xxx:32854 permitted by libwrap
2006.05.30 09:20:40 LOG5[19964:3086330800]: stunnel_mysqld connected from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086334176]: Cleaning up the signal pipe
2006.05.30 09:20:40 LOG6[19964:3086334176]: Child process 19967 finished with code 0
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=2, ... (Root CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=1, ... (CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=0, ... (client)
2006.05.30 09:20:40 LOG3[19964:3086330800]: error stack: 1408807A : error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature
2006.05.30 09:20:40 LOG3[19964:3086330800]: SSL_accept: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
2006.05.30 09:20:40 LOG5[19964:3086330800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld finished (0 left)
Thanks.
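Added example (not part of the original post): the server log above shows the client certificate chain verifying at depths 2, 1 and 0 and then failing in SSL3_GET_CERT_VERIFY with "bad rsa signature". That routine is the server checking the CertificateVerify message the client signed with its private key, so the signature is being verified against the public key in the client's certificate; the pair worth checking is therefore the client's cert and key, not only the server's. The script below compares the RSA modulus of a certificate with that of a private key, which tells you whether the two files belong together. All paths in it are placeholders, and the key and certificate it generates are constructed test data, not the poster's files.

```shell
#!/bin/sh
# Added example, not from the original post: does a PEM private key belong to
# the public key in a PEM certificate? For RSA, matching moduli means yes.
# Run it on the client-side cert/key named in the client stunnel.conf (that
# is the pair behind a CertificateVerify "bad rsa signature"), and on the
# server pair as well since it is cheap.
set -eu

# key_matches_cert CERT.pem KEY.pem
# Prints "match" and returns 0 when the moduli agree, prints the mismatch
# and returns 1 when they differ, returns 2 if either file is unreadable.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    if [ "$cert_mod" = "$key_mod" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH: $2 is not the private key for $1"
    return 1
}

# make_test_material DIR: constructed test data, a self-signed client cert
# with its real key, plus an unrelated key standing in for a wrong key file.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=client' \
        -keyout "$1/client.key" -out "$1/client.crt" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    make_test_material "$work"
    key_matches_cert "$work/client.crt" "$work/client.key" || true   # match
    key_matches_cert "$work/client.crt" "$work/other.key" || true    # MISMATCH
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found in PATH" >&2
fi
```

To use it on a real deployment, call key_matches_cert with the cert and key paths from each side's stunnel.conf; a MISMATCH on the client side is the classic cause of this exact server error, since the chain still verifies but the handshake signature cannot.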