Hello,
I am trying to set up a stunnel between two machines running LynxOS,
which is a POSIX derivative.
I've compiled OpenSSL 0.9.8e, and stunnel 4.20:
stunnel 4.20 on i386-unknown-lynxos with OpenSSL 0.9.8e 23 Feb 2007
Threading:FORK SSL:ENGINE Sockets:POLL,IPv4
[...]
I use the following config files:
////// server side
debug=7
foreground=yes
pid=
CAfile=valid_certs
key=privkey.pem
cert=cert.pem
verify=1
[SSLTunnel]
accept=1235
connect=1234
////// end server side
////// client side
debug=7
foreground=yes
pid=
CAfile=valid_certs
key=privkey.pem
cert=cert.pem
verify=1
client=yes
[SSLTunnel]
accept=4234
connect=173.16.1.10:1235
////// end client side
(It's run from different directories so the PEM files are different)
After running both stunnels, I connect to the client side and see a beginning
of handshake; however, it then breaks down: from afar, it looks like the client
doesn't take the server certificate:
///// server trace
2007.04.25 15:33:22 LOG7[58:0]: Snagged 64 random bytes from /home/st07815/.rnd
2007.04.25 15:33:22 LOG7[58:0]: Wrote 1024 new random bytes to /home/st07815/.rnd
2007.04.25 15:33:22 LOG7[58:0]: RAND_status claims sufficient entropy for the PRNG
2007.04.25 15:33:22 LOG7[58:0]: PRNG seeded successfully
2007.04.25 15:33:22 LOG7[58:0]: Certificate: cert.pem
2007.04.25 15:33:22 LOG7[58:0]: Certificate loaded
2007.04.25 15:33:22 LOG7[58:0]: Key file: privkey.pem
2007.04.25 15:33:22 LOG7[58:0]: Private key loaded
2007.04.25 15:33:22 LOG7[58:0]: Loaded verify certificates from valid_certs
2007.04.25 15:33:22 LOG7[58:0]: Loaded valid_certs revocation lookup file
2007.04.25 15:33:22 LOG7[58:0]: SSL context initialized for service SSLTunnel
2007.04.25 15:33:22 LOG5[58:0]: stunnel 4.20 on i386-unknown-lynxos with OpenSSL 0.9.8e 23 Feb 2007
2007.04.25 15:33:22 LOG5[58:0]: Threading:FORK SSL:ENGINE Sockets:POLL,IPv4
2007.04.25 15:33:22 LOG6[58:0]: file ulimit = 64 (can be changed with 'ulimit -n')
2007.04.25 15:33:22 LOG6[58:0]: poll() used - no FD_SETSIZE limit for file descriptors
2007.04.25 15:33:22 LOG5[58:0]: 29 clients allowed
2007.04.25 15:33:22 LOG7[58:0]: FD 3 in non-blocking mode
2007.04.25 15:33:22 LOG7[58:0]: FD 4 in non-blocking mode
2007.04.25 15:33:22 LOG7[58:0]: FD 5 in non-blocking mode
2007.04.25 15:33:22 LOG7[58:0]: SO_REUSEADDR option set on accept socket
2007.04.25 15:33:22 LOG7[58:0]: SSLTunnel bound to 0.0.0.0:1235
2007.04.25 15:33:22 LOG7[58:0]: No pid file being created
(end of init, waiting for connection)
2007.04.25 15:34:17 LOG7[58:0]: SSLTunnel accepted FD=6 from 173.16.1.7:1092
2007.04.25 15:34:17 LOG7[68:0]: SSLTunnel started
2007.04.25 15:34:17 LOG7[68:0]: FD 6 in non-blocking mode
2007.04.25 15:34:17 LOG5[68:0]: SSLTunnel accepted connection from 173.16.1.7:1092
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): before/accept initialization
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 read client hello A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write server hello A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate request A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 flush data
2007.04.25 15:34:19 LOG3[68:0]: SSL_accept: Peer suddenly disconnected
2007.04.25 15:34:19 LOG5[68:0]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.04.25 15:34:19 LOG7[58:0]: Cleaning up the signal pipe
2007.04.25 15:34:19 LOG7[58:0]: Process 68 finished with code 0 (0 left)
///// end server trace
///// client trace
2007.04.25 15:33:59 LOG7[12:0]: Snagged 64 random bytes from /home/st07815/.rnd
2007.04.25 15:33:59 LOG7[12:0]: Wrote 1024 new random bytes to /home/st07815/.rnd
2007.04.25 15:33:59 LOG7[12:0]: RAND_status claims sufficient entropy for the PRNG
2007.04.25 15:33:59 LOG7[12:0]: PRNG seeded successfully
2007.04.25 15:33:59 LOG7[12:0]: Certificate: cert.pem
2007.04.25 15:33:59 LOG7[12:0]: Certificate loaded
2007.04.25 15:33:59 LOG7[12:0]: Key file: privkey.pem
2007.04.25 15:33:59 LOG7[12:0]: Private key loaded
2007.04.25 15:33:59 LOG7[12:0]: Loaded verify certificates from valid_certs
2007.04.25 15:33:59 LOG7[12:0]: Loaded valid_certs revocation lookup file
2007.04.25 15:33:59 LOG7[12:0]: SSL context initialized for service SSLTunnel
2007.04.25 15:33:59 LOG5[12:0]: stunnel 4.20 on i386-unknown-lynxos with OpenSSL 0.9.8e 23 Feb 2007
2007.04.25 15:33:59 LOG5[12:0]: Threading:FORK SSL:ENGINE Sockets:POLL,IPv4
2007.04.25 15:33:59 LOG6[12:0]: file ulimit = 64 (can be changed with 'ulimit -n')
2007.04.25 15:33:59 LOG6[12:0]: poll() used - no FD_SETSIZE limit for file descriptors
2007.04.25 15:33:59 LOG5[12:0]: 29 clients allowed
2007.04.25 15:33:59 LOG7[12:0]: FD 3 in non-blocking mode
2007.04.25 15:33:59 LOG7[12:0]: FD 4 in non-blocking mode
2007.04.25 15:33:59 LOG7[12:0]: FD 5 in non-blocking mode
2007.04.25 15:33:59 LOG7[12:0]: SO_REUSEADDR option set on accept socket
2007.04.25 15:33:59 LOG7[12:0]: SSLTunnel bound to 0.0.0.0:4234
2007.04.25 15:33:59 LOG7[12:0]: No pid file being created
(end of init, waiting for connection)
2007.04.25 15:34:27 LOG7[12:0]: SSLTunnel accepted FD=6 from 152.14.101.54:64752
2007.04.25 15:34:27 LOG7[27:0]: SSLTunnel started
2007.04.25 15:34:27 LOG7[27:0]: FD 6 in non-blocking mode
2007.04.25 15:34:27 LOG5[27:0]: SSLTunnel accepted connection from 152.14.101.54:64752
2007.04.25 15:34:27 LOG7[27:0]: FD 5 in non-blocking mode
2007.04.25 15:34:27 LOG7[27:0]: SSLTunnel connecting 173.16.1.10:1235
2007.04.25 15:34:27 LOG7[27:0]: connect_wait: waiting 10 seconds
2007.04.25 15:34:27 LOG7[27:0]: connect_wait: connected
2007.04.25 15:34:27 LOG5[27:0]: SSLTunnel connected remote server from 173.16.1.7:1092
2007.04.25 15:34:27 LOG7[27:0]: Remote FD=5 initialized
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): before/connect initialization
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 write client hello A
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 read server hello A
2007.04.25 15:34:28 LOG7[12:0]: Cleaning up the signal pipe
2007.04.25 15:34:28 LOG7[12:0]: Process 27 terminated on signal 11 (0 left)
///// end client trace
Now the strange thing is that this very same setup works on Solaris, so I have
something wrong with the port of either OpenSSL or stunnel on LynxOS.
If someone could give me a hint as to where to start poking, I'd greatly
appreciate it.
TIA,
Y.
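As an added diagnostic aid (not part of the original post), a small Python parser over stunnel 4.x debug output that groups the "SSL state" lines per forked connection child and reports the last handshake state each child reached before it crashed or saw the peer disconnect. The sample input is an excerpt of the two traces above with the wrapped log lines rejoined; the mapping from a logged state to the handshake message processed next assumes a full (non-resumed) handshake and uses OpenSSL 0.9.8 SSL_state_string_long() names.

```python
import re

# Constructed samples: excerpts of the server and client traces from the post,
# wrapped lines rejoined, trimmed to the connection children (pid 68 and pid 27).
SERVER_TRACE = """\
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 write certificate request A
2007.04.25 15:34:17 LOG7[68:0]: SSL state (accept): SSLv3 flush data
2007.04.25 15:34:19 LOG3[68:0]: SSL_accept: Peer suddenly disconnected
2007.04.25 15:34:19 LOG7[58:0]: Process 68 finished with code 0 (0 left)
"""
CLIENT_TRACE = """\
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): before/connect initialization
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 write client hello A
2007.04.25 15:34:27 LOG7[27:0]: SSL state (connect): SSLv3 read server hello A
2007.04.25 15:34:28 LOG7[12:0]: Process 27 terminated on signal 11 (0 left)
"""

LINE_RE = re.compile(r"^\S+ \S+ LOG(\d)\[(\d+):\d+\]: (.*)$")
STATE_RE = re.compile(r"SSL state \((?:accept|connect)\): (.+)$")
EXIT_RE = re.compile(r"Process (\d+) (terminated on signal \d+|finished with code \d+)")

# Message the client must parse right after the logged state (connect side only;
# both transitions are unconditional in a full handshake with a certificate-bearing cipher).
NEXT_MESSAGE = {
    "SSLv3 write client hello A": "ServerHello",
    "SSLv3 read server hello A": "Certificate",
}

def parse_trace(text):
    """Group log lines by stunnel pid: SSL states seen, LOG3-and-below errors, exit status."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        level, pid, msg = int(m.group(1)), m.group(2), m.group(3)
        rec = procs.setdefault(pid, {"states": [], "errors": [], "exit": None})
        s = STATE_RE.search(msg)
        if s:
            rec["states"].append(s.group(1))
        elif level <= 3:
            rec["errors"].append(msg)
        e = EXIT_RE.search(msg)
        if e:  # the parent logs the child's exit; attach it to the child's record
            procs.setdefault(e.group(1), {"states": [], "errors": [], "exit": None})["exit"] = e.group(2)
    return procs

def diagnose(procs):
    """{pid: (last_state, next_message, exit, errors)} for each connection child that failed."""
    out = {}
    for pid, rec in procs.items():
        crashed = rec["exit"] is not None and not rec["exit"].startswith("finished with code 0")
        if rec["states"] and (rec["errors"] or crashed):
            last = rec["states"][-1]
            out[pid] = (last, NEXT_MESSAGE.get(last, "unknown"), rec["exit"], rec["errors"])
    return out
```

Run over the traces above it places the client child's SIGSEGV directly after "SSLv3 read server hello A", i.e. while it is parsing the server's Certificate message, while the server child only ever sees the peer go away.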