Don,
Are you sure your cert bundle has certificates for all certificate authorities in the chain (root and intermediate)?
-----Original Message-----
From: don-stunnel-zyx@isis.cs3-inc.com (Don Cohen)
Sender: stunnel-users-bounces@stunnel.org
Date: Fri, 4 Mar 2011 00:58:12
To: stunnel-users@stunnel.org
Subject: [stunnel-users] error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
stuff in [brackets] is replaced to protect the innocent
stunnel.conf:
================
debug=5
output=/root/stunnel.log
cert=/etc/pki/tls/certs/[certfile]
CAfile=/etc/pki/tls/certs/[bundle].crt
key=/etc/pki/tls/private/[private-key].key

[debug]
accept=801
client=yes
connect=[...].com:443
================

I then connect to localhost:801 and stunnel.log contains:
================
2011.02.28 19:18:45 LOG5[20520:3086252944]: debug connected from 127.0.0.1:38472
2011.02.28 19:18:46 LOG3[20520:3086252944]: SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2011.02.28 19:18:46 LOG5[20520:3086252944]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
================

I don't see anything wrong with the cert or private key - the following demo shows that at least openssl is happy with them:
================
echo "hello there" | openssl rsautl -certin -inkey /etc/pki/tls/certs/[certfile] -encrypt | openssl rsautl -inkey /etc/pki/tls/private/[private-key].key -decrypt
hello there
================

I've captured the packets sent between stunnel and the server and wireshark shows (at ssl level):
  client  SSLv3  Client Hello
  server  SSLv3  Server Hello, Certificate, Certificate Request, Server Hello Done
  client  SSLv3  Certificate, Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message
  server  SSLv3  Alert (Level: Fatal, Description: Bad Certificate)
followed by TCP resets
So the server is complaining about my certificate. This is certainly not what I would have guessed the message in the log meant. It looks like an error from stunnel. So is it an error from stunnel or is it stunnel reporting a complaint from the server? And if the latter, what exactly did the server send? The entire message starting with error? or starting with 14094412? or what?
Could this mean that the server doesn't understand the certificate (cause it's a 2K certificate instead of 1K?) or could it mean that the server doesn't like it for some other reason?

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
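As an added illustration (not code from the thread or from the stunnel project), here is how the packed code 14094412 that stunnel logged breaks down into OpenSSL's library, function and reason fields. It assumes the OpenSSL 1.0-era ERR_PACK layout (lib<<24 | func<<12 | reason) and the SSL library's convention that reasons of 1000 or more record an alert received from the peer, which is what makes reason 1042 the server's own fatal bad_certificate (42) alert rather than a local stunnel error:

```python
"""Decode the packed OpenSSL error code that stunnel writes to its log.

Added example; assumes the classic OpenSSL 1.0.x packing
ERR_PACK(lib, func, reason) = lib<<24 | func<<12 | reason and the SSL
library's SSL_AD_REASON_OFFSET = 1000 rule for peer-sent alerts.
"""
import re

SSL_AD_REASON_OFFSET = 1000   # reason >= 1000 means "alert <reason-1000> received from peer"
ERR_LIB_SSL = 20              # 0x14, the SSL library in OpenSSL's error table

# TLS alert descriptions from RFC 5246 section 7.2 (the certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    49: "access_denied",
}


def unpack_openssl_error(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def peer_alert(code):
    """Return (alert_number, name) when the code records an alert sent by the peer, else None."""
    lib, _func, reason = unpack_openssl_error(code)
    if lib != ERR_LIB_SSL or reason < SSL_AD_REASON_OFFSET:
        return None
    alert = reason - SSL_AD_REASON_OFFSET
    return alert, TLS_ALERTS.get(alert, "unknown_alert_%d" % alert)


LOG_RE = re.compile(r"SSL_connect: ([0-9A-Fa-f]{8}): error:")


def alerts_from_stunnel_log(text):
    """Scan stunnel log text for SSL_connect failures and decode each code."""
    return [peer_alert(int(m.group(1), 16)) for m in LOG_RE.finditer(text)]


# Constructed sample line, shaped like the LOG3 line quoted in the thread.
SAMPLE_LOG = (
    "2011.02.28 19:18:46 LOG3[20520:3086252944]: SSL_connect: 14094412: "
    "error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate\n"
)

if __name__ == "__main__":
    for alert in alerts_from_stunnel_log(SAMPLE_LOG):
        print(alert)   # (42, 'bad_certificate'): the server's fatal alert, relayed by OpenSSL
```

A decoded peer alert points at the server's verification of the client certificate, so the next check is on the client side's chain (for instance `openssl verify -CAfile` with the same bundle) rather than on stunnel itself.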