Mike,
I've created a self-signed certificate on my Windows test box using OpenSSL 0.9.7j (the version from Shining Light). I created the key file with the following command:
"openssl genrsa 1024 > \host.key"
Here is the command I used to create the self-signed cert:
"openssl req -new -x509 -nodes -sha1 -days 9999 -key \host.key > \host.cert"
I then copied the key/cert to the appropriate file in the stunnel directory.
I then copied the cert to the Solaris server and included it with all other client certs.
Here is the Windows configuration file:
;
;CLIENT-ONLY stunnel configuration file
;
client = yes
cert = C:\Program Files\stunnel\stunnel.pem-client-certificate
CAfile = C:\Program Files\stunnel\stunnel.pem-server-certificate
;chroot = /var/run/stunnel
;pid = /usr/local/var/run/stunnel/stunnel.pid
;setuid = stunnel
;setgid = stunnel
verify = 3
;foreground = yes
debug = 7
output = C:\Program Files\stunnel\stunnel.log

[5140]
accept = 127.0.0.1:514
connect = 172.17.99.143:5140
Here is the Solaris configuration file:
;
;SERVER-ONLY stunnel configuration file
;
cert = /usr/local/etc/stunnel/stunnel.pem-server-certificate
CAfile = /usr/local/etc/stunnel/stunnel.pem-all-client-certificates
;chroot = /var/run/stunnel
;pid = /var/run/stunnel/run/stunnel.pid
;setuid = stunnel
;setgid = stunnel
verify = 3
;foreground = yes
debug = 7
output=/stunnel.log

[5140]
accept = 172.17.99.143:5140
connect = 127.0.0.1:514
The following happens on the Windows box when I first launch stunnel:
2006.06.30 09:51:31 LOG5[516:360]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005
2006.06.30 09:51:31 LOG5[516:360]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.06.30 09:51:31 LOG5[516:392]: No limit detected for the number of clients
2006.06.30 09:51:31 LOG7[516:392]: FD 1904 in non-blocking mode
2006.06.30 09:51:31 LOG7[516:392]: SO_REUSEADDR option set on accept socket
2006.06.30 09:51:31 LOG7[516:392]: 5140 bound to 127.0.0.1:514
Nothing happens on the Solaris box.
When I start EventReporter, the following happens, in a continuous loop (until I stop EventReporter):
2006.06.30 10:16:26 LOG7[296:700]: 5140 accepted FD=156 from 127.0.0.1:1154
2006.06.30 10:16:26 LOG7[296:700]: Creating a new thread
2006.06.30 10:16:26 LOG7[296:700]: New thread created
2006.06.30 10:16:27 LOG7[296:1204]: 5140 started
2006.06.30 10:16:27 LOG7[296:1204]: FD 156 in non-blocking mode
2006.06.30 10:16:27 LOG5[296:1204]: 5140 connected from 127.0.0.1:1154
2006.06.30 10:16:27 LOG7[296:1204]: FD 188 in non-blocking mode
2006.06.30 10:16:27 LOG7[296:1204]: 5140 connecting 172.17.99.143:5140
2006.06.30 10:16:27 LOG7[296:1204]: connect_wait: waiting 10 seconds
2006.06.30 10:16:27 LOG7[296:1204]: connect_wait: connected
2006.06.30 10:16:27 LOG7[296:1204]: Remote FD=188 initialized
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): before/connect initialization
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client hello A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server hello A
2006.06.30 10:16:27 LOG5[296:1204]: VERIFY OK: depth=0, /C=CA/ST=ONTARIO/L=TORONTO/O=BANK OF MONTREAL/OU=LMG-DTS/CN=jdb2u10
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server certificate A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server certificate request A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server done A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client certificate A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client key exchange A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write certificate verify A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write change cipher spec A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write finished A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 flush data
2006.06.30 10:16:27 LOG3[296:1204]: SSL_connect: Peer suddenly disconnected
2006.06.30 10:16:27 LOG5[296:1204]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.30 10:16:27 LOG7[296:1204]: 5140 finished (0 left)
On the Solaris box, here is the matching entry, also in a continuous loop:
2006.06.30 10:16:47 LOG7[1214:1]: 5140 accepted FD=2 from 172.17.99.150:1155
2006.06.30 10:16:47 LOG7[1214:800]: 5140 started
2006.06.30 10:16:47 LOG7[1214:800]: FD 2 in non-blocking mode
2006.06.30 10:16:47 LOG5[1214:800]: 5140 connected from 172.17.99.150:1155
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): before/accept initialization
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 read client hello A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write server hello A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write certificate A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write certificate request A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 flush data
2006.06.30 10:16:48 LOG4[1214:800]: VERIFY ERROR: depth=0, error=self signed certificate: /C=CA/ST=ONTARIO/L=TORONTO/O=BMO/OU=LMG-DTS/CN=jdb1winxp
2006.06.30 10:16:48 LOG7[1214:800]: SSL alert (write): fatal: bad certificate
2006.06.30 10:16:48 LOG3[1214:800]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.30 10:16:48 LOG5[1214:800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.30 10:16:48 LOG7[1214:800]: 5140 finished (1 left)
It appears the server cert is ok, but "something" is wrong with the client (Windows box) cert.
Any chance you could post the command used in the "make install" to kick off the creation of the self-signed cert on Unix? I grepped for it, but couldn't find it.
Regards,
John Boxall
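The server-side line "VERIFY ERROR: depth=0, error=self signed certificate" is OpenSSL's verify error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT): the peer presented a self-signed certificate that is not itself present in the trust file named by CAfile. With stunnel's `verify = 3` that is exactly the check the server applies to each client certificate, so the same outcome can be reproduced offline with `openssl verify -CAfile` against the bundle, before touching a live stunnel. The script below is an added example, not part of John's post or of the stunnel project; it assumes an `openssl` 1.1 or newer binary on PATH, and every name, subject and file path in it is constructed for the demonstration (it also uses RSA 2048 / SHA-256 rather than the 1024-bit / SHA-1 settings in the post).

```shell
#!/bin/sh
# Added example: reproduce, with plain OpenSSL, the check stunnel performs on
# a self-signed peer certificate under "verify = 3", and show what
# "error 18 at 0 depth lookup: self signed certificate" means.
# Assumes openssl 1.1+ on PATH. All names below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME CN
# Writes $WORK/NAME.key and $WORK/NAME.crt (constructed subject, CN as given).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=CA/O=Example/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_against CERT CAFILE
# Prints "OK" when CERT is trusted via CAFILE (what stunnel logs as
# "VERIFY OK: depth=0"), otherwise the first "error N at D depth" OpenSSL
# reports (stunnel logs the same condition as "VERIFY ERROR: depth=D").
# Exit status is 0 only for OK.
verify_against() {
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  case "$out" in
    *": OK"*)
      echo OK
      return 0 ;;
  esac
  reason=$(printf '%s\n' "$out" \
    | sed -n 's/^\(error [0-9]* at [0-9]* depth\).*/\1/p' | head -n 1)
  echo "${reason:-FAILED}"
  return 1
}

# Demo: one server cert, two client certs; only client1 goes into the
# "all client certificates" bundle, the way the post's CAfile is built.
demo() {
  make_self_signed server  server-example
  make_self_signed client1 listed-client-example
  make_self_signed client2 unlisted-client-example
  cat "$WORK/server.crt" "$WORK/client1.crt" > "$WORK/all-client-certificates.pem"

  # Listed client: OK. Unlisted self-signed client: error 18 at depth 0,
  # the same condition the Solaris log shows for the Windows client cert.
  echo "client1 vs bundle: $(verify_against "$WORK/client1.crt" "$WORK/all-client-certificates.pem")"
  echo "client2 vs bundle: $(verify_against "$WORK/client2.crt" "$WORK/all-client-certificates.pem")"
}
demo
```

The practical check this gives a practitioner is cheap: run `verify_against` with the exact client certificate file the client side loads and the exact CAfile the server side loads. If the result is "error 18 at 0 depth", the certificate in hand is not byte-for-byte the one in the bundle (a regenerated key pair, a stale copy, or a bundle in which that PEM block was not concatenated cleanly), regardless of whether the subject names match.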