On a test environment, I successfully had stunnel securing MySQL traffic between 2 systems using a verify level of 3. However, with the production system and what I would call an identical setup (albeit with new certificates), I get the following errors (see logs below). The version of stunnel I'm running is 4.11. I saw the "bad rsa signature" message in the server's output, so I regenerated the private key file to be sure I'd used the right one. Everything seems to be in order, but it will not work. Any ideas?
Client:

2006.05.30 09:20:21 LOG5[21951:1]: stunnel 4.11 on i686-pc-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:20:21 LOG5[21951:1]: 499 clients allowed
2006.05.30 09:20:25 LOG5[21951:2]: stunnel_mysql connected from 127.0.0.1:32853
2006.05.30 09:20:25 LOG3[21951:2]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2006.05.30 09:20:25 LOG5[21951:2]: stack_info: size=65536, current=15296 (23%), maximum=15296 (23%)
Server:

2006.05.30 09:19:42 LOG7[19964:3086334176]: RAND_status claims sufficient entropy for the PRNG
2006.05.30 09:19:42 LOG6[19964:3086334176]: PRNG seeded successfully
2006.05.30 09:19:42 LOG7[19964:3086334176]: Certificate: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Key file: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Verify directory set to /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG5[19964:3086334176]: Peer certificate location /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG7[19964:3086334176]: SSL context initialized for service stunnel_mysqld
2006.05.30 09:19:42 LOG5[19964:3086334176]: stunnel 4.15 on i686-pc-linux-gnu with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:19:42 LOG5[19964:3086334176]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
2006.05.30 09:19:42 LOG6[19964:3086334176]: file ulimit = 1022 (can be changed with 'ulimit -n')
2006.05.30 09:19:42 LOG6[19964:3086334176]: poll() used - no FD_SETSIZE limit for file descriptors
2006.05.30 09:19:42 LOG5[19964:3086334176]: 499 clients allowed
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 4 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 5 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 6 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: SO_REUSEADDR option set on accept socket
2006.05.30 09:19:42 LOG7[19964:3086334176]: stunnel_mysqld bound to 0.0.0.0:606
2006.05.30 09:19:42 LOG7[19964:3086334176]: Created pid file /usr/local/var/stunnel/stunnel.pid
2006.05.30 09:20:40 LOG7[19964:3086334176]: stunnel_mysqld accepted FD=7 from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld started
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 7 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 8 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 9 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: Connection from xxx.xxx.xxx.xxx:32854 permitted by libwrap
2006.05.30 09:20:40 LOG5[19964:3086330800]: stunnel_mysqld connected from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086334176]: Cleaning up the signal pipe
2006.05.30 09:20:40 LOG6[19964:3086334176]: Child process 19967 finished with code 0
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=2, ... (Root CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=1, ... (CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=0, ... (client)
2006.05.30 09:20:40 LOG3[19964:3086330800]: error stack: 1408807A : error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature
2006.05.30 09:20:40 LOG3[19964:3086330800]: SSL_accept: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
2006.05.30 09:20:40 LOG5[19964:3086330800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld finished (0 left)
Thanks.
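Added example, not part of the original post. In the server log above the client's certificate chain passes all three VERIFY OK steps and the handshake then dies in SSL3_GET_CERT_VERIFY. That is the point where the server checks the CertificateVerify message, which the client signs with its private key and the server verifies with the public key from the certificate the client just sent; "bad rsa signature" there means the client's key and certificate do not belong together (or the client is presenting a different certificate than intended). The script below is the pre-flight check a practitioner would run on the stunnel client: it confirms that a PEM private key matches a PEM certificate by comparing the public keys, that the certificate chains to a CA bundle, and, for stunnel's verify = 3 (which requires the peer's own certificate to be installed locally), that a copy of the peer certificate exists in a CApath-style directory. The file names, the CA bundle argument and the fingerprint-based directory scan are this example's own choices, not anything the post specifies; the openssl subcommands used (x509, pkey, verify, req) are standard OpenSSL CLI.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for an
# stunnel peer configured with verify = 3. Requires the openssl CLI.

# cert_key_match CERT.pem KEY.pem
# Returns 0 if the private key belongs to the certificate, 1 if it does not,
# 2 if either file cannot be parsed. Comparing the SubjectPublicKeyInfo PEM
# output works for RSA and EC keys alike (the classic RSA-only variant is
# comparing "openssl x509 -modulus" against "openssl rsa -modulus").
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# peer_cert_installed PEER.pem CERTDIR
# stunnel verify = 3 additionally requires the peer's certificate itself to be
# present in the local CApath/CAfile. This scans a directory and compares
# SHA-1 fingerprints, so file naming (hash.0 symlinks etc.) does not matter.
# Returns 0 if found, 1 if not, 2 if PEER.pem cannot be parsed.
peer_cert_installed() {
    peer="$1"; dir="$2"
    want=$(openssl x509 -noout -fingerprint -sha1 -in "$peer" 2>/dev/null) || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        have=$(openssl x509 -noout -fingerprint -sha1 -in "$f" 2>/dev/null) || continue
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# stunnel_peer_check CERT.pem KEY.pem CABUNDLE.pem
# Runs the two checks that must pass before the handshake can succeed:
# the key must match the cert, and the cert must chain to the trusted CAs.
# (openssl verify -CApath needs c_rehash-style symlinks, so a bundle file is
# taken here instead.) Returns 0 on success, 1 on the first failure.
stunnel_peer_check() {
    cert="$1"; key="$2"; ca_bundle="$3"
    if ! cert_key_match "$cert" "$key"; then
        echo "FAIL: private key $key does not belong to certificate $cert" >&2
        return 1
    fi
    if ! openssl verify -CAfile "$ca_bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca_bundle" >&2
        return 1
    fi
    echo "OK: $key matches $cert and the certificate verifies against $ca_bundle"
}

# Usage (paths are hypothetical):
#   stunnel_peer_check client.crt client.key ca-chain.pem
#   peer_cert_installed client.crt /usr/KRB5/openssl/ssl/certs   # on the server side
```

Run cert_key_match on the client's cert/key pair first: a mismatch there reproduces exactly the server-side symptom in the log (chain verifies, CertificateVerify signature fails), and no amount of regenerating the server key will fix it.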