Hi:
I decided to spend the money and get a commercial certificate from Thawte. It was not a bad price. I have installed it on the Sun host, and while it works perfectly for Apache, I cannot get the file to work for stunnel. The idea is to allow mobile users to access their mail without annoying certificate warnings.
This is what happens:
# /usr/local/bin/stunnel &
[1] 13704
# Enter PEM pass phrase:
2010.02.14 05:32:46 LOG7[13704:1]: Snagged 64 random bytes from /export/home/kgreene/.rnd
2010.02.14 05:32:46 LOG7[13704:1]: Wrote 1024 new random bytes to /export/home/kgreene/.rnd
2010.02.14 05:32:46 LOG7[13704:1]: RAND_status claims sufficient entropy for the PRNG
2010.02.14 05:32:46 LOG7[13704:1]: PRNG seeded successfully
2010.02.14 05:32:46 LOG7[13704:1]: Certificate: /usr/local/etc/stunnel/stunnel.pem
2010.02.14 05:32:46 LOG7[13704:1]: Certificate loaded
2010.02.14 05:32:46 LOG7[13704:1]: Key file: /usr/local/etc/stunnel/stunnel.pem
2010.02.14 05:32:46 LOG3[13704:1]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2010.02.14 05:32:46 LOG3[13704:1]: error stack: 906A068 : error:0906A068:PEM routines:PEM_do_header:bad password read
2010.02.14 05:32:46 LOG3[13704:1]: SSL_CTX_use_RSAPrivateKey_file: 906406D: error:0906406D:PEM routines:PEM_def_callback:problems getting password
[1]+ Exit 1 /usr/local/bin/stunnel
#
It never pauses to let me enter the PEM pass phrase. As instructed in the man pages, I created the PEM file by merging the private key and the certificate from Thawte.
This is the version statement:
# /usr/local/bin/stunnel -version
stunnel 4.26 on sparc-sun-solaris2.9 with OpenSSL 0.9.8l 5 Nov 2009
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP

Global options
debug = 5
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key = /usr/local/etc/stunnel/stunnel.pem
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
-------------------------------
Any ideas would be great. Thanks.
Kevin
Hi Kevin,
I think there is ambiguous information about this. The man page states that the private key should be unencrypted. However, the changelog states that support for pass phrases was fixed in v4.20.
I'll do some testing and see what I can find. Or maybe someone can shed some light on the issue.
Best regards
----------------- Leandro Avila
----- Original Message ----
From: editor editor@cellmail.com
To: stunnel-users@mirt.net
Sent: Sat, February 13, 2010 11:44:48 PM
Subject: [stunnel-users] Small challenge with version 4.26 and a commercial certificate
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Leandro Avila wrote:
I think there is ambiguous information about this. The man page states that the private key should be unencrypted. However, the changelog states that support for pass phrases was fixed in v4.20.
Good point. This is true for most configurations (not for the Windows service). I'll update the manual.
editor wrote:
# /usr/local/bin/stunnel & [1] 13704 # Enter PEM pass phrase:
It does not sound like a good idea to run an interactive process (a passphrase is needed to decrypt your encrypted private key!) in the background (with an ampersand)...
Mike
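Mike's diagnosis (an encrypted key makes stunnel prompt for a passphrase, which cannot succeed once the process has been backgrounded with `&`) and Leandro's note that the man page expects an unencrypted key both point at the same pre-flight check: look at the PEM bundle before starting the daemon. The script below is an added example, not code from this thread or from the stunnel project. The file names, the throwaway passphrase `demo-only` and the PEM bodies are constructed; the only real commands it relies on are `grep`, `mktemp` and, where installed, `openssl genrsa` / `openssl rsa`. It reads a bundle the way Kevin's configuration uses it (`cert =` and `key =` pointing at the same file), reports whether the key is passphrase-protected, and shows decrypting the key into a separate file created with restrictive permissions, which is the trade-off the man page's "unencrypted" advice implies.

```shell
#!/bin/sh
# Added example, not code from the thread or the stunnel project.
# Pre-flight check of a stunnel PEM bundle (certificate and key in one file):
# an encrypted key is what makes stunnel print "Enter PEM pass phrase:" and
# fail when started with '&' and no terminal to read the passphrase from.

# Exit 0 if FILE holds a passphrase-protected private key, 1 otherwise.
# Traditional PEM keys carry "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers;
# PKCS#8 keys use the "ENCRYPTED PRIVATE KEY" block type instead.
pem_key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Print the number of PEM blocks of type TYPE (e.g. CERTIFICATE) in FILE.
pem_count_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Print the number of private-key blocks of any common PEM type in FILE.
pem_count_keys() {
    grep -c -e '^-----BEGIN RSA PRIVATE KEY-----' \
            -e '^-----BEGIN PRIVATE KEY-----' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" || true
}

# One-line summary of a bundle. Exit 0 if stunnel can load it unattended,
# 2 if it will stop to ask for a passphrase.
pem_bundle_check() {
    file=$1
    certs=$(pem_count_blocks "$file" CERTIFICATE)
    keys=$(pem_count_keys "$file")
    if pem_key_is_encrypted "$file"; then
        echo "$file: $certs cert(s), $keys key(s), key ENCRYPTED: stunnel will prompt for a passphrase"
        return 2
    fi
    echo "$file: $certs cert(s), $keys key(s), key unencrypted: usable unattended"
    return 0
}

# --- constructed demo bundle (the bodies are placeholders, not key material) ---
demo=$(mktemp -d)
cat > "$demo/stunnel.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDER-ENCRYPTED-KEY-BODY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERTIFICATE-BODY
-----END CERTIFICATE-----
EOF
pem_bundle_check "$demo/stunnel.pem" || echo "exit status $?"

# --- remediation, run only where openssl is installed ---
# Decrypt the key into a separate file that only the stunnel user can read
# (umask 077 makes it mode 0600 on creation), then point 'key =' at that file
# while 'cert =' keeps pointing at the certificate. Demonstrated on a freshly
# generated throwaway key so the demo never touches a real one.
if command -v openssl >/dev/null 2>&1 &&
   ( umask 077
     openssl genrsa -aes256 -passout pass:demo-only -out "$demo/enc.key" 2048 2>/dev/null &&
     openssl rsa -in "$demo/enc.key" -passin pass:demo-only -out "$demo/plain.key" 2>/dev/null ); then
    pem_bundle_check "$demo/enc.key" || echo "exit status $?"
    pem_bundle_check "$demo/plain.key"
    ls -l "$demo/plain.key"    # expect -rw------- (0600)
fi
rm -rf "$demo"
```

Run against Kevin's /usr/local/etc/stunnel/stunnel.pem, `pem_bundle_check` would report the key as encrypted and exit 2, which is exactly the state in which stunnel stops at "Enter PEM pass phrase:". The two ways out are the ones the thread names: start stunnel in the foreground so the prompt can be answered, or store the key unencrypted, in which case file ownership and mode are the only protection left for it, so the decrypted key belongs in its own 0600 file owned by the account stunnel runs as.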