Hello everyone,
My stunnel setup is working fine; I've got MySQL being hit from a couple of boxes, but my question is this... I have stunnel set up so I copy the cert created on the remote client over to the local server, so remote connections are authenticated. Now that works fine and dandy; the issue is, if I am adding a new remote client, I add the cert from the client to my certs.pem locally, but I need to restart the stunnel process before stunnel will "read in" the new cert. I know this does not sound like a big deal, but if I have 20 machines connected through stunnel to this local box and I need to restart stunnel whenever I need to add a new box or take off an old one, I don't think that's good.
I use stunnel for MySQL, so I've got these guys doing inserts, and a broken connection would really mess things up for me... I think maybe there is a flag I can set? Or maybe send the process some type of command to reload the certs?
Any help would be appreciated... all relevant info is included below.
All requested info for posts to the group is found below.
Here is my stunnel.conf
verify = 3
CAfile = /etc/stunnel/certs.pem
cert = /etc/stunnel/stunnel.pem
setuid = nobody
setgid = nobody
pid = /tmp/stunnel.pid
debug = 7
output = /var/log/stunnel.log
client = no

[mysqls]
accept = 3309
connect = 3306
Some output from the stunnel.log at high debug level
2006.11.13 23:03:10 LOG5[32244:3086689984]: stunnel 4.05 on i686-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2006.11.13 23:03:10 LOG7[32244:3086689984]: Snagged 64 random bytes from /dev/urandom
2006.11.13 23:03:10 LOG7[32244:3086689984]: RAND_status claims sufficient entropy for the PRNG
2006.11.13 23:03:10 LOG6[32244:3086689984]: PRNG seeded successfully
2006.11.13 23:03:10 LOG7[32244:3086689984]: Certificate: /etc/stunnel/stunnel.pem
2006.11.13 23:03:10 LOG7[32244:3086689984]: Key file: /etc/stunnel/stunnel.pem
2006.11.13 23:03:10 LOG7[32244:3086689984]: Loaded verify certificates from /etc/stunnel/certs.pem
2006.11.13 23:03:10 LOG5[32244:3086689984]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 4 in non-blocking mode
2006.11.13 23:03:10 LOG7[32244:3086689984]: SO_REUSEADDR option set on accept socket
2006.11.13 23:03:10 LOG7[32244:3086689984]: mysqls bound to 0.0.0.0:3309
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 5 in non-blocking mode
2006.11.13 23:03:10 LOG7[32244:3086689984]: FD 6 in non-blocking mode
2006.11.13 23:03:10 LOG7[32245:3086689984]: Created pid file /tmp/stunnel.pid

stunnel -V
2006.11.13 23:03:14 LOG3[32248:3086505664]: -V: No such file or directory (2)
Syntax: stunnel [filename] | -fd [n] | -help | -version | -sockets
    filename - use specified config file instead of /etc/stunnel/stunnel.conf
    -fd n    - read the config file from specified file descriptor
    -help    - get config file help
    -version - display version and defaults
    -sockets - display default socket options

uname -a
Linux ramison 2.6.9-42.0.3.EL #1 Fri Oct 6 05:59:54 CDT 2006 i686 i686 i386 GNU/Linux

gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.6/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.6 20060404 (Red Hat 3.4.6-3)

openssl version
OpenSSL 0.9.7a Feb 19 2003
On Mon, 13 Nov 2006, Rami Michael wrote:
[cut]
What you want is to use the CApath = directory to verify your client certificates.
Check the Global Options section of the manpage.
If you use the CApath option rather than CAfile, you can avoid this problem. The certificates in the CApath directory have to be renamed to hashcode.0 (or linked to hashcode.0). There is a comment about the need to c_rehash CApath in the configuration file, but I have not had any trouble just adding new certificates to the directory and having them recognized, for both Linux and Windows systems.
Carter
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Thanks for the help, guys... but it's still acting a little weird.
So I tried using CApath and it seems to be working... I tried to generate a new key on the remote box, restarted stunnel there, and was not able to connect.
After copying the remote cert over to the local box, doing the hash, and adding it to the CApath, stunnel then recognized the new cert without a restart of stunnel.
However, I tried removing the cert from the CApath directory on the sensor side, and it seems as though stunnel caches the cert it had read in until it's restarted. After restarting stunnel, it realizes the cert is no longer in the directory and then denies connections from the remote box. Until the restart, it allowed connecting from the remote box even though the cert file had been deleted from the CApath.
Is that normal behavior?
Also, another question... I tried commenting out the CAfile portion on my stunnel server, and then none of my remote clients could connect. It said the remote client's error was a self-signed certificate, or something like that.
The part that gets me is this...
What is the purpose of the value in the CAfile if none of the certificates generated on the remote clients use that cert authority? I don't get how having a random value in there is actually validating anything. I can stick any valid cert in there and it works for any remote client.
As always, thanks for the help.
On 11/14/06, Carter Browne cbrowne@cbcs-usa.com wrote:
[cut]
On Wednesday 15 November 2006 06:19, Rami Michael wrote:
Thanks for the help, guys... but it's still acting a little weird.
[cut]
However, I tried removing the cert from the CApath directory on the sensor side, and it seems as though stunnel caches the cert it had read in until it's restarted.
Stunnel is acting perfectly fine.
Deleting certificates is just not the correct way to revoke them.
http://stunnel.mirt.net/pipermail/stunnel-users/2004-October/000101.html
http://stunnel.mirt.net/pipermail/stunnel-users/2005-January/000290.html
Best regards, Mike
Thanks, I will look into this right away!
On 11/15/06, Michal Trojnara Michal.Trojnara@mobi-com.net wrote:
[cut]
Hello Mike,
#1. I added a CRLpath in my stunnel.conf and it was picked up on the next start of stunnel, as I can see from this log output:
2006.11.21 17:49:46 LOG7[18581:3086255808]: Certificate: /etc/stunnel/stunnel.pem
2006.11.21 17:49:46 LOG7[18581:3086255808]: Key file: /etc/stunnel/stunnel.pem
2006.11.21 17:49:46 LOG7[18581:3086255808]: Verify directory set to /etc/stunnel/certificates
2006.11.21 17:49:46 LOG7[18581:3086255808]: CRL directory set to /etc/stunnel/certificates-revoke
#2. I did not have any certs in my CApath or CRLpath.
#3. When I tried to connect from a remote machine, it was denied because it was a self-signed cert, as it should be.
#4. So then I copied the correctly named *.0 cert file to my CApath and tried connecting again from a remote box. This time it connected just fine, as it should.
#5. Then I moved the cert from the CApath to the CRLpath. When I tried to connect from the remote sensor, it was still able to connect, and remained able to connect until I restarted stunnel on the local server.
#6. After restarting stunnel on the local server I was not able to connect from the remote client, but I was given the same error as in step #3; it's not as if the cert was rejected, it just said "bad certificate, self signed cert".
On 11/15/06, Michal Trojnara Michal.Trojnara@mobi-com.net wrote:
[cut]
Rami Michael wrote:
#5. Then I moved the cert from the CApath to the CRLpath.
Your CA needs to create a CRL with the serial number of the certificate to be revoked. Then you need to put this CRL in your hashed CRLpath directory. Placing a certificate in the CRLpath is useless.
Please read: http://en.wikipedia.org/wiki/Certificate_revocation_list and then the manual for your CA on creating CRLs.
Best regards, Mike
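The script below is an added example; it is not code from this thread or from the stunnel project. It walks through both pieces of advice given above: Carter's hashed CApath layout (the hashcode.0 file names that c_rehash, or "openssl rehash" on OpenSSL 1.1 and later, produces) and Mike's CRL-based revocation with the CRL stored under its hashed name in CRLpath. It departs from the thread's setup in one respect: a CRL is signed by the issuer of the certificate it revokes, so no CRL can be produced for a self-signed per-client certificate without that client's private key. The script therefore uses a small private CA that issues the client certificates. With such a CA, stunnel's verify = 2 (verify the peer's certificate chain) is sufficient; verify = 3, as used in the thread, additionally requires each peer certificate itself to be present locally. The directory and certificate names, the CA config and the CRL lifetime are all made up, and the script assumes OpenSSL 1.1 or 3.x. One caveat for the thread's OpenSSL 0.9.7a: versions from 1.0.0 on compute the hashed file name differently (the old value is what later versions print as -subject_hash_old), so a directory populated by one cannot be reused by the other without rehashing.

```shell
#!/bin/sh
# Added example, not code from the thread or from stunnel. A throwaway private
# CA issues one client certificate; the CA certificate is installed in a CApath
# directory under its hashed name, an (empty) CRL in a CRLpath directory under
# its hashed name; then the client is revoked, the CRL republished and each
# state checked with "openssl verify". Assumes openssl(1) 1.1 or 3.x on PATH.
# The matching stunnel.conf on the MySQL side (server mode) would carry:
#   verify  = 2
#   CApath  = /etc/stunnel/certificates
#   CRLpath = /etc/stunnel/certificates-revoke
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/certificates"          # stands in for /etc/stunnel/certificates
CRLPATH="$WORK/certificates-revoke"  # stands in for /etc/stunnel/certificates-revoke
mkdir -p "$CAPATH" "$CRLPATH"

# Minimal "openssl req" / "openssl ca" configuration (made up); no system openssl.cnf needed.
touch "$WORK/index.txt"
echo 01 > "$WORK/serial"
echo 01 > "$WORK/crlnumber"
cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo
[ demo ]
database = $WORK/index.txt
serial = $WORK/serial
new_certs_dir = $WORK
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF

# Private CA, one client certificate issued by it, and one self-signed
# certificate standing in for the per-client certificates used in the thread.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -key "$WORK/ca.key" \
    -subj "/CN=Example stunnel CA" -days 365 -out "$WORK/ca.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/client01.key" 2>/dev/null
openssl req -new -config "$WORK/ca.cnf" -key "$WORK/client01.key" \
    -subj "/CN=client01" -out "$WORK/client01.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client01.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/client01.pem" 2>/dev/null
openssl req -x509 -config "$WORK/ca.cnf" -key "$WORK/client01.key" \
    -subj "/CN=selfsigned" -days 365 -out "$WORK/selfsigned.pem" 2>/dev/null

# install_cert <pem> <dir>: copy a certificate to <dir>/<subject hash>.N, the
# name OpenSSL's hashed-directory lookup (stunnel's CApath) expects; N is bumped
# when two subjects share a hash. This is what c_rehash does for a directory.
install_cert() {
    h=$(openssl x509 -noout -subject_hash -in "$1"); n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
    cp "$1" "$2/$h.$n"; echo "$2/$h.$n"
}
# publish_crl <dir>: have the CA sign a fresh CRL and store it as
# <dir>/<issuer hash>.r0 (CRLs use the "r" suffix). An existing file is
# overwritten, since the new CRL supersedes the old one.
publish_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
    h=$(openssl crl -noout -hash -in "$WORK/ca.crl")
    cp "$WORK/ca.crl" "$1/$h.r0"; echo "$1/$h.r0"
}
# revoke_cert <pem>: mark the certificate's serial number revoked in the CA
# database. Verifiers see nothing until publish_crl runs again.
revoke_cert() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$1" 2>/dev/null
}
# check_client <pem>: verify against CApath plus the published CRL, as a
# CRL-checking server would; prints OK, revoked or rejected.
check_client() {
    out=$(openssl verify -crl_check -CApath "$CAPATH" -CRLfile "$CRL" "$1" 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo OK ;;
        *)                       echo rejected ;;
    esac
}

CA_ENTRY=$(install_cert "$WORK/ca.pem" "$CAPATH")
CRL=$(publish_crl "$CRLPATH")
BEFORE=$(check_client "$WORK/client01.pem")       # OK: the CRL is still empty
SELFSIGNED=$(check_client "$WORK/selfsigned.pem")  # rejected: not issued by the CA
revoke_cert "$WORK/client01.pem"
CRL=$(publish_crl "$CRLPATH")                      # replaces <hash>.r0 with the new CRL
AFTER=$(check_client "$WORK/client01.pem")        # revoked
echo "CApath: $CA_ENTRY  CRLpath: $CRL  client01 before/after: $BEFORE/$AFTER  self-signed: $SELFSIGNED"
```

The CA certificate and the CRL it signs land under the same eight-hex-digit hash, once as hash.0 in CApath and once as hash.r0 in CRLpath, which is the layout stunnel's "Verify directory" and "CRL directory" settings in the log above read. Revoking a client is the two-step sequence in the script (record the serial with openssl ca -revoke, then regenerate and replace the CRL), not deleting the client's certificate file as tried in step #5; the self-signed certificate is rejected outright because it chains to nothing in CApath, which is the "self signed certificate" error reported in step #3.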