On Tuesday 30 December 2008, you wrote:
Hello,
Happy new year!
- are the permissions correct on your files :
- key must belong to the user and have 0600 status (read only by the user)
- cert must belong to the user.
I think the permissions are OK. The file is owned by root and loaded at the start:
Wrote 1024 new random bytes to /root/.rnd
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /etc/stunnel/stunnelclient.pem
Certificate loaded
Key file: /etc/stunnel/stunnelclient.pem
Private key loaded
SSL context initialized for service BreakOut
- Is the content of the cert file of this form
-----BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE-----
? and the content of the key file this form
-----BEGIN RSA PRIVATE KEY-----
key data here
-----END RSA PRIVATE KEY-----
I made several files. According to http://www.stunnel.org/faq/certs.html#ToC5 I got a file with a certificate, an RSA key and a DH section (I removed the password for the certificate).
According to http://www.stunnel.org/examples/client_cert.html I got a different file: it has a certificate and an RSA section and between them another section:
rcnyy/AbS1YPkdggJSnw+fqzg/L/QvQB6GTT5KWJzd0=
-----END RSA PRIVATE KEY-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Germany, L=Munich, O=vbox4php, OU=Rektorat, CN=DE/emailAddress=michael.renner@gmx.de
        Validity
            Not Before: Dec 28 20:37:19 2008 GMT
            Not After : Dec 28 20:37:19 2009 GMT
        Subject: C=DE, ST=Germany, O=vbox4php, OU=stunnel, CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b1:05:47:7a:27:4f:19:2b:18:72:e3:3c:f6:a6:
                    .
                    .
                    2b:55:2d:c9:dc:96:55:14:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                86:F6:1F:71:29:AA:A5:61:DF:B2:81:F2:34:3A:A6:9E:58:C8:6A:5E
            X509v3 Authority Key Identifier:
                keyid:72:68:1A:0C:9D:E9:93:81:07:E9:36:71:75:33:05:C6:70:35:01:BF
                DirName:/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=Rektorat/CN=DE/emailAddress=michael.renner@gmx.de
                serial:BC:97:82:4E:E3:9F:FE:5A
            X509v3 Issuer Alternative Name:
                email:michael.renner@gmx.de
            X509v3 Subject Alternative Name:
                email:michael.renner@gmx.de
    Signature Algorithm: sha1WithRSAEncryption
        49:ef:06:aa:e5:71:b1:6e:23:87:02:9d:ce:56:e1:3b:77:5a:
        .
        .
        41:93:92:ee:57:23:95:f3:99:62:27:6a:a4:b7:85:b4:92:86:
        22:50:79:a0
-----BEGIN CERTIFICATE-----
Anyhow: it fails:
2008.12.31 17:51:07 LOG4[13056:1073809760]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=DE/ST=Germany/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
2008.12.31 17:51:07 LOG3[13056:1073809760]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
With strace I can see that the key and the cert are OK on the client side: (I assume that it is only read once):
[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] read(4, "VQQDEwJERTEkMCIGCSqGSIb3\nDQEJARY"..., 4096) = 1425
[pid 11829] read(4, "", 4096) = 0
[pid 11829] close(4) = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31 17:52:56 LOG7[11829:140253752059616]: Certificate loaded
) = 68
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 902008.12.31 17:52:56 LOG7[11829:140253752059616]: Key file: /etc/stunnel/stunnelserver.pem
) = 90
[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] close(4) = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31 17:52:56 LOG7[11829:140253752059616]: Private key loaded
While I see in the client's logfile:
SSL state (connect): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
Strange!
One more hint?
On Wednesday 31 December 2008, Michael Renner wrote:
On Tuesday 30 December 2008, you wrote:
Hello,
Happy new year!
OK, one more experiment:
I installed libssl-dev on my Debian box. There are 2 interesting files:
/usr/share/doc/libssl-dev/demos/sign/cert.pem
/usr/share/doc/libssl-dev/demos/sign/key.pem
I 'cat' them together and used this file as the server and the key file: same result!
SSL alert (read): fatal: bad certificate
SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Why?
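The two checks asked about in the thread (file permissions and the BEGIN/END form of a combined key-plus-certificate file) can be scripted. This is an added example, not part of the original messages or of stunnel; the function names are hypothetical and the sample bundle is constructed with placeholder base64 rather than real key material.

```python
import os
import re
import stat
import tempfile

# One PEM block; the END label must repeat the BEGIN label exactly.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def inspect_pem_bundle(path):
    """Report permissions, ownership and PEM structure of a combined file."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    labels, extra, pos = [], [], 0
    for m in PEM_BLOCK.finditer(text):
        gap = text[pos:m.start()].strip()
        if gap:
            extra.append(gap.splitlines()[0])  # first line of stray text
        labels.append(m.group(1))
        pos = m.end()
    tail = text[pos:].strip()
    if tail:
        extra.append(tail.splitlines()[0])
    return {
        "mode": oct(mode),
        "mode_ok": (mode & 0o077) == 0,  # no group/other access, e.g. 0600
        "owned_by_current_user": st.st_uid == os.geteuid(),
        "labels": labels,
        "has_key": any(l.endswith("PRIVATE KEY") for l in labels),
        "has_cert": "CERTIFICATE" in labels,
        "text_between_blocks": extra,
    }

def make_sample(mode=0o600):
    """Write a constructed bundle: key, a text dump, then the certificate."""
    body = ("-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n"
            "-----END RSA PRIVATE KEY-----\n"
            "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
            "-----BEGIN CERTIFICATE-----\nRUZHSA==\n"
            "-----END CERTIFICATE-----\n")
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = make_sample()
    print(inspect_pem_bundle(sample))
    os.remove(sample)
```

OpenSSL's PEM reader skips text outside the BEGIN/END markers, so a human-readable dump reported under `text_between_blocks` is informational rather than an error.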