[stunnel-users] Problem with verify = 3

Koenraad Lelong stunnel at ace-electronics.be
Tue Jun 5 13:48:54 CEST 2007 

Hi,
I would like to have a secure access to a Firebird database server. When 
I configure verify = 2 on the server I can connect, but I would like to 
have verify = 3 and this does not work.
This is my stunnel.conf :

client = no
foreground = yes
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel.pid
debug = 7
output = /var/log/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CApath = /etc/stunnel/certs/
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/server.pem
[firebird]
accept = 3052
connect = localhost:gds_db

output of stunnel -version :

stunnel 4.14 on i686-suse-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with 
OpenSSL 0.9.8a 11 Oct 2005

Global options
cert            = /etc/stunnel/stunnel.pem
ciphers         = ALL:!ADH:+RC4:@STRENGTH
debug           = 5
key             = /etc/stunnel/stunnel.pem
pid             = /var/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
session         = 300 seconds
verify          = none

Service-level options
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds

I'm running OpenSuse 10.1 on the server.
This is the log when I can't connect (verify = 3) :

2007.06.05 13:18:55 LOG5[15150:3083052720]: stunnel 4.14 on 
i686-suse-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 
2005
2007.06.05 13:18:55 LOG7[15150:3083052720]: Snagged 64 random bytes from 
/root/.rnd
2007.06.05 13:18:55 LOG7[15150:3083052720]: Wrote 1024 new random bytes 
to /root/.rnd
2007.06.05 13:18:55 LOG7[15150:3083052720]: RAND_status claims 
sufficient entropy for the PRNG
2007.06.05 13:18:55 LOG6[15150:3083052720]: PRNG seeded successfully
2007.06.05 13:18:55 LOG7[15150:3083052720]: Certificate: 
/etc/stunnel/server.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Key file: 
/etc/stunnel/server.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Loaded verify certificates 
from /etc/stunnel/cacert.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Verify directory set to 
/etc/stunnel/certs/
2007.06.05 13:18:55 LOG5[15150:3083052720]: Peer certificate location 
/etc/stunnel/certs/
2007.06.05 13:18:55 LOG6[15150:3083052720]: file ulimit = 1024 (can be 
changed with 'ulimit -n')
2007.06.05 13:18:55 LOG6[15150:3083052720]: poll() used - no FD_SETSIZE 
limit for file descriptors
2007.06.05 13:18:55 LOG5[15150:3083052720]: 500 clients allowed
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 5 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 6 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 7 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: SO_REUSEADDR option set on 
accept socket
2007.06.05 13:18:55 LOG7[15150:3083052720]: firebird bound to 0.0.0.0:3052
2007.06.05 13:18:55 LOG7[15150:3083052720]: Created pid file 
/var/run/stunnel.pid
2007.06.05 13:19:02 LOG7[15150:3083052720]: firebird accepted FD=8 from 
192.168.0.13:25651
2007.06.05 13:19:02 LOG7[15150:3083049888]: firebird started
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 8 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083049888]: TCP_NODELAY option set on 
local socket
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 9 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 11 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083052720]: Cleaning up the signal pipe
2007.06.05 13:19:02 LOG6[15150:3083052720]: Child process 15152 finished 
with code 0
2007.06.05 13:19:02 LOG7[15150:3083049888]: Connection from 
192.168.0.13:25651 permitted by libwrap
2007.06.05 13:19:02 LOG5[15150:3083049888]: firebird connected from 
192.168.0.13:25651
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): 
before/accept initialization
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
read client hello A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
write server hello A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
write certificate A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
write certificate request A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
flush data
2007.06.05 13:19:02 LOG5[15150:3083049888]: VERIFY OK: depth=1, 
/C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics 
n.v./OU=IT/CN=Certificate 
Authority/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:02 LOG4[15150:3083049888]: VERIFY ERROR ONLY MY: no 
cert for /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics 
n.v./OU=IT/CN=client/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL alert (write): fatal: 
certificate unknown
2007.06.05 13:19:02 LOG3[15150:3083049888]: SSL_accept: 140890B2: 
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate 
returned
2007.06.05 13:19:02 LOG7[15150:3083049888]: firebird finished (0 left)
2007.06.05 13:19:04 LOG7[15150:3083052720]: firebird accepted FD=8 from 
192.168.0.13:25653
2007.06.05 13:19:04 LOG7[15150:3083049888]: firebird started
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 8 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083049888]: TCP_NODELAY option set on 
local socket
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 9 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 11 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083052720]: Cleaning up the signal pipe
2007.06.05 13:19:04 LOG6[15150:3083052720]: Child process 15154 finished 
with code 0
2007.06.05 13:19:04 LOG7[15150:3083049888]: Connection from 
192.168.0.13:25653 permitted by libwrap
2007.06.05 13:19:04 LOG5[15150:3083049888]: firebird connected from 
192.168.0.13:25653
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): 
before/accept initialization
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
read client hello A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
write server hello A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
write certificate A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
write certificate request A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 
flush data
2007.06.05 13:19:04 LOG5[15150:3083049888]: VERIFY OK: depth=1, 
/C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics 
n.v./OU=IT/CN=Certificate 
Authority/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:04 LOG4[15150:3083049888]: VERIFY ERROR ONLY MY: no 
cert for /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics 
n.v./OU=IT/CN=client/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL alert (write): fatal: 
certificate unknown
2007.06.05 13:19:04 LOG3[15150:3083049888]: SSL_accept: 140890B2: 
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate 
returned
2007.06.05 13:19:04 LOG7[15150:3083049888]: firebird finished (0 left)
2007.06.05 13:19:09 LOG3[15150:3083052720]: Received signal 2; terminating
2007.06.05 13:19:09 LOG7[15150:3083052720]: removing pid file 
/var/run/stunnel.pid

I put the client cert in /etc/stunnel/certs and I ran 'c_rehash 
/etc/stunnel/certs'.
What am I missing ? Thanks for any input.
Regards,
Koenraad Lelong.

More information about the stunnel-users mailing list