[stunnel-users] Problem with verify = 3
Koenraad Lelong
stunnel at ace-electronics.be
Tue Jun 5 13:48:54 CEST 2007
Hi,
I would like to have a secure access to a Firebird database server. When
I configure verify = 2 on the server I can connect, but I would like to
have verify = 3 and this does not work.
This is my stunnel.conf:
client = no
foreground = yes
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel.pid
debug = 7
output = /var/log/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CApath = /etc/stunnel/certs/
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/server.pem
[firebird]
accept = 3052
connect = localhost:gds_db
Output of stunnel -version:
stunnel 4.14 on i686-suse-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with
OpenSSL 0.9.8a 11 Oct 2005
Global options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /etc/stunnel/stunnel.pem
pid = /var/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
session = 300 seconds
verify = none
Service-level options
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
I'm running OpenSuse 10.1 on the server.
This is the log when I can't connect (verify = 3):
2007.06.05 13:18:55 LOG5[15150:3083052720]: stunnel 4.14 on
i686-suse-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct
2005
2007.06.05 13:18:55 LOG7[15150:3083052720]: Snagged 64 random bytes from
/root/.rnd
2007.06.05 13:18:55 LOG7[15150:3083052720]: Wrote 1024 new random bytes
to /root/.rnd
2007.06.05 13:18:55 LOG7[15150:3083052720]: RAND_status claims
sufficient entropy for the PRNG
2007.06.05 13:18:55 LOG6[15150:3083052720]: PRNG seeded successfully
2007.06.05 13:18:55 LOG7[15150:3083052720]: Certificate:
/etc/stunnel/server.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Key file:
/etc/stunnel/server.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Loaded verify certificates
from /etc/stunnel/cacert.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Verify directory set to
/etc/stunnel/certs/
2007.06.05 13:18:55 LOG5[15150:3083052720]: Peer certificate location
/etc/stunnel/certs/
2007.06.05 13:18:55 LOG6[15150:3083052720]: file ulimit = 1024 (can be
changed with 'ulimit -n')
2007.06.05 13:18:55 LOG6[15150:3083052720]: poll() used - no FD_SETSIZE
limit for file descriptors
2007.06.05 13:18:55 LOG5[15150:3083052720]: 500 clients allowed
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 5 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 6 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 7 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: SO_REUSEADDR option set on
accept socket
2007.06.05 13:18:55 LOG7[15150:3083052720]: firebird bound to 0.0.0.0:3052
2007.06.05 13:18:55 LOG7[15150:3083052720]: Created pid file
/var/run/stunnel.pid
2007.06.05 13:19:02 LOG7[15150:3083052720]: firebird accepted FD=8 from
192.168.0.13:25651
2007.06.05 13:19:02 LOG7[15150:3083049888]: firebird started
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 8 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083049888]: TCP_NODELAY option set on
local socket
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 9 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 11 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083052720]: Cleaning up the signal pipe
2007.06.05 13:19:02 LOG6[15150:3083052720]: Child process 15152 finished
with code 0
2007.06.05 13:19:02 LOG7[15150:3083049888]: Connection from
192.168.0.13:25651 permitted by libwrap
2007.06.05 13:19:02 LOG5[15150:3083049888]: firebird connected from
192.168.0.13:25651
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept):
before/accept initialization
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3
read client hello A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3
write server hello A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3
write certificate A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3
write certificate request A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3
flush data
2007.06.05 13:19:02 LOG5[15150:3083049888]: VERIFY OK: depth=1,
/C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics
n.v./OU=IT/CN=Certificate
Authority/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:02 LOG4[15150:3083049888]: VERIFY ERROR ONLY MY: no
cert for /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics
n.v./OU=IT/CN=client/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL alert (write): fatal:
certificate unknown
2007.06.05 13:19:02 LOG3[15150:3083049888]: SSL_accept: 140890B2:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2007.06.05 13:19:02 LOG7[15150:3083049888]: firebird finished (0 left)
2007.06.05 13:19:04 LOG7[15150:3083052720]: firebird accepted FD=8 from
192.168.0.13:25653
2007.06.05 13:19:04 LOG7[15150:3083049888]: firebird started
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 8 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083049888]: TCP_NODELAY option set on
local socket
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 9 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 11 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083052720]: Cleaning up the signal pipe
2007.06.05 13:19:04 LOG6[15150:3083052720]: Child process 15154 finished
with code 0
2007.06.05 13:19:04 LOG7[15150:3083049888]: Connection from
192.168.0.13:25653 permitted by libwrap
2007.06.05 13:19:04 LOG5[15150:3083049888]: firebird connected from
192.168.0.13:25653
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept):
before/accept initialization
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3
read client hello A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3
write server hello A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3
write certificate A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3
write certificate request A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3
flush data
2007.06.05 13:19:04 LOG5[15150:3083049888]: VERIFY OK: depth=1,
/C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics
n.v./OU=IT/CN=Certificate
Authority/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:04 LOG4[15150:3083049888]: VERIFY ERROR ONLY MY: no
cert for /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics
n.v./OU=IT/CN=client/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL alert (write): fatal:
certificate unknown
2007.06.05 13:19:04 LOG3[15150:3083049888]: SSL_accept: 140890B2:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
2007.06.05 13:19:04 LOG7[15150:3083049888]: firebird finished (0 left)
2007.06.05 13:19:09 LOG3[15150:3083052720]: Received signal 2; terminating
2007.06.05 13:19:09 LOG7[15150:3083052720]: removing pid file
/var/run/stunnel.pid
I put the client cert in /etc/stunnel/certs and I ran 'c_rehash
/etc/stunnel/certs'.
What am I missing? Thanks for any input.
Regards,
Koenraad Lelong.
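The log line "VERIFY ERROR ONLY MY: no cert for ..." means stunnel found no certificate with the client's subject under CApath, which is what verify = 3 requires on top of the CA check. The script below is an added example (not from the post or from the stunnel project) that checks whether a client certificate is installed under a CApath in the form that lookup needs: a file named after the subject hash whose contents are this exact certificate. It tries both hash styles because OpenSSL changed the subject-hash algorithm in 1.0.0, so a c_rehash run with a newer OpenSSL can produce names a 0.9.8-linked stunnel will not look for; the function name and the temporary paths are my own choices.

```shell
#!/bin/sh
# Check whether CLIENT_CERT is installed under CAPATH the way an stunnel
# verify = 3 lookup expects: a file <subject hash>.N (as c_rehash creates)
# whose contents are this exact certificate, compared by SHA-256 fingerprint.
# Both the current (-subject_hash) and the pre-1.0.0 (-subject_hash_old)
# naming styles are tried. Exit status: 0 found, 1 not found, 2 unreadable.
check_peer_cert_in_capath() {
    cert="$1"; capath="$2"
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 2
    for h in $(openssl x509 -noout -subject_hash -in "$cert") \
             $(openssl x509 -noout -subject_hash_old -in "$cert"); do
        # Quoted prefix, unquoted suffix: the glob expands to hash.0, hash.1, ...
        for f in "$capath/$h".[0-9]*; do
            [ -f "$f" ] || continue          # pattern did not match anything
            got=$(openssl x509 -noout -fingerprint -sha256 -in "$f" 2>/dev/null)
            if [ "$got" = "$want" ]; then
                echo "found: $f"
                return 0
            fi
            echo "subject hash matches but contents differ: $f"
        done
    done
    echo "no copy of $cert under $capath (expected <subject hash>.0 from c_rehash)"
    return 1
}
```

Run it as `check_peer_cert_in_capath /path/to/client.pem /etc/stunnel/certs` on the server; a "contents differ" line points at a stale or wrong certificate sitting under the right name.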