[stunnel-users] error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
Don Cohen
don-stunnel-zyx at isis.cs3-inc.com
Fri Mar 4 09:58:12 CET 2011
stuff in [brackets] is replaced to protect the innocent
stunnel.conf:
================
debug=5
output=/root/stunnel.log
cert=/etc/pki/tls/certs/[certfile]
CAfile=/etc/pki/tls/certs/[bundle].crt
key=/etc/pki/tls/private/[private-key].key
[debug]
accept=801
client=yes
connect=[...].com:443
================
I then connect to localhost:801 and stunnel.log contains:
================
2011.02.28 19:18:45 LOG5[20520:3086252944]: debug connected from
127.0.0.1:38472
2011.02.28 19:18:46 LOG3[20520:3086252944]: SSL_connect: 14094412:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2011.02.28 19:18:46 LOG5[20520:3086252944]: Connection reset: 0 bytes
sent to SSL, 0 bytes sent to socket
================
I don't see anything wrong with the cert or private key -
the following demo shows that at least openssl is happy with them:
================
echo "hello there" | openssl rsautl -certin -inkey
/etc/pki/tls/certs/[certfile] -encrypt |openssl rsautl -inkey
/etc/pki/tls/private/[private-key].key -decrypt
hello there
================
I've captured the packets sent between stunnel and the server and
wireshark shows (at ssl level)
client
SSLv3 Client Hello
server
SSLv3 Server Hello, Certificate, Certificate Request, Server Hello Done
client
SSLv3 Certificate, Client Key Exchange, Certificate Verify,
Change Cipher Spec, Encrypted Handshake Message
server
SSLv3 Alert (Level: Fatal, Description: Bad Certificate)
followed by TCP resets
So the server is complaining about my certificate.
This is certainly not what I would have guessed the message in the log
meant. It looks like an error from stunnel. So is it an error from
stunnel or is it stunnel reporting a complaint from the server?
And if the latter, what exactly did the server send? The entire
message starting with error? or starting with 14094412? or what?
Could this mean that the server doesn't understand the certificate
(cause it's a 2K certificate instead of 1K?) or could it mean that
the server doesn't like it for some other reason?
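The question of whether "error:14094412 ... sslv3 alert bad certificate" is stunnel's own complaint or a relayed one can be answered mechanically from the number itself. The following is an added example, not code from the post or from the stunnel project: it decodes an OpenSSL 1.x packed error code (8 bits library, 12 bits function, 12 bits reason, the ERR_PACK layout of that era; OpenSSL 3.x changed the layout, so it assumes a 1.x-era code like the one in this 2011 log), recognises libssl's convention that reason codes of 1000 plus an alert description denote an alert received from the peer, and parses a raw TLS alert record such as the one Wireshark showed. The seven sample record bytes are constructed to match the described capture, not taken from it.

```python
"""Decode what an OpenSSL 'SSL3_READ_BYTES ... alert' error actually says.

Added example (not from the stunnel post above).  It splits an OpenSSL 1.x
packed error code into library/function/reason fields, recognises the
reason range libssl uses for alerts RECEIVED from the peer, and parses a
raw TLS alert record as seen on the wire.
"""
import struct

ERR_LIB_SSL = 20             # library number of libssl in OpenSSL 1.x error codes
SSL_AD_REASON_OFFSET = 1000  # libssl reason = 1000 + alert description for peer alerts

# Alert descriptions from RFC 5246 section 7.2 (41 no_certificate is SSLv3-only).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into (library, function, reason).

    Layout: 8 bits library | 12 bits function | 12 bits reason (ERR_PACK in
    err.h of OpenSSL 1.x).  Accepts an int or the hex string from a log line.
    """
    if isinstance(code, str):
        code = int(code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify_ssl_error(code):
    """Return ('peer_alert', description) when libssl is relaying an alert the
    remote side sent, ('local', None) for an error raised on this side."""
    lib, _func, reason = unpack_openssl_error(code)
    if lib != ERR_LIB_SSL:
        return ("not_libssl", None)
    desc = reason - SSL_AD_REASON_OFFSET
    if desc in ALERT_DESCRIPTIONS:
        return ("peer_alert", ALERT_DESCRIPTIONS[desc])
    return ("local", None)


def parse_tls_alert_record(data):
    """Parse one plaintext TLS/SSLv3 alert record (content type 21).

    Record layout: type(1) version(2) length(2) then the 2-byte alert body
    level(1) description(1).  Returns a dict or raises ValueError.
    """
    if len(data) < 7:
        raise ValueError("record too short")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (type %d)" % ctype)
    if length != 2 or len(data) < 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = data[5], data[6]
    return {
        "version": (major, minor),
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
    }


# Constructed sample: a fatal bad_certificate alert in an SSLv3 (3,0) record,
# shaped like the one the capture describes.  Not bytes from the original post.
SAMPLE_ALERT_RECORD = bytes.fromhex("150300" "0002" "022a")

if __name__ == "__main__":
    print(unpack_openssl_error("14094412"))      # (20, 148, 1042)
    print(classify_ssl_error(0x14094412))        # ('peer_alert', 'bad_certificate')
    print(parse_tls_alert_record(SAMPLE_ALERT_RECORD))
```

For the code in the log, library 20 is libssl, function 148 is the reader that received the record (SSL3_READ_BYTES), and reason 1042 is 1000 + 42, i.e. the peer's bad_certificate alert; the last text field of the log line is simply OpenSSL's string for that reason. The alert itself arrives unencrypted because the server sent it before its own ChangeCipherSpec, which is why the record parser here needs no decryption. A reason below 1000 would instead indicate a failure raised on the local side.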