[stunnel-users] error:14094412:SSL routines:SSL3_READ_BYTES:sslv3

Don Cohen don-stunnel-zyx at isis.cs3-inc.com
Fri Mar 4 09:58:12 CET 2011 

stuff in [brackets] is replaced to protect the innocent

stunnel.conf:
================
debug=5 
output=/root/stunnel.log 
cert=/etc/pki/tls/certs/[certfile] 
CAfile=/etc/pki/tls/certs/[bundle].crt 
key=/etc/pki/tls/private/[private-key].key 
[debug] 
accept=801 
client=yes 
connect=[...].com:443 
================

I then connect to localhost:801 and stunnel.log contains:
================
2011.02.28 19:18:45 LOG5[20520:3086252944]: debug connected from
127.0.0.1:38472 
2011.02.28 19:18:46 LOG3[20520:3086252944]: SSL_connect: 14094412:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate 
2011.02.28 19:18:46 LOG5[20520:3086252944]: Connection reset: 0 bytes
sent to SSL, 0 bytes sent to socket 
================

I don't see anything wrong with the cert or private key - 
the following demo shows that at least openssl is happy with them:
================
echo "hello there" | openssl rsautl -certin -inkey
/etc/pki/tls/certs/[certfile] -encrypt |openssl rsautl -inkey
/etc/pki/tls/private/[private-key].key -decrypt 
hello there

I've captured the packets sent between stunnel and the server and
wireshark shows (at ssl level)
client
 SSLv3    Client Hello
server
 SSLv3    Server Hello, Certificate, Certificate Request, Server Hello Done
client
 SSLv3    Certificate, Client Key Exchange, Certificate Verify,
          Change Cipher Spec, Encrypted Handshake Message
server
 SSLv3    Alert (Level: Fatal, Description: Bad Certificate)
followed by TCP resets

So the server is complaining about my certificate.
This is certainly not what I would have guessed the message in the log
meant.  It looks like an error from stunnel.  So is it an error from
stunnel or is it stunnel reporting a complaint from the server?
And if the latter, what exactly did the server send?  The entire
message starting with error? or starting with 14094412? or what?

Could this mean that the server doesn't understand the certificate
(cause it's a 2K certificate instead of 1K?) or could it mean that 
the server doesn't like it for some other reason?

More information about the stunnel-users mailing list