
[stunnel-users] Problem with 'verify=3'



Old 06-05-2007
Koenraad Lelong
 

Hi,
I would like to have a secure access to a Firebird database server. When
I configure verify = 2 on the server I can connect, but I would like to
have verify = 3 and this does not work.
This is my stunnel.conf:

client = no
foreground = yes
setuid = stunnel
setgid = nogroup
pid = /var/run/stunnel.pid
debug = 7
output = /var/log/stunnel.log
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CApath = /etc/stunnel/certs/
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/server.pem
[firebird]
accept = 3052
connect = localhost:gds_db

Output of stunnel -version:

stunnel 4.14 on i686-suse-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005

Global options
cert = /etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /etc/stunnel/stunnel.pem
pid = /var/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
session = 300 seconds
verify = none

Service-level options
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds

I'm running OpenSuse 10.1 on the server.
This is the log when I can't connect (verify = 3):

2007.06.05 13:18:55 LOG5[15150:3083052720]: stunnel 4.14 on i686-suse-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.8a 11 Oct 2005
2007.06.05 13:18:55 LOG7[15150:3083052720]: Snagged 64 random bytes from /root/.rnd
2007.06.05 13:18:55 LOG7[15150:3083052720]: Wrote 1024 new random bytes to /root/.rnd
2007.06.05 13:18:55 LOG7[15150:3083052720]: RAND_status claims sufficient entropy for the PRNG
2007.06.05 13:18:55 LOG6[15150:3083052720]: PRNG seeded successfully
2007.06.05 13:18:55 LOG7[15150:3083052720]: Certificate: /etc/stunnel/server.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Key file: /etc/stunnel/server.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Loaded verify certificates from /etc/stunnel/cacert.pem
2007.06.05 13:18:55 LOG7[15150:3083052720]: Verify directory set to /etc/stunnel/certs/
2007.06.05 13:18:55 LOG5[15150:3083052720]: Peer certificate location /etc/stunnel/certs/
2007.06.05 13:18:55 LOG6[15150:3083052720]: file ulimit = 1024 (can be changed with 'ulimit -n')
2007.06.05 13:18:55 LOG6[15150:3083052720]: poll() used - no FD_SETSIZE limit for file descriptors
2007.06.05 13:18:55 LOG5[15150:3083052720]: 500 clients allowed
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 5 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 6 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: FD 7 in non-blocking mode
2007.06.05 13:18:55 LOG7[15150:3083052720]: SO_REUSEADDR option set on accept socket
2007.06.05 13:18:55 LOG7[15150:3083052720]: firebird bound to 0.0.0.0:3052
2007.06.05 13:18:55 LOG7[15150:3083052720]: Created pid file /var/run/stunnel.pid
2007.06.05 13:19:02 LOG7[15150:3083052720]: firebird accepted FD=8 from 192.168.0.13:25651
2007.06.05 13:19:02 LOG7[15150:3083049888]: firebird started
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 8 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083049888]: TCP_NODELAY option set on local socket
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 9 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083049888]: FD 11 in non-blocking mode
2007.06.05 13:19:02 LOG7[15150:3083052720]: Cleaning up the signal pipe
2007.06.05 13:19:02 LOG6[15150:3083052720]: Child process 15152 finished with code 0
2007.06.05 13:19:02 LOG7[15150:3083049888]: Connection from 192.168.0.13:25651 permitted by libwrap
2007.06.05 13:19:02 LOG5[15150:3083049888]: firebird connected from 192.168.0.13:25651
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): before/accept initialization
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 read client hello A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 write server hello A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 write certificate A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 write certificate request A
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL state (accept): SSLv3 flush data
2007.06.05 13:19:02 LOG5[15150:3083049888]: VERIFY OK: depth=1, /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics n.v./OU=IT/CN=Certificate Authority/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:02 LOG4[15150:3083049888]: VERIFY ERROR ONLY MY: no cert for /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics n.v./OU=IT/CN=client/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:02 LOG7[15150:3083049888]: SSL alert (write): fatal: certificate unknown
2007.06.05 13:19:02 LOG3[15150:3083049888]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2007.06.05 13:19:02 LOG7[15150:3083049888]: firebird finished (0 left)
2007.06.05 13:19:04 LOG7[15150:3083052720]: firebird accepted FD=8 from 192.168.0.13:25653
2007.06.05 13:19:04 LOG7[15150:3083049888]: firebird started
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 8 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083049888]: TCP_NODELAY option set on local socket
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 9 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083049888]: FD 11 in non-blocking mode
2007.06.05 13:19:04 LOG7[15150:3083052720]: Cleaning up the signal pipe
2007.06.05 13:19:04 LOG6[15150:3083052720]: Child process 15154 finished with code 0
2007.06.05 13:19:04 LOG7[15150:3083049888]: Connection from 192.168.0.13:25653 permitted by libwrap
2007.06.05 13:19:04 LOG5[15150:3083049888]: firebird connected from 192.168.0.13:25653
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): before/accept initialization
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 read client hello A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 write server hello A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 write certificate A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 write certificate request A
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL state (accept): SSLv3 flush data
2007.06.05 13:19:04 LOG5[15150:3083049888]: VERIFY OK: depth=1, /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics n.v./OU=IT/CN=Certificate Authority/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:04 LOG4[15150:3083049888]: VERIFY ERROR ONLY MY: no cert for /C=BE/ST=Vlaams Brabant/L=Diest/O=ACE electronics n.v./OU=IT/CN=client/emailAddress=postmaster.ace-electronics.be
2007.06.05 13:19:04 LOG7[15150:3083049888]: SSL alert (write): fatal: certificate unknown
2007.06.05 13:19:04 LOG3[15150:3083049888]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2007.06.05 13:19:04 LOG7[15150:3083049888]: firebird finished (0 left)
2007.06.05 13:19:09 LOG3[15150:3083052720]: Received signal 2; terminating
2007.06.05 13:19:09 LOG7[15150:3083052720]: removing pid file /var/run/stunnel.pid

I put the client cert in /etc/stunnel/certs and I ran 'c_rehash /etc/stunnel/certs'.
What am I missing? Thanks for any input.
Regards,
Koenraad Lelong.
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
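The "VERIFY ERROR ONLY MY: no cert for ..." line in the log is stunnel's verify = 3 check reporting that it looked for the client's own certificate under CApath and found no file holding it. The following POSIX shell check is an added example, not code from the post or from stunnel: it reproduces that lookup with the OpenSSL CLI by computing the subject hash, scanning for the <hash>.N entries c_rehash should have created, and comparing fingerprints so that a different certificate with the same subject does not pass. It assumes openssl is on PATH; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from stunnel.
# Checks that a peer certificate is installed in an stunnel CApath the way
# 'verify = 3' looks it up: a file named <subject_hash>.N (as created by
# c_rehash) whose contents are exactly that certificate.
# Assumes the OpenSSL command-line tool is on PATH; paths are placeholders.

# Subject-name hash that c_rehash uses for the file name.
cert_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# SHA-1 fingerprint, used to compare a stored file with the peer cert.
cert_fp() {
    openssl x509 -noout -fingerprint -sha1 -in "$1"
}

# check_capath_entry PEER_CERT CAPATH
# Returns 0 if some CAPATH/<hash>.N holds exactly PEER_CERT, 1 if none does,
# 2 if PEER_CERT itself cannot be parsed.
check_capath_entry() {
    cert=$1
    capath=$2
    subj_hash=$(cert_hash "$cert") || return 2
    want=$(cert_fp "$cert") || return 2
    for f in "$capath/$subj_hash".*; do
        [ -f "$f" ] || continue                       # glob matched nothing
        got=$(cert_fp "$f" 2>/dev/null) || continue   # file is not a cert
        if [ "$got" = "$want" ]; then
            echo "OK: $f is the peer certificate ($want)"
            return 0
        fi
    done
    echo "MISSING: no $capath/$subj_hash.* holds $cert; copy it there and run 'c_rehash $capath'" >&2
    return 1
}

# Caveat: the subject-hash scheme changed in OpenSSL 1.0.0, so run c_rehash
# (and this check) with the same OpenSSL build that stunnel is linked against.

# Example invocation with placeholder paths:
# check_capath_entry /etc/stunnel/certs/client.pem /etc/stunnel/certs/
```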