[stunnel-users] Bad certificate? (was Expired certificate?)

Boxall, John john.boxall at bmo.com
Fri Jun 30 17:04:17 CEST 2006


Mike,

I've created a self-signed certificate on my Windows test box using
OpenSSL 0.9.7j (the version from Shining Light). 
I created the key file with the following command:

"openssl genrsa 1024 > \host.key"

Here is the command I used to create the self-signed cert:

"openssl req -new -x509 -nodes -sha1 -days 9999 -key \host.key > \host.cert"

I then copied the key/cert to the appropriate file in the stunnel
directory.

I then copied the cert to the Solaris server and included it with all
other client certs.

Here is the Windows configuration file:

;
;CLIENT-ONLY stunnel configuration file
;
client = yes
cert = C:\Program Files\stunnel\stunnel.pem-client-certificate
CAfile = C:\Program Files\stunnel\stunnel.pem-server-certificate
;chroot = /var/run/stunnel
;pid = /usr/local/var/run/stunnel/stunnel.pid
;setuid = stunnel
;setgid = stunnel
verify = 3
;foreground = yes
debug = 7
output = C:\Program Files\stunnel\stunnel.log
[5140]
	accept = 127.0.0.1:514
	connect = 172.17.99.143:5140

Here is the Solaris configuration file:

;
;SERVER-ONLY stunnel configuration file
;
cert = /usr/local/etc/stunnel/stunnel.pem-server-certificate
CAfile = /usr/local/etc/stunnel/stunnel.pem-all-client-certificates
;chroot = /var/run/stunnel
;pid = /var/run/stunnel/run/stunnel.pid
;setuid = stunnel
;setgid = stunnel
verify = 3
;foreground = yes
debug = 7
output=/stunnel.log
[5140]
	accept = 172.17.99.143:5140
	connect = 127.0.0.1:514

The following happens on the Windows box when I first launch stunnel:

2006.06.30 09:51:31 LOG5[516:360]: stunnel 4.15 on x86-pc-mingw32-gnu with OpenSSL 0.9.7i 14 Oct 2005
2006.06.30 09:51:31 LOG5[516:360]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2006.06.30 09:51:31 LOG5[516:392]: No limit detected for the number of clients
2006.06.30 09:51:31 LOG7[516:392]: FD 1904 in non-blocking mode
2006.06.30 09:51:31 LOG7[516:392]: SO_REUSEADDR option set on accept socket
2006.06.30 09:51:31 LOG7[516:392]: 5140 bound to 127.0.0.1:514

Nothing happens on the Solaris box.

When I start EventReporter, the following happens, in a continuous loop
(until I stop EventReporter):

2006.06.30 10:16:26 LOG7[296:700]: 5140 accepted FD=156 from 127.0.0.1:1154
2006.06.30 10:16:26 LOG7[296:700]: Creating a new thread
2006.06.30 10:16:26 LOG7[296:700]: New thread created
2006.06.30 10:16:27 LOG7[296:1204]: 5140 started
2006.06.30 10:16:27 LOG7[296:1204]: FD 156 in non-blocking mode
2006.06.30 10:16:27 LOG5[296:1204]: 5140 connected from 127.0.0.1:1154
2006.06.30 10:16:27 LOG7[296:1204]: FD 188 in non-blocking mode
2006.06.30 10:16:27 LOG7[296:1204]: 5140 connecting 172.17.99.143:5140
2006.06.30 10:16:27 LOG7[296:1204]: connect_wait: waiting 10 seconds
2006.06.30 10:16:27 LOG7[296:1204]: connect_wait: connected
2006.06.30 10:16:27 LOG7[296:1204]: Remote FD=188 initialized
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): before/connect initialization
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client hello A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server hello A
2006.06.30 10:16:27 LOG5[296:1204]: VERIFY OK: depth=0, /C=CA/ST=ONTARIO/L=TORONTO/O=BANK OF MONTREAL/OU=LMG-DTS/CN=jdb2u10
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server certificate A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server certificate request A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 read server done A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client certificate A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write client key exchange A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write certificate verify A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write change cipher spec A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 write finished A
2006.06.30 10:16:27 LOG7[296:1204]: SSL state (connect): SSLv3 flush data
2006.06.30 10:16:27 LOG3[296:1204]: SSL_connect: Peer suddenly disconnected
2006.06.30 10:16:27 LOG5[296:1204]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.30 10:16:27 LOG7[296:1204]: 5140 finished (0 left)

On the Solaris box, here is the matching entry, also in a continuous
loop:

2006.06.30 10:16:47 LOG7[1214:1]: 5140 accepted FD=2 from 172.17.99.150:1155
2006.06.30 10:16:47 LOG7[1214:800]: 5140 started
2006.06.30 10:16:47 LOG7[1214:800]: FD 2 in non-blocking mode
2006.06.30 10:16:47 LOG5[1214:800]: 5140 connected from 172.17.99.150:1155
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): before/accept initialization
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 read client hello A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write server hello A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write certificate A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 write certificate request A
2006.06.30 10:16:47 LOG7[1214:800]: SSL state (accept): SSLv3 flush data
2006.06.30 10:16:48 LOG4[1214:800]: VERIFY ERROR: depth=0, error=self signed certificate: /C=CA/ST=ONTARIO/L=TORONTO/O=BMO/OU=LMG-DTS/CN=jdb1winxp
2006.06.30 10:16:48 LOG7[1214:800]: SSL alert (write): fatal: bad certificate
2006.06.30 10:16:48 LOG3[1214:800]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2006.06.30 10:16:48 LOG5[1214:800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.06.30 10:16:48 LOG7[1214:800]: 5140 finished (1 left)

It appears the server cert is ok, but "something" is wrong with the
client (Windows box) cert.

Any chance you could post the command used in the "make install" to kick
off the creation of the self-signed cert on Unix? I grep'd for it, but
couldn't find it.

Regards,
 
John Boxall
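Added diagnostic, not part of John's message: with verify = 3, stunnel 4.x only accepts a peer whose certificate is itself present in the file named by CAfile, so the first thing to check for a "VERIFY ERROR: depth=0, error=self signed certificate" on the server is whether the client's certificate, compared by DER fingerprint, actually sits in the server-side bundle. The script is stdlib-only Python with constructed PEM blocks (the base64 bodies are placeholders, not real X.509 data) and deliberately skips non-certificate blocks such as a private key that was pasted into the bundle along with the cert.

```python
import base64
import hashlib
import re

# Any PEM block: group 1 is the label (CERTIFICATE, RSA PRIVATE KEY, ...), group 2 the body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text, label="CERTIFICATE"):
    """Yield the DER bytes of every PEM block carrying the given label.
    Blocks with other labels (e.g. a private key in the same file) are ignored."""
    for m in PEM_RE.finditer(text):
        if m.group(1) == label:
            yield base64.b64decode("".join(m.group(2).split()))


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex (openssl x509 -fingerprint style)."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cert_in_bundle(client_pem, bundle_pem):
    """Return (found, client_fp, bundle_fps): is the client's certificate in the CAfile bundle?"""
    client_ders = list(pem_blocks(client_pem))
    if len(client_ders) != 1:
        raise ValueError("expected exactly one CERTIFICATE block in the client file")
    client_fp = fingerprint(client_ders[0])
    bundle_fps = [fingerprint(d) for d in pem_blocks(bundle_pem)]
    return client_fp in bundle_fps, client_fp, bundle_fps


# Constructed sample input: placeholder base64 bodies, not real certificates or keys.
CLIENT_PEM = """-----BEGIN RSA PRIVATE KEY-----
a2V5LW1hdGVyaWFsLXBsYWNlaG9sZGVy
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y2xpZW50LWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
BUNDLE_PEM = """-----BEGIN CERTIFICATE-----
b3RoZXItY2xpZW50LWNlcnQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2xpZW50LWNlcnQtcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    found, fp, _ = cert_in_bundle(CLIENT_PEM, BUNDLE_PEM)
    print("client cert", fp)
    print("present in CAfile" if found else "NOT in CAfile: verify = 3 will reject it")
```

Run it with the real files by replacing the two constants with the contents of the client's stunnel.pem and the server's CAfile; a fingerprint that is absent from the bundle means the cert copied to the server is not the one the client is presenting.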
