[stunnel-users] stunnel and bad rsa signature

Trent Townsend trent.w.townsend at erdc.usace.army.mil
Tue May 30 19:18:33 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On a test environment, I successfully had stunnel securing MySQL  
traffic between 2 systems using a verify level of 3.  However, with  
the production system and what I would call an identical setup  
(albeit with new certificates), I get the following errors (see log  
below.)  The version I'm running of stunnel is 4.11.  I saw the "bad  
rsa signature" message in the server's output, so I regenerated the  
private key file to be sure I'd used the right one.  Everything seems  
to be in order, but it will not work.  Any ideas?

Client:
2006.05.30 09:20:21 LOG5[21951:1]: stunnel 4.11 on i686-pc-linux-gnu UCONTEXT+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:20:21 LOG5[21951:1]: 499 clients allowed
2006.05.30 09:20:25 LOG5[21951:2]: stunnel_mysql connected from 127.0.0.1:32853
2006.05.30 09:20:25 LOG3[21951:2]: SSL_connect: 14094410: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
2006.05.30 09:20:25 LOG5[21951:2]: stack_info: size=65536, current=15296 (23%), maximum=15296 (23%)

Server:
2006.05.30 09:19:42 LOG7[19964:3086334176]: RAND_status claims sufficient entropy for the PRNG
2006.05.30 09:19:42 LOG6[19964:3086334176]: PRNG seeded successfully
2006.05.30 09:19:42 LOG7[19964:3086334176]: Certificate: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Key file: /usr/KRB5/openssl/ssl/private/server.key
2006.05.30 09:19:42 LOG7[19964:3086334176]: Verify directory set to /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG5[19964:3086334176]: Peer certificate location /usr/KRB5/openssl/ssl/certs
2006.05.30 09:19:42 LOG7[19964:3086334176]: SSL context initialized for service stunnel_mysqld
2006.05.30 09:19:42 LOG5[19964:3086334176]: stunnel 4.15 on i686-pc-linux-gnu with OpenSSL 0.9.7a Feb 19 2003
2006.05.30 09:19:42 LOG5[19964:3086334176]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
2006.05.30 09:19:42 LOG6[19964:3086334176]: file ulimit = 1022 (can be changed with 'ulimit -n')
2006.05.30 09:19:42 LOG6[19964:3086334176]: poll() used - no FD_SETSIZE limit for file descriptors
2006.05.30 09:19:42 LOG5[19964:3086334176]: 499 clients allowed
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 4 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 5 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: FD 6 in non-blocking mode
2006.05.30 09:19:42 LOG7[19964:3086334176]: SO_REUSEADDR option set on accept socket
2006.05.30 09:19:42 LOG7[19964:3086334176]: stunnel_mysqld bound to 0.0.0.0:606
2006.05.30 09:19:42 LOG7[19964:3086334176]: Created pid file /usr/local/var/stunnel/stunnel.pid
2006.05.30 09:20:40 LOG7[19964:3086334176]: stunnel_mysqld accepted FD=7 from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld started
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 7 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 8 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: FD 9 in non-blocking mode
2006.05.30 09:20:40 LOG7[19964:3086330800]: Connection from xxx.xxx.xxx.xxx:32854 permitted by libwrap
2006.05.30 09:20:40 LOG5[19964:3086330800]: stunnel_mysqld connected from xxx.xxx.xxx.xxx:32854
2006.05.30 09:20:40 LOG7[19964:3086334176]: Cleaning up the signal pipe
2006.05.30 09:20:40 LOG6[19964:3086334176]: Child process 19967 finished with code 0
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=2, ... (Root CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=1, ... (CA)
2006.05.30 09:20:40 LOG5[19964:3086330800]: VERIFY OK: depth=0, ... (client)
2006.05.30 09:20:40 LOG3[19964:3086330800]: error stack: 1408807A : error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature
2006.05.30 09:20:40 LOG3[19964:3086330800]: SSL_accept: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
2006.05.30 09:20:40 LOG5[19964:3086330800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2006.05.30 09:20:40 LOG7[19964:3086330800]: stunnel_mysqld finished (0 left)

Thanks.




-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQA/AwUBRHx+bI0HAxBKv2yIEQIJ1wCcCVJ+9ZqXdxWGTBAS8y7ldUv+J4UAn1al
ZYIA5gmw38iwsYuE7tG9esAk
=ljGb
-----END PGP SIGNATURE-----
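
An added check, not part of the original post: the server-side error comes from SSL3_GET_CERT_VERIFY, where OpenSSL verifies the client's CertificateVerify signature against the public key in the client certificate, so one thing to confirm is that the client's private key still belongs to its certificate. The sketch below compares RSA moduli with the openssl CLI; the file names and the throwaway keys it generates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: does an RSA private key belong to a given certificate?
# All file names are constructed samples, not the poster's paths.

# Print the RSA modulus of a PEM certificate or a PEM private key.
cert_modulus() { openssl x509 -noout -modulus -in "$1" 2>/dev/null; }
key_modulus()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null; }

# key_matches_cert CERT KEY
# Returns 0 if both carry the same modulus, 1 if they differ,
# 2 if either file is missing or cannot be parsed.
key_matches_cert() {
    c=$(cert_modulus "$1") || return 2
    k=$(key_modulus "$2") || return 2
    [ -n "$c" ] && [ -n "$k" ] || return 2
    [ "$c" = "$k" ]
}

# Build throwaway material: a certificate issued for client.key, plus a
# second key standing in for one regenerated after the cert was issued.
make_sample() {
    openssl genrsa -out "$1/client.key" 2048 2>/dev/null
    openssl genrsa -out "$1/regenerated.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/client.key" -subj "/CN=client" \
        -days 1 -out "$1/client.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 2
    make_sample "$tmp"
    for key in client.key regenerated.key; do
        if key_matches_cert "$tmp/client.pem" "$tmp/$key"; then
            echo "$key: matches client.pem"
        else
            echo "$key: does NOT match client.pem"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run the same comparison on each endpoint against the cert and key files named in its stunnel configuration.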