[stunnel-users] error:14094412:SSL routines:SSL3_READ_BYTES:sslv3

josealf at rocketmail.com
Fri Mar 4 13:17:20 CET 2011


Don,

Are you sure your cert bundle has certificates for all certificate authorities in the chain (root and intermediate)? 

-----Original Message-----
From: don-stunnel-zyx at isis.cs3-inc.com (Don Cohen)
Sender: stunnel-users-bounces at stunnel.org
Date: Fri,  4 Mar 2011 00:58:12 
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] error:14094412:SSL routines:SSL3_READ_BYTES:sslv3

stuff in [brackets] is replaced to protect the innocent

stunnel.conf:
================
debug=5 
output=/root/stunnel.log 
cert=/etc/pki/tls/certs/[certfile] 
CAfile=/etc/pki/tls/certs/[bundle].crt 
key=/etc/pki/tls/private/[private-key].key 
[debug] 
accept=801 
client=yes 
connect=[...].com:443 
================

I then connect to localhost:801 and stunnel.log contains:
================
2011.02.28 19:18:45 LOG5[20520:3086252944]: debug connected from 127.0.0.1:38472
2011.02.28 19:18:46 LOG3[20520:3086252944]: SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2011.02.28 19:18:46 LOG5[20520:3086252944]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
================

I don't see anything wrong with the cert or private key - 
the following demo shows that at least openssl is happy with them:
================
echo "hello there" | openssl rsautl -certin -inkey \
    /etc/pki/tls/certs/[certfile] -encrypt | openssl rsautl -inkey \
    /etc/pki/tls/private/[private-key].key -decrypt
hello there
================

I've captured the packets sent between stunnel and the server and
wireshark shows (at ssl level)
client
 SSLv3    Client Hello
server
 SSLv3    Server Hello, Certificate, Certificate Request, Server Hello Done
client
 SSLv3    Certificate, Client Key Exchange, Certificate Verify,
          Change Cipher Spec, Encrypted Handshake Message
server
 SSLv3    Alert (Level: Fatal, Description: Bad Certificate)
followed by TCP resets

So the server is complaining about my certificate.
This is certainly not what I would have guessed the message in the log
meant.  It looks like an error from stunnel.  So is it an error from
stunnel or is it stunnel reporting a complaint from the server?
And if the latter, what exactly did the server send?  The entire
message starting with error? or starting with 14094412? or what?

Could this mean that the server doesn't understand the certificate
(because it's a 2K certificate instead of 1K?) or could it mean that
the server doesn't like it for some other reason?
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
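Added example, not part of the thread above and not stunnel's own code: it decodes the OpenSSL error code from Don's log and parses the alert record Wireshark showed, to make the relationship between the two concrete. OpenSSL packs an error as lib/function/reason bit fields, and in the SSL library every reason code of 1000 or more is SSL_AD_REASON_OFFSET plus the TLS AlertDescription received from the peer, so 0x14094412 is lib 20 (SSL routines), function 148 (SSL3_READ_BYTES, the code that was reading when the alert arrived) and reason 1042 = 1000 + 42, where 42 is bad_certificate. The server itself sent only a 2-byte alert body (level, description) inside a 5-byte record header; every other part of the "error:14094412:..." string is generated locally by OpenSSL. The 7-byte sample record is constructed to match the capture (server has not yet sent ChangeCipherSpec, so its alert is plaintext); the alert-description table is a subset of RFC 5246. For the chain question raised in the reply, the offline check is `openssl verify -CAfile [bundle].crt [certfile]`, which the code below does not perform.

```python
import struct

# OpenSSL (1.0.x era, as in the log above) packs an error code as
# ERR_PACK(lib, func, reason): lib in bits 24-31, func in bits 12-23,
# reason in bits 0-11.  "SSL routines" is ERR_LIB_SSL (20).
ERR_LIB_SSL = 20

# In the SSL library, reason codes from 1000 up are SSL_AD_REASON_OFFSET plus
# the TLS AlertDescription received from the peer, so "sslv3 alert bad
# certificate" (1042) is alert 42 relayed from the other end of the connection.
SSL_AD_REASON_OFFSET = 1000

TLS_CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# TLS AlertDescription values from RFC 5246 section 7.2 (subset)
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
}


def unpack_openssl_error(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def peer_alert_from_error(code):
    """Return (description_code, name) for an SSL-library error that relays a
    peer alert, or None if the code is not such an error."""
    lib, _func, reason = unpack_openssl_error(code)
    if lib != ERR_LIB_SSL or reason < SSL_AD_REASON_OFFSET:
        return None
    desc = reason - SSL_AD_REASON_OFFSET
    return desc, ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)


def parse_alert_record(data):
    """Parse one SSLv3/TLS record; if it is a plaintext Alert, return its
    protocol version, level and description."""
    if len(data) < 5:
        raise ValueError("short record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    if content_type != TLS_CONTENT_TYPE_ALERT:
        raise ValueError("content type %d is not Alert" % content_type)
    if length != 2:
        # A plaintext alert is exactly two bytes; anything else means the
        # record is encrypted (sent after ChangeCipherSpec) or malformed.
        raise ValueError("alert body is %d bytes, expected 2" % length)
    level, desc = body[0], body[1]
    return {
        "version": (major, minor),  # (3, 0) is SSLv3, (3, 1) is TLS 1.0
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description_code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
    }


# Constructed sample: the 7-byte record an SSLv3 server sends for a fatal
# bad_certificate alert (type 21, version 3.0, length 2, level 2, desc 42).
SAMPLE_SERVER_ALERT = bytes.fromhex("15 03 00 00 02 02 2a")
# The error code from the stunnel log, as OpenSSL prints it (hexadecimal).
LOG_ERROR_CODE = 0x14094412


def explain(code=LOG_ERROR_CODE, record=SAMPLE_SERVER_ALERT):
    """True when the logged OpenSSL error and the captured alert record
    describe the same peer alert."""
    alert = parse_alert_record(record)
    relayed = peer_alert_from_error(code)
    return relayed is not None and relayed[0] == alert["description_code"]


if __name__ == "__main__":
    print(unpack_openssl_error(LOG_ERROR_CODE))   # (20, 148, 1042)
    print(peer_alert_from_error(LOG_ERROR_CODE))  # (42, 'bad_certificate')
    print(parse_alert_record(SAMPLE_SERVER_ALERT))
    print(explain())                              # True
```

The same decoding applies to any "sslvN alert ..." reason string from OpenSSL: the number after the offset is the raw alert description the peer chose, so the client cannot learn from it why the server disliked the certificate (key size, unknown issuer, expired) beyond the single code the server picked.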