[opensuse] stunnel certificates
Hi,
I want to secure access to a database server (Firebird). I want to do this with stunnel. I'm having trouble with the certificates.
This is what I did, using standard Suse 10.0 stuff (I modified openssl.cnf to have a number of defaults):

#in a clean directory create structure :
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 00 > demoCA/serial
#Create CA files
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out \
  demoCA/cacert.pem
#Create server key & signing request
openssl req -nodes -new -newkey rsa:1024 -keyout server.key -out \
  server.req
#sign server certificate
openssl ca -policy policy_anything -notext -in server.req -out \
  server.crt
#Create client key & signing request
openssl req -nodes -new -newkey rsa:1024 -keyout client.key -out \
  client.req
#sign client certificate
openssl ca -policy policy_anything -notext -in client.req -out \
  client.crt
cp demoCA/newcerts/00.pem /etc/stunnel/server.pem
cp demoCA/cacert.pem /etc/stunnel/cacert.pem
chmod 740 /etc/stunnel/server.pem

My stunnel.conf is:
client = no
foreground = yes
debug = 7
verify = 3
CApath = certs
CAfile = cacert.pem
cert = server.pem
[firebird]
accept = 3051
connect = localhost:3050

When I try to start stunnel I get:
ace-cad-3:/etc/stunnel # stunnel stunnel.conf
2007.05.30 12:59:33 LOG7[14071:1076660896]: Snagged 64 random bytes from /root/.rnd
2007.05.30 12:59:33 LOG7[14071:1076660896]: Wrote 1024 new random bytes to /root/.rnd
2007.05.30 12:59:33 LOG7[14071:1076660896]: RAND_status claims sufficient entropy for the PRNG
2007.05.30 12:59:33 LOG6[14071:1076660896]: PRNG seeded successfully
2007.05.30 12:59:33 LOG5[14071:1076660896]: Could not load DH parameters from server.pem
2007.05.30 12:59:33 LOG4[14071:1076660896]: Diffie-Hellman initialization failed
2007.05.30 12:59:33 LOG3[14071:1076660896]: Error reading certificate file: server.pem
2007.05.30 12:59:33 LOG3[14071:1076660896]: SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
ace-cad-3:/etc/stunnel #

This procedure is an adaptation from a document from the Firebird community. What am I missing? I think the Diffie-Hellman stuff can be ignored. I tried three other documents (from the stunnel site) but these don't work either (for me ;-) ).
Can anyone give suggestions, tips, links? They will be very much appreciated.
Are there other methods? I don't want to give ssh access to the users. I know of zebedee, but this seems old (unsupported?).
--
Kind regards,
Koenraad Lelong
R&D Manager
ACE electronics n.v.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
I have used this:
http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Self_Signed_SSL_Certifi...
To create a csr and cert etc. I had to only add a flag to generate the
file for the serial number.
I am not sure what is causing this issue, but trying a different
approach may help or lead to a different error message.
HTH
George
George Stoianov wrote:
... Well, I tried another howto, about adding TLS support to Postfix, which worked for my mail server. But this didn't work either for stunnel.
Finally I combined some howtos and I got partial success. One has to append the private key, the certificate and "Diffie-Hellman parameters". Each section has a blank line between them. And the last line is also a blank line. I did it this way:

cat server.key > server.keycrt
echo \ >> server.keycrt
cat server.crt >> server.keycrt
echo \ >> server.keycrt
openssl gendh 512 >> server.keycrt

The server.keycrt is the cert stunnel uses.
With partial success I mean I can connect if I don't check the client certificate at the server (verify = 2). I believe the server can't find the client certificate, but I don't know why.
Does anyone know how to see which file an application tries to open?
--
Kind regards,
Koenraad Lelong
R&D Manager
ACE electronics n.v.
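As an added example (editor's code, not from the thread or from the stunnel or Firebird projects): a small POSIX shell script that assembles the bundle stunnel reads from "cert =" (private key, certificate, optional DH parameters, blank line between sections, as described in the post above) and scans a file for those sections first, so that a cert-only file or a file with no PEM header at all is reported before stunnel prints "PEM_read_bio:no start line". The "gen" mode rebuilds the CA / server / client setup with openssl under assumed names (stunnel-demo-ca, server, client, trusted.pem, dh.pem) and signs with "openssl x509 -req" instead of "openssl ca" to avoid the demoCA directory; it also covers the verify = 3 problem, because at that level stunnel checks the peer's certificate against the certificates in CAfile/CApath, so the client certificate itself, not only the CA certificate, has to be in there.

```shell
#!/bin/sh
# Added example: build and sanity-check the PEM bundle stunnel expects in "cert =".
# Not part of the original thread; file names and subjects below are assumptions.
set -u

# Print the section types found in a PEM file, one per line (e.g. "RSA PRIVATE KEY").
pem_sections() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Return 0 only when FILE holds a private key and a certificate, which is what
# stunnel needs when "key =" is not configured separately.  A file without any
# "-----BEGIN" line is the case OpenSSL reports as "no start line"; return 2 for it.
check_stunnel_pem() {
    f=$1
    secs=$(pem_sections "$f")
    if [ -z "$secs" ]; then
        echo "$f: no PEM start line at all (stunnel would report 'no start line')" >&2
        return 2
    fi
    rc=0
    echo "$secs" | grep -q 'PRIVATE KEY$' || { echo "$f: missing private key" >&2; rc=1; }
    echo "$secs" | grep -qx 'CERTIFICATE' || { echo "$f: missing certificate" >&2; rc=1; }
    echo "$secs" | grep -qx 'DH PARAMETERS' \
        || echo "$f: no DH parameters (optional; stunnel only logs a warning)" >&2
    return $rc
}

# Concatenate KEY, CERT and an optional DH file into OUT with a blank line
# between sections, then restrict permissions because OUT contains the key.
make_stunnel_pem() {
    key=$1; cert=$2; out=$3; dh=${4:-}
    {
        cat "$key"; echo
        cat "$cert"; echo
        if [ -n "$dh" ]; then cat "$dh"; fi
    } > "$out"
    chmod 600 "$out"
    check_stunnel_pem "$out"
}

# Full procedure with openssl (assumed installed): CA, server and client certs,
# DH parameters, the stunnel bundle, and a CAfile that also lists the client cert.
gen_demo() {
    d=$1
    mkdir -p "$d" && cd "$d" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=stunnel-demo-ca" \
        -keyout cakey.pem -out cacert.pem 2>/dev/null || return 1
    for n in server client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$n.key" -out "$n.req" 2>/dev/null || return 1
        openssl x509 -req -in "$n.req" -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 365 -out "$n.crt" 2>/dev/null || return 1
    done
    openssl dhparam -out dh.pem 2048 2>/dev/null || return 1   # slow; run once
    make_stunnel_pem server.key server.crt server.pem dh.pem || return 1
    # verify = 3: the peer's own certificate must be in CAfile (or hashed in CApath),
    # the CA certificate alone is not enough.
    cat cacert.pem client.crt > trusted.pem
}

# Matching stunnel.conf for the server side (assumed layout, same ports as the thread).
print_conf() {
    cat <<'EOF'
client = no
foreground = yes
debug = 7
verify = 3
CAfile = trusted.pem
cert = server.pem
[firebird]
accept = 3051
connect = localhost:3050
EOF
}

case "${1:-}" in
    gen)   gen_demo "${2:-./stunnel-demo}" && print_conf ;;
    check) check_stunnel_pem "${2:?usage: check FILE}" ;;
esac
```

Run "sh stunnel-pem.sh check /etc/stunnel/server.pem" to see which sections a bundle actually contains, or "sh stunnel-pem.sh gen ./demo" to build a complete set from scratch. To see which files stunnel itself tries to open (the question asked above), start it under "strace -e trace=open,openat stunnel stunnel.conf"; relative CAfile/CApath/cert names are resolved against stunnel's working directory, which strace makes visible.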