[opensuse] stunnel certificates
- From: Koenraad Lelong <k.lelong@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 30 May 2007 13:26:13 +0200
Hi,
I want to secure access to a database server (Firebird). I want to do this with stunnel. I'm having trouble with the certificates. This is what I did, using standard Suse 10.0 stuff (I modified openssl.cnf to have a number of defaults):
#in a clean directory create structure :
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 00 > demoCA/serial
#Create CA files
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out \
demoCA/cacert.pem
#Create server key & signing request
openssl req -nodes -new -newkey rsa:1024 -keyout server.key -out \
server.req
#sign server certificate
openssl ca -policy policy_anything -notext -in server.req -out \
server.crt
#Create client key & signing request
openssl req -nodes -new -newkey rsa:1024 -keyout client.key -out \
client.req
#sign client certificate
openssl ca -policy policy_anything -notext -in client.req -out \
client.crt
cp demoCA/newcerts/00.pem /etc/stunnel/server.pem
cp demoCA/cacert.pem /etc/stunnel/cacert.pem
chmod 740 /etc/stunnel/server.pem
My stunnel.conf is :
client = no
foreground = yes
debug = 7
verify = 3
CApath = certs
CAfile = cacert.pem
cert = server.pem
[firebird]
accept = 3051
connect = localhost:3050
When I try to start stunnel I get :
ace-cad-3:/etc/stunnel # stunnel stunnel.conf
2007.05.30 12:59:33 LOG7[14071:1076660896]: Snagged 64 random bytes from /root/.rnd
2007.05.30 12:59:33 LOG7[14071:1076660896]: Wrote 1024 new random bytes to /root/.rnd
2007.05.30 12:59:33 LOG7[14071:1076660896]: RAND_status claims sufficient entropy for the PRNG
2007.05.30 12:59:33 LOG6[14071:1076660896]: PRNG seeded successfully
2007.05.30 12:59:33 LOG5[14071:1076660896]: Could not load DH parameters from server.pem
2007.05.30 12:59:33 LOG4[14071:1076660896]: Diffie-Hellman initialization failed
2007.05.30 12:59:33 LOG3[14071:1076660896]: Error reading certificate file: server.pem
2007.05.30 12:59:33 LOG3[14071:1076660896]: SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
ace-cad-3:/etc/stunnel #
This procedure is an adaptation from a document from the Firebird community. What am I missing? I think the Diffie-Hellman stuff can be ignored.
I tried three other documents (from the stunnel site) but these don't work either (for me ;-) ).
Can anyone give suggestions, tips, links? They will be very much appreciated.
Are there other methods? I don't want to give ssh access to the users.
I know of zebedee, but this seems old (unsupported?).
--
Met vriendelijke groeten,
Koenraad Lelong
R&D Manager
ACE electronics n.v.
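An added example, not part of the original post, that inspects a PEM file the way stunnel's `cert =` option needs it: the file must contain at least one PEM block (OpenSSL's "no start line" means it found no `-----BEGIN` line at all), a certificate, and, unless a separate `key =` option is configured, the matching private key. The PEM bodies below are constructed placeholders, not real key material.

```python
import re

# Constructed sample files (placeholder base64, not real keys or certificates).
# CERT_ONLY mimics a file that starts with the text dump openssl prints before
# the armour; KEY_AND_CERT is the layout stunnel expects in one cert file.
CERT_ONLY = """Certificate:
    Data:
        Version: 3 (0x2)
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIBADANBgkqhkiG9w0BAQUFADAAMB4XDTA3MDUzMDEw
-----END CERTIFICATE-----
"""

KEY_AND_CERT = """-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC7
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIBADANBgkqhkiG9w0BAQUFADAAMB4XDTA3MDUzMDEw
-----END CERTIFICATE-----
"""

NO_PEM = "just some text without any PEM armour\n"

# A PEM block is a BEGIN line, a body, and an END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)


def pem_labels(text):
    """Return the labels of every PEM block in the file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_stunnel_cert_file(text):
    """Return a list of problems stunnel would hit loading this as `cert =`."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM block found (OpenSSL reports 'no start line')"]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block (stunnel reads the key from the "
                        "cert file unless 'key =' points elsewhere)")
    return problems


def combine_key_and_cert(key_text, cert_text):
    """Build the single-file layout (key first, then certificate)."""
    return key_text.rstrip("\n") + "\n" + cert_text.lstrip("\n")
```

The combined file holds a private key, so restrict its permissions to the user stunnel runs as.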