I have used this:
http://www.5dollarwhitebox.org/wiki/index.php/Howtos_Self_Signed_SSL_Certificates

To create a csr and cert etc. I had to only add a flag to generate the
file for the serial number.
I am not sure what is causing this issue, but trying a different
approach may help or lead to a different error message.
HTH
George


On 5/30/07, Koenraad Lelong <[EMAIL PROTECTED]> wrote:
Hi,
I want to secure access to a database server (Firebird). I want to do
this with stunnel. I'm having troubles with the certificates. This is
what I did, using standard Suse 10.0 stuff (I modified openssl.cnf to
have a number of defaults) :
#in a clean directory create structure :
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 00 > demoCA/serial
#Create CA files
openssl req -new -x509 -keyout demoCA/private/cakey.pem -out \
  demoCA/cacert.pem
#Create server key & signing request
openssl req -nodes -new -newkey rsa:1024 -keyout server.key -out \
  server.req
#sign server certificate
openssl ca -policy policy_anything -notext -in server.req -out \
  server.crt
#Create client key & signing request
openssl req -nodes -new -newkey rsa:1024 -keyout client.key -out \
  client.req
#sign client certificate
openssl ca -policy policy_anything -notext -in client.req -out \
  client.crt
cp demoCA/newcerts/00.pem /etc/stunnel/server.pem
cp demoCA/cacert.pem /etc/stunnel/cacert.pem
chmod 740 /etc/stunnel/server.pem

My stunnel.conf is :
client = no
foreground = yes
debug = 7
verify = 3
CApath = certs
CAfile = cacert.pem
cert = server.pem
[firebird]
accept = 3051
connect = localhost:3050

When I try to start stunnel I get :
ace-cad-3:/etc/stunnel # stunnel stunnel.conf
2007.05.30 12:59:33 LOG7[14071:1076660896]: Snagged 64 random bytes from
/root/.rnd
2007.05.30 12:59:33 LOG7[14071:1076660896]: Wrote 1024 new random bytes
to /root/.rnd
2007.05.30 12:59:33 LOG7[14071:1076660896]: RAND_status claims
sufficient entropy for the PRNG
2007.05.30 12:59:33 LOG6[14071:1076660896]: PRNG seeded successfully
2007.05.30 12:59:33 LOG5[14071:1076660896]: Could not load DH parameters
from server.pem
2007.05.30 12:59:33 LOG4[14071:1076660896]: Diffie-Hellman
initialization failed
2007.05.30 12:59:33 LOG3[14071:1076660896]: Error reading certificate
file: server.pem
2007.05.30 12:59:33 LOG3[14071:1076660896]:
SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM
routines:PEM_read_bio:no start line
ace-cad-3:/etc/stunnel #

This procedure is an adaptation from a document from the Firebird
community. What am I missing? I think the Diffie-Hellman stuff can be
ignored.
I tried three other documents (from the stunnel-site) but these don't
work either (for me ;-) ).
Anyone can give suggestions, tips, links? They will be very much
appreciated.
Are there other methods? I don't want to give ssh access to the users.
I know of zebedee, but this seems old (unsupported?).
--
Met vriendelijke groeten,
Koenraad Lelong
R&D Manager
ACE electronics n.v.

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


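An added check, written for this thread and not taken from either message or from the stunnel project: before pointing stunnel's `cert =` at a file, confirm that the file really carries PEM markers (the `PEM_read_bio:no start line` error in the log means OpenSSL found no `-----BEGIN ...-----` block of the type it was looking for) and that it holds the private key next to the certificate, since stunnel's `key` option defaults to the `cert` file. It assumes POSIX sh and grep; openssl is only used when installed, and the `demo` function's file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the file stunnel will
# load as "cert = server.pem" before starting it.

# Number of PEM blocks whose BEGIN line carries the given label (grep BRE,
# so ".*PRIVATE KEY" matches RSA and PKCS#8 keys). Missing file counts as 0.
pem_block_count() {
    n=$(grep -c "^-----BEGIN $2-----" "$1" 2>/dev/null)
    echo "${n:-0}"
}

# Layout stunnel needs when no separate key= is configured: at least one
# CERTIFICATE block (a CERTIFICATE REQUEST does not count) and one key.
pem_layout_ok() {
    certs=$(pem_block_count "$1" CERTIFICATE)
    keys=$(pem_block_count "$1" ".*PRIVATE KEY")
    [ "$certs" -ge 1 ] && [ "$keys" -eq 1 ]
}

# With openssl available, also confirm both blocks parse and that the key
# belongs to the first certificate (identical public key). Without openssl
# this step is skipped rather than failed.
pem_key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Demonstration: assemble key + certificate into one file from a throwaway
# self-signed pair, then run both checks. Names are constructed.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, demo skipped"; return 0; }
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example-demo \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    cat "$d/server.key" "$d/server.crt" > "$d/server.pem"
    chmod 600 "$d/server.pem"   # the file holds a private key: owner-only
    if pem_layout_ok "$d/server.pem" && pem_key_matches_cert "$d/server.pem"; then
        echo "server.pem is usable as stunnel's cert= file"
    else
        echo "server.pem would fail to load (no start line or key mismatch)"
    fi
    rm -rf "$d"
}

demo
```

Running `pem_layout_ok` against a file copied from `demoCA/newcerts/` shows immediately whether the private key is missing from it.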