Discussion:
[stunnel-users] SSL Error
Randall LeJeune
2016-06-14 13:42:14 UTC
Hello. I am getting the following error when I try to run stunnel:

[***@doadmzqas stunnel]# stunnel
[ ] Clients allowed=31999
[.] stunnel 5.17 on powerpc-ibm-aix5.2.0.0 platform
[.] Compiled/running with OpenSSL 1.0.1s 1 Mar 2016
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*_Errno())
[.] Reading configuration from file /opt/freeware/etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] Snagged 64 random bytes from /home/root/.rnd
[ ] Wrote 1024 new random bytes to /home/root/.rnd
[ ] PRNG seeded successfully
[ ] Initializing service [sapdp3202]
[ ] Loading certificate from file: /opt/freeware/etc/stunnel/stunnel.pem
[!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [sapdp3202]: Failed to initialize SSL context

The version is 5.17 as you can see above. My config file looks like this:

; Log file (enable for troubleshooting)
output = /var/log/stunnel.log

; SSL Certificate and key files
cert = /opt/freeware/etc/stunnel/stunnel.pem
key = /opt/freeware/etc/stunnel/stunnel.key

; Restrict to FIPS compliant ciphers only
ciphers = FIPS

; Force the SSL version to TLSv1 only
sslVersion = TLSv1

; The cipher list and SSL version restrictions above should make us
; _de_facto_ FIPS compliant; our OpenSSL library is *not* FIPS
; compliant, so this cannot be set to 'yes'
fips = no

[sapdp3202]
client = yes
accept = 127.0.0.1:3202
connect = doaprdssl.dot.com.gov:4709

The OS is AIX version 7. Does anybody have any idea what this means?

Thanks in advance.
Małgorzata Olszówka
2016-06-14 15:28:23 UTC
Hi!
Where have you got the certificate and key files?
Maybe cert = /etc/stunnel/stunnel.pem etc...

Regards.

---
This message has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Małgorzata Olszówka
2016-06-14 16:33:24 UTC
I always can see one stunnel on one port.
You can kill -9 this old process of stunnel and run it again.
privkey-2014-hb_fix.pem
privkey.pem
sscert.pem
stunnel.conf
root 13238338 0.0 0.0 224 236 pts/6 A 10:48:14 0:00 grep stunnel
root 9896190 0.0 0.0 1096 1120 - A May 10 0:00 stunnel
When I ran stunnel at my house, I got a series of threads running. Does this look correct to you?
Thanks,
Randy
Małgorzata Olszówka
2016-06-15 07:57:37 UTC
OK, thanks. Do you know of any way that I can tell if it is actually working? Like sending some data to the port and checking to see if stunnel received it?
Thanks in advance,
Randy
Hello Randy,

Please reply to the list, so others are able to comment too.
You can see the connection in the log file stunnel.log
and the detailed data transfer in any sniffer.

Regards.



j***@gmail.com
2019-07-11 09:55:20 UTC
tls: Failed reading certificate file "/etc/freeradius/3.0/certs/***@gmail.com-cert.pem"
tls: error:0200100D:system library:fopen:Permission denied
tls: error:20074002:BIO routines:file_ctrl:system lib
tls: error:140DC002:SSL routines:use_certificate_chain_file:system lib
rlm_eap_tls: Failed initializing SSL context
rlm_eap (EAP): Failed to initialise rlm_eap_tls
/etc/freeradius/3.0/mods-enabled/eap[14]: Instantiation failed for module "eap"

Please help me
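The `fopen:No such file or directory` error in the first post and the `fopen:Permission denied` error in the last one both come down to whether the process can open the file named in its configuration. As an added example (not part of the thread and not stunnel's own code), this POSIX shell script reads the `cert`, `key` and `CAfile` paths from a stunnel config and reports which are missing or unreadable; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not stunnel code): check the files a stunnel.conf points at.

# Print ok, missing (fopen would fail: No such file or directory) or
# unreadable (Permission denied). A non-searchable parent directory also
# shows up as "missing" here, and root passes -r on any file, so run this
# as the account the daemon runs under.
check_tls_file() {
    if [ ! -e "$1" ]; then echo missing
    elif [ ! -r "$1" ]; then echo unreadable
    else echo ok
    fi
}

# Print "option path status" for each active cert/key/CAfile line in the
# config ($1); lines commented out with ';' are skipped.
# Returns 1 if any file is not ok.
check_stunnel_conf() {
    rc=0
    pairs=$(awk -F= '/^[ \t]*(cert|key|CAfile)[ \t]*=/ {
        name = $1; val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
        print name " " val }' "$1")
    while read -r name path; do
        [ -n "$path" ] || continue
        status=$(check_tls_file "$path")
        echo "$name $path $status"
        [ "$status" = ok ] || rc=1
    done <<EOF
$pairs
EOF
    return $rc
}

# Constructed sample modelled on the config in the first post:
# the cert file exists, the key file does not.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/stunnel.pem"
    printf '%s\n' '; SSL Certificate and key files' \
        "cert = $d/stunnel.pem" "key = $d/stunnel.key" \
        '[sapdp3202]' 'client = yes' > "$d/stunnel.conf"
    check_stunnel_conf "$d/stunnel.conf"; rc=$?
    rm -rf "$d"
    return $rc
}

if [ $# -gt 0 ]; then check_stunnel_conf "$1"; else demo || true; fi
```

Pass the config path as the first argument to check a real file, for example the `/opt/freeware/etc/stunnel/stunnel.conf` named in the first post's log.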