Hey Ben - once you've figured out how to do this, why don't you write
up a howto? ;)

On Tue, Mar 20, 2001 at 12:17:07PM -0600, Jason J (jasonj at innominatus.com) wrote:
> Are you sure your ssl certificates are valid?
> 
> 'openssl verify <filename>.pem'
> 
> I had some errors in the beginning when some of my certs were bad. I don't know why
> the cert was bad, but I remade it with:
> 
> 'openssl req -new -x509 -nodes -days 365 -out /usr/local/ssl/certs/stunnel.pem -keyout /usr/local/ssl/certs/stunnel.pem'
> 
> Ben Lutgens wrote:
> 
> > On Mon, Mar 19, 2001 at 11:28:39PM -0600, Jason J wrote:
> > >Stunnel doesn't suck. I have been using this method to tunnel my database
> > >interaction for at least 6 months.
> >
> > No matter what I do, it seems like it's going to connect and then I get
> > SSL_connect: error:0000000000::lib(0) :func:(0) :reason(0)
> > in the log on client side
> > and
> >
> > stunnel: localhost.3306 connected from web.server.ip:some_randomportnumber
> > stunnel: remote connect: Connection Refused (111)
> >
> > in the log on the server side. I am not trying to go through my firewall yet,
> > and am running the exact same commands I see both in this mail and on
> > stunnel.org
> >
> > >
> > >Client Web Server Side:
> > >IP: Any IP
> > >box1# /usr/local/sbin/stunnel -c -p /usr/local/ssl/certs/stunnel.pem -d 127.0.0.1:3306 -r 10.10.10.5:3306
> > >    # Only bound to local loopback, not accessible from any other interfaces
> > >
> > >Server MySQL Side:
> > >IP: 10.10.10.5
> > >box2# /usr/local/sbin/stunnel -p /usr/local/ssl/certs/stunnel.pem -d 10.10.10.5:3306 -r 127.0.0.1:3306
> > >    # Only bound to ethX and forwards traffic from ethX to local loopback
> > >/usr/local/bin/safe_mysqld --bind-address=127.0.0.1
> > >    # Only bound to local loopback interface, not accessible from any other interfaces
> > >
> > >Test:
> > >box1# telnet 127.0.0.1 3306
> > >Trying 127.0.0.1...
> > >Connected to 127.0.0.1.
> > >Escape character is '^]'.
> > >?
> > >3.22.32KiQ;n=&A
> > >
> > >3.22.32 is the version of mysql currently running on the old dev box I ran this
> > >test on. So it worked.
> > >
> > >
> > >The binding of mysql on 3306 only on 'lo' and stunnel on 3306 only on 'ethX'
> > >won't conflict. Plus, you don't have to use the same port numbers anyway, I just
> > >do it for convenience, mysql always running on 3306.
> > >
> > >Ben Lutgens wrote:
> > >
> > >> O.k. so I am trying to tunnel mysql using stunnel. So far I'm convinced it's
> > >> not possible. How can you bind port 3306 on your tunnel when mysql is using
> > >> that port? It makes no sense to me.
> > >>
> > >> On the server side if you run stunnel -p $PEMFILE -d $REMOTEIP -r
> > >> 127.0.0.1:3306
> > >>
> > >> I get "Can't bind requested address"
> > >>
> > >> Tunneling stuff through ssh sucks, and it seems stunnel sucks too.
> > >>
> > >> --
> > >> Ben Lutgens             cell: 612.670.4789
> > >> Sistina Software Inc.   work: 612.379.3951
> > >> Code Monkey Support (A.K.A. System Administrator)
> > >>
> > >> "It's hard to believe that's the same frail woman who once sprained her wrist
> > >> from having too much dip on a cracker!" -- Frazier Crane
> > >
> > >_______________________________________________
> > >tclug-list mailing list
> > >tclug-list at mn-linux.org
> > >https://mailman.mn-linux.org/mailman/listinfo/tclug-list

-- 
Amy Tanner                                      Voice: 952.943.8700
Real Time Enterprises, Inc.	                  Fax: 952.943.8500
amy at real-time.com		    	   http://www.real-time.com
GPG Fingerprint: DAC7 E1B2 80D9 3099 1A20  0817 2DFE 5086 81B3 5466
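
Added example, not part of the original thread: a Python check of the point made in the quoted reply, that a listener bound to port 3306 only on loopback and another bound to the same port only on the Ethernet address do not conflict, while a second bind to the same address or to the wildcard address does. It assumes Linux, where every 127.0.0.0/8 address is local; 127.0.0.2 stands in for the ethX address and an OS-chosen free port stands in for 3306.

```python
import errno
import socket


def try_listen(addr, port):
    """Bind and listen on addr:port; return (socket, "bound") or (None, errno name)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        s.listen(1)
        return s, "bound"
    except OSError as exc:
        s.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def bind_outcomes():
    """Hold one listener on loopback, then try the same port on other addresses."""
    held = []
    try:
        # Stand-in for mysqld with --bind-address=127.0.0.1 (port 0 = OS picks a free port).
        db, status = try_listen("127.0.0.1", 0)
        if db is None:
            raise RuntimeError("could not bind loopback: " + status)
        held.append(db)
        port = db.getsockname()[1]

        results = {}
        attempts = (
            ("other_address", "127.0.0.2"),  # assumption: stand-in for the ethX address
            ("same_address", "127.0.0.1"),   # second listener on the address already in use
            ("wildcard", "0.0.0.0"),         # all interfaces, which includes loopback
        )
        for label, addr in attempts:
            sock, results[label] = try_listen(addr, port)
            if sock is not None:
                held.append(sock)
        return results
    finally:
        for s in held:
            s.close()


if __name__ == "__main__":
    for label, outcome in bind_outcomes().items():
        print(f"{label:14s} {outcome}")
```
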