Hello,
 
I'm trying to set up sTunnel to use client certificates in the following arrangement:
 
Client Java Server (HTTP) --> sTunnel (HTTPS w/client cert) --> Windows IIS SOAP service, requires client cert
 
The client certificate was generated from a MS CA cert generation tool, one we use for our internal certificates and our internal CA. The client cert was generated as a .pfx file and I used OpenSSL to convert it to a .pem file with the -nodes option.
 
Testing without the client certificates shows that if the IIS hosted SOAP service is set to not require a client certificate, the sTunnel configuration works and we're able to communicate between the HTTP only client and the HTTPS IIS hosted service.
 
However, once we add the certificate, the communication stops at the handshake. I'm wondering if I need to change the client .pem cert to have the private key (don't use the -nodes option when converting using OpenSSL).
 
Here are the contents of the .conf file:
 
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = user_cert.pem
key = user_cert.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = c:\temp\stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
[http]
accept = 8090
connect = 10.12.32.164:443
TIMEOUTclose = 0
; vim:ft=dosini
 
Here is the output from the log file showing two attempts to hit the service with the client cert, one from a browser and one from a bit of client code:
 
2010.03.19 09:58:27 LOG5[5864:4032]: Reading configuration from file stunnel.conf
2010.03.19 09:58:27 LOG7[5864:4032]: RAND_status claims sufficient entropy for the PRNG
2010.03.19 09:58:27 LOG7[5864:4032]: PRNG seeded successfully
2010.03.19 09:58:27 LOG7[5864:4032]: Certificate: user_cert.pem
2010.03.19 09:58:27 LOG7[5864:4032]: Certificate loaded
2010.03.19 09:58:27 LOG7[5864:4032]: Key file: user_cert.pem
2010.03.19 09:58:27 LOG7[5864:4032]: Private key loaded
2010.03.19 09:58:27 LOG7[5864:4032]: SSL context initialized for service http
2010.03.19 09:58:27 LOG5[5864:4032]: Configuration successful
2010.03.19 09:58:27 LOG5[5864:4032]: No limit detected for the number of clients
2010.03.19 09:58:27 LOG7[5864:4032]: FD=176 in non-blocking mode
2010.03.19 09:58:27 LOG7[5864:4032]: Option SO_REUSEADDR set on accept socket
2010.03.19 09:58:27 LOG7[5864:4032]: Service http bound to 0.0.0.0:8090
2010.03.19 09:58:27 LOG7[5864:4032]: Service http opened FD=176
2010.03.19 09:58:27 LOG5[5864:4032]: stunnel 4.31 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2010.03.19 09:58:27 LOG5[5864:4032]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.03.19 09:59:42 LOG7[5864:3864]: Service http accepted FD=440 from 127.0.0.1:49886
2010.03.19 09:59:42 LOG7[5864:3864]: Creating a new thread
2010.03.19 09:59:42 LOG7[5864:3864]: New thread created
2010.03.19 09:59:42 LOG7[5864:4328]: Service http started
2010.03.19 09:59:42 LOG7[5864:4328]: FD=440 in non-blocking mode
2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on local socket
2010.03.19 09:59:42 LOG5[5864:4328]: Service http accepted connection from 127.0.0.1:49886
2010.03.19 09:59:42 LOG7[5864:4328]: FD=460 in non-blocking mode
2010.03.19 09:59:42 LOG6[5864:4328]: connect_blocking: connecting 10.12.32.164:443
2010.03.19 09:59:42 LOG7[5864:4328]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds
2010.03.19 09:59:42 LOG5[5864:4328]: connect_blocking: connected 10.12.32.164:443
2010.03.19 09:59:42 LOG5[5864:4328]: Service http connected remote server from 10.12.47.109:49887
2010.03.19 09:59:42 LOG7[5864:4328]: Remote FD=460 initialized
2010.03.19 09:59:42 LOG7[5864:4328]: Option TCP_NODELAY set on remote socket
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): before/connect initialization
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client hello A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server hello A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server certificate A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server done A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client key exchange A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write change cipher spec A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write finished A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 flush data
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read finished A
2010.03.19 09:59:42 LOG7[5864:4328]:    1 items in the session cache
2010.03.19 09:59:42 LOG7[5864:4328]:    1 client connects (SSL_connect())
2010.03.19 09:59:42 LOG7[5864:4328]:    1 client connects that finished
2010.03.19 09:59:42 LOG7[5864:4328]:    0 client renegotiations requested
2010.03.19 09:59:42 LOG7[5864:4328]:    0 server connects (SSL_accept())
2010.03.19 09:59:42 LOG7[5864:4328]:    0 server connects that finished
2010.03.19 09:59:42 LOG7[5864:4328]:    0 server renegotiations requested
2010.03.19 09:59:42 LOG7[5864:4328]:    0 session cache hits
2010.03.19 09:59:42 LOG7[5864:4328]:    0 external session cache hits
2010.03.19 09:59:42 LOG7[5864:4328]:    0 session cache misses
2010.03.19 09:59:42 LOG7[5864:4328]:    0 session cache timeouts
2010.03.19 09:59:42 LOG6[5864:4328]: SSL connected: new session negotiated
2010.03.19 09:59:42 LOG6[5864:4328]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2010.03.19 10:01:54 LOG3[5864:4328]: SSL_read: Connection reset by peer (WSAECONNRESET) (10054)
2010.03.19 10:01:54 LOG5[5864:4328]: Connection reset: 568 bytes sent to SSL, 0 bytes sent to socket
2010.03.19 10:01:54 LOG7[5864:4328]: Service http finished (0 left)
2010.03.19 10:03:28 LOG7[5864:3864]: Service http accepted FD=476 from 127.0.0.1:50155
2010.03.19 10:03:28 LOG7[5864:3864]: Creating a new thread
2010.03.19 10:03:28 LOG7[5864:3864]: New thread created
2010.03.19 10:03:28 LOG7[5864:1216]: Service http started
2010.03.19 10:03:28 LOG7[5864:1216]: FD=476 in non-blocking mode
2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on local socket
2010.03.19 10:03:28 LOG5[5864:1216]: Service http accepted connection from 127.0.0.1:50155
2010.03.19 10:03:28 LOG7[5864:1216]: FD=440 in non-blocking mode
2010.03.19 10:03:28 LOG6[5864:1216]: connect_blocking: connecting 10.12.32.164:443
2010.03.19 10:03:28 LOG7[5864:1216]: connect_blocking: s_poll_wait 10.12.32.164:443: waiting 10 seconds
2010.03.19 10:03:28 LOG5[5864:1216]: connect_blocking: connected 10.12.32.164:443
2010.03.19 10:03:28 LOG5[5864:1216]: Service http connected remote server from 10.12.47.109:50156
2010.03.19 10:03:28 LOG7[5864:1216]: Remote FD=440 initialized
2010.03.19 10:03:28 LOG7[5864:1216]: Option TCP_NODELAY set on remote socket
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): before/connect initialization
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write client hello A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read server hello A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 read finished A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write change cipher spec A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 write finished A
2010.03.19 10:03:28 LOG7[5864:1216]: SSL state (connect): SSLv3 flush data
2010.03.19 10:03:28 LOG7[5864:1216]:    1 items in the session cache
2010.03.19 10:03:28 LOG7[5864:1216]:    2 client connects (SSL_connect())
2010.03.19 10:03:28 LOG7[5864:1216]:    2 client connects that finished
2010.03.19 10:03:28 LOG7[5864:1216]:    0 client renegotiations requested
2010.03.19 10:03:28 LOG7[5864:1216]:    0 server connects (SSL_accept())
2010.03.19 10:03:28 LOG7[5864:1216]:    0 server connects that finished
2010.03.19 10:03:29 LOG7[5864:1216]:    0 server renegotiations requested
2010.03.19 10:03:29 LOG7[5864:1216]:    1 session cache hits
2010.03.19 10:03:29 LOG7[5864:1216]:    0 external session cache hits
2010.03.19 10:03:29 LOG7[5864:1216]:    0 session cache misses
2010.03.19 10:03:29 LOG7[5864:1216]:    0 session cache timeouts
2010.03.19 10:03:29 LOG6[5864:1216]: SSL connected: previous session reused
2010.03.19 10:04:28 LOG7[5864:1216]: Socket closed on read
2010.03.19 10:04:28 LOG7[5864:1216]: SSL write shutdown
2010.03.19 10:04:28 LOG7[5864:1216]: SSL alert (write): warning: close notify
2010.03.19 10:04:28 LOG6[5864:1216]: SSL_shutdown successfully sent close_notify
2010.03.19 10:04:28 LOG6[5864:1216]: s_poll_wait timeout: connection close
2010.03.19 10:04:28 LOG5[5864:1216]: Connection closed: 1541 bytes sent to SSL, 25 bytes sent to socket
2010.03.19 10:04:28 LOG7[5864:1216]: Service http finished (0 left)
 
Any hints would be appreciated!
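An added check (not part of the original post, and not stunnel's own code) for the two things in question: whether the logged handshake actually contained a CertificateRequest from the server, which is the only case in which the client sends the certificate named in cert=, and whether the .pem bundle holds both a certificate and a private key that needs no passphrase (openssl pkcs12 -nodes keeps the key, it just leaves it unencrypted). The function names, the sample log lines and the placeholder PEM are constructed for this example.

```python
import re

# stunnel 4.x at debug = 7 logs one "SSL state (connect): <state>" line per handshake step.
STATE_RE = re.compile(r"SSL state \(connect\): (?P<state>.+?)\s*$")
# One PEM block: header, body and matching footer (the body is not decoded here).
PEM_RE = re.compile(r"-----BEGIN (?P<type>[A-Z ]+)-----(?P<body>.*?)-----END (?P=type)-----", re.S)

def handshake_states(log_lines):
    """Ordered list of TLS handshake states found in stunnel log lines."""
    states = []
    for line in log_lines:
        m = STATE_RE.search(line)
        if m:
            states.append(m.group("state"))
    return states

def server_requested_client_cert(log_lines):
    """True only if the server sent a CertificateRequest in the logged handshake.
    OpenSSL 0.9.8 logs that step as 'SSLv3 read server certificate request A';
    without it the client never sends the cert= certificate, however it is set."""
    return any("read server certificate request" in s for s in handshake_states(log_lines))

def pem_blocks(pem_text):
    """Map each PEM block type in a bundle to (count, encrypted?)."""
    found = {}
    for m in PEM_RE.finditer(pem_text):
        kind, body = m.group("type"), m.group("body")
        encrypted = kind.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
        count, enc = found.get(kind, (0, False))
        found[kind] = (count + 1, enc or encrypted)
    return found

def usable_for_stunnel_client(pem_text):
    """cert= needs a certificate and key= a private key; with both pointing at one
    file it must hold both, and the key must need no passphrase (what -nodes gives)."""
    blocks = pem_blocks(pem_text)
    keys = [enc for kind, (_, enc) in blocks.items() if kind.endswith("PRIVATE KEY")]
    return "CERTIFICATE" in blocks and bool(keys) and not any(keys)

# Constructed sample: the first attempt's handshake lines from the log above.
SAMPLE_LOG = """\
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 write client hello A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server hello A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server certificate A
2010.03.19 09:59:42 LOG7[5864:4328]: SSL state (connect): SSLv3 read server done A
""".splitlines()
# Constructed placeholder bundle (no real key material), shaped like pkcs12 -nodes output.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
              "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
```

Run it against the real stunnel.log and user_cert.pem: a handshake with no "read server certificate request" state means the server never asked for the certificate at the TLS layer, so the bundle's contents are not what is blocking it.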