Hello,
after a day of trying..
- 2 box of *Win7 Pro x64* - fresh install of *stunnel 4.52* - keys generated with C:\Program Files (x86)\stunnel>* **.\openssl.exe req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem* - *certs.pem* on both box contains certificate part of stunnel.pem from both machine
server stunnel.conf (192.168.0.52):
debug = 7 cert = stunnel.pem verify = 2 CAfile = certs.pem options = NO_SSLv2
[unison] accept = 10001 connect = 127.0.0.1:10000
client stunnel.conf (192.168.0.216):
client = yes debug = 7 cert = stunnel.pem verify = 2 CAfile = certs.pem options = NO_SSLv2
[unison] client = yes accept = 127.0.0.1:10000 connect = 192.168.0.52:10001
Test #1: *OK*
C:\Program Files (x86)\stunnel>* .\openssl verify -CAfile certs.pem stunnel.pem* *stunnel.pem: OK*
C:\Program Files (x86)\stunnel>* .\openssl verify -CAfile certs.pem certs.pem* *certs.pem: OK*
Test #2: *OK*
C:\Program Files (x86)\stunnel> *.\openssl s_server -accept 10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*
vs
C:\Program Files (x86)\stunnel> *.\openssl s_client -connect 192.168.0.52:10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*
Test #3: *OK - "certificate accepted" *
C:\Program Files (x86)\stunnel> *.\openssl s_server -accept 10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*
vs
*stunnel client** *
Test #4: *OK - "certificate accepted" *
*stunnel server*
vs
C:\Program Files (x86)\stunnel> *.\openssl s_client -connect 192.168.0.52:10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*
Test #5: *FAILED*
*stunnel server*
Service unison accepted connection from 192.168.0.216:23134 2012.02.14 09:02:39 LOG3[134028:132792]: SSL_accept: 140943F2: error:140943F2:SSL routines:*SSL3_READ_BYTES:sslv3 alert unexpected message* 2012.02.14 09:02:39 LOG5[134028:132792]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket* *
vs
*stunnel client *
2012.02.14 09:02:33 LOG5[2500:5876]: Service unison connected remote server from 192.168.0.216:23134 2012.02.14 09:02:33 LOG7[2500:5876]: Remote FD=372 initialized 2012.02.14 09:02:33 LOG3[2500:5876]: SSL_connect: 140870E8: error:140870E8:SSL routines:*SSL3_GET_CERTIFICATE_**REQUEST:tls client cert req with anon cipher* 2012.02.14 09:02:33 LOG5[2500:5876]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
After a *stunnel.conf **reload* on both box (yes, only a reload) then the following details and differences appear:
*stunnel server* vs *openssl s_client : OK - "certificate accepted" *
2012.02.14 09:42:02 LOG5[134236:132440]: Service unison accepted connection from 192.168.0.216:23698 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): before/accept initialization 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read client hello B 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): *SSLv3 write server hello A* 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): *SSLv3 write certificate A* 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): *SSLv3 write key exchange A* 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write certificate request A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 flush data 2012.02.14 09:42:02 LOG7[134236:132440]: Starting certificate verification: depth=0, /C=HU/ST=Mazovia Province/L=Budapest/O=-/OU=client/CN=x-pc 2012.02.14 09:42:02 LOG5[134236:132440]: Certificate accepted: depth=0, /C=HU/ST=Mazovia Province/L=Budapest/O=-/OU=client/CN=x-pc
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read client certificate A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read client key exchange A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read certificate verify A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read finished A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write session ticket A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write change cipher spec A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write finished A 2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 flush data
*stunnel server* vs *stunnel client : FAILED *
*server:*
2012.02.14 09:45:24 LOG5[134236:134552]: Service unison accepted connection from 192.168.0.216:23752 2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): before/accept initialization 2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 read client hello B 2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): *SSLv3 write server hello A* 2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): *SSLv3 write key exchange A* 2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 write certificate request A 2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 flush data 2012.02.14 09:45:24 LOG7[134236:134552]: SSL alert (read): fatal: unexpected_message 2012.02.14 09:45:24 LOG3[134236:134552]: SSL_accept: 140943F2: error:140943F2:SSL routines:*SSL3_READ_BYTES:sslv3 alert unexpected message* 2012.02.14 09:45:24 LOG5[134236:134552]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket 2012.02.14 09:45:24 LOG7[134236:134552]: Service unison finished (0 left)
*client:*
2012.02.14 09:45:18 LOG5[1100:7176]: Service unison connected remote server from 192.168.0.216:23752 2012.02.14 09:45:18 LOG7[1100:7176]: Remote FD=452 initialized 2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): before/connect initialization 2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): SSLv3 write client hello A 2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): *SSLv3 read server hello A* 2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): *SSLv3 read server key exchange A* 2012.02.14 09:45:18 LOG7[1100:7176]: SSL alert (write): *fatal: unexpected_message* 2012.02.14 09:45:18 LOG3[1100:7176]: SSL_connect: 140870E8: error:140870E8:SSL routines:*SSL3_GET_CERTIFICATE_**REQUEST:tls client cert req with anon cipher* 2012.02.14 09:45:18 LOG5[1100:7176]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
Please, give me some clues.
Thank you,
Laszlo
**