Pierre and List,
Thanks for the answer. Maybe I wasn't clear enough in my question:
1 - I have a p12 and a p7b file, which work in Firefox and iexplore.
2 - I want to set up a tunnel, so the encryption is done by stunnel and not by the browser (so I can 'talk' plain HTTP for SOAP).
Removing the password sounds like a good idea, so I started with this. However, somehow my openssl doesn't know the command pkey (as mentioned: http://www.openssl.org/docs/apps/pkey.html).
$ openssl pkey
openssl:Error: 'pkey' is an invalid command.
$ openssl version
OpenSSL 0.9.8g 19 Oct 2007
And
openssl.exe pkey
openssl:Error: 'pkey' is an invalid command.
openssl version
OpenSSL 0.9.8i 15 Sept 2008
I searched the net for the error message, but I couldn't find a solution (I did find more questions regarding this on mailing lists).
On Thu, 2009-03-12 at 08:21 +0100, delaage.pierre@free.fr wrote:
According to Eduard Witteveen eduard@nergens.org: Hello, In such a case a definitive solution is to remove the password protection from the private key, although it is not good for your security, so be careful. See the info at openssl.org: http://www.openssl.org/docs/apps/pkey.html#EXAMPLES
"... To remove the pass phrase on an RSA private key:
openssl pkey -in key.pem -out keyout.pem ..."
and then regenerate a p12 file for your browsers.
I do not know of a way to specify the password in stunnel, but I think it would not be a good idea. Anyway, IE and Firefox should be able to cache your password at least for a session, so...
Yours sincerely, Pierre Delaage
Hello,
I'm trying to get stunnel running on my local system, so it will connect to a remote host, which requires authentication with this p12 file (with password). I also have the chain of trust, which is in the p7b file.
The reason I want to do this is that the remote host exposes a SOAP interface over HTTPS, and I think it would be a good idea to tunnel the communication with stunnel, so a transparent configuration can be used. Also, this would mean no configuration is needed for the browser anymore, since it can connect to localhost instead of to the remote server.
I've tested the p12 (certificate, PKCS12?) and p7b (trust chain, PKCS7?) files with Internet Explorer and Firefox. They work (I can browse the remote host), but I still have to enter the password.
I've converted the p12 and p7b files into pem files with the following commands:
openssl pkcs12 -in certificate.p12 -out certificate.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
firefox: store as PEM with chain chain.p7b --> chain.pem
Config:
key=certificate.pem
CAfile=chain.pem
client=yes
debug=7
output=stunnel.log
verify=1

[http]
accept=80
connect=www.remoteserver.com:443
TIMEOUTclose=0
Command:
sudo /usr/bin/stunnel4 stunnel.conf
Error:
2009.03.11 00:58:10 LOG5[30424:3082909360]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2009.03.11 00:58:10 LOG6[30424:3082909360]: file ulimit = 1024 (can be changed with 'ulimit -n')
2009.03.11 00:58:10 LOG6[30424:3082909360]: poll() used - no FD_SETSIZE limit for file descriptors
2009.03.11 00:58:10 LOG5[30424:3082909360]: 500 clients allowed
2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 10 in non-blocking mode
2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 11 in non-blocking mode
2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 12 in non-blocking mode
2009.03.11 00:58:10 LOG7[30424:3082909360]: SO_REUSEADDR option set on accept socket
2009.03.11 00:58:10 LOG7[30424:3082909360]: http bound to 0.0.0.0:80
2009.03.11 00:58:10 LOG7[30430:3082909360]: Created pid file /var/run/stunnel4.pid

2009.03.11 00:58:20 LOG7[30430:3082909360]: http accepted FD=13 from 127.0.0.1:59793
2009.03.11 00:58:20 LOG7[30430:3082738576]: http started
2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 13 in non-blocking mode
2009.03.11 00:58:20 LOG7[30430:3082738576]: Waiting for a libwrap process
2009.03.11 00:58:20 LOG7[30430:3082738576]: Acquired libwrap process #0
2009.03.11 00:58:20 LOG7[30430:3082738576]: Releasing libwrap process #0
2009.03.11 00:58:20 LOG7[30430:3082738576]: Released libwrap process #0
2009.03.11 00:58:20 LOG7[30430:3082738576]: http permitted by libwrap from 127.0.0.1:59793
2009.03.11 00:58:20 LOG5[30430:3082738576]: http accepted connection from 127.0.0.1:59793
2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 14 in non-blocking mode
2009.03.11 00:58:20 LOG7[30430:3082738576]: http connecting ${REMOTESERVER_IP}:443
2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: waiting 10 seconds
2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: connected
2009.03.11 00:58:20 LOG5[30430:3082738576]: http connected remote server from 10.0.2.15:38710
2009.03.11 00:58:20 LOG7[30430:3082738576]: Remote FD=14 initialized
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): before/connect initialization
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3 write client hello A
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3 read server hello A
2009.03.11 00:58:20 LOG4[30430:3082738576]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: ${UNIQUE NAME}
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL alert (write): fatal: bad certificate
2009.03.11 00:58:20 LOG3[30430:3082738576]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2009.03.11 00:58:20 LOG5[30430:3082738576]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2009.03.11 00:58:20 LOG7[30430:3082738576]: http finished (0 left)
(${UNIQUE NAME} / ${REMOTESERVER_IP} were replaced)
Tested by connecting the browser to http://127.0.0.1:80/
How can I get stunnel to redirect http://127.0.0.1:80/ to http://remoteserver:443/ and use the certificate and chain to validate the connection? Any pointers would also be welcome, since I searched on Google but cannot find the correct information, while one would expect that this is not the first time this has been tried.
Thanks,
Eduard Witteveen
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users