Configuring stunnel to use p12 and p7b in client mode - stunnel-users

11 Mar 2009


      Hello,
I'm trying to get stunnel running on my local system, so it will connect
to the remote a host, which requires authentication with this p12
file(with password). I also have the chain of trust which is in the p7b
file.
The reason why i want to do this, is that the remote host exposes a soap
interface by https, and i think it would be a good idea to tunnel the
communications with stunnel, so a transparant configuration can be used.
Also, this would mean there is no configuration needed for the browser
anymore, since it can connect to the localhost instead of to the
remoteserver.
I've tested the p12(certificate PKCS12?) and (trust chain PKCS7?) files
with internet explorer and firefox. They work(i can browse the
remotehost), but i still have to enter the password.
I've converted the p12 and p7b files into dem files with the following
commands:
...
openssl pkcs12 -in certificate.p12 -out certificate.pem
Enter Import Password:
MAC verified OKK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase
firefox: store as PEM with chain 
    chain.p7b --> chain.pem
Config:
...
key=certificate.pem
CAfile=chain.pem
client=yes
debug=7
output=stunnel.log
verify=1
[http]
accept=80
connect=www.remoteserver.com:443
TIMEOUTclose=0
Command:
...
sudo /usr/bin/stunnel4 stunnel.conf
Error:
...
009.03.11 00:58:10 LOG5[30424:3082909360]: Threading:PTHREAD
SSL:ENGINE
Sockets:POLL,IPv6 Auth:LIBWRAP
2009.03.11 00:58:10 LOG6[30424:3082909360]: file ulimit = 1024 (can be
changed with 'ulimit -n')
2009.03.11 00:58:10 LOG6[30424:3082909360]: poll() used - no
FD_SETSIZE
limit for file descriptors
2009.03.11 00:58:10 LOG5[30424:3082909360]: 500 clients allowed
2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 10 in non-blocking mode
2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 11 in non-blocking mode
2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 12 in non-blocking mode
2009.03.11 00:58:10 LOG7[30424:3082909360]: SO_REUSEADDR option set on
accept socket
2009.03.11 00:58:10 LOG7[30424:3082909360]: http bound to 0.0.0.0:80
2009.03.11 00:58:10 LOG7[30430:3082909360]: Created pid file
/var/run/stunnel4.pid
2009.03.11 00:58:20 LOG7[30430:3082909360]: http accepted FD=13 from
127.0.0.1:59793
2009.03.11 00:58:20 LOG7[30430:3082738576]: http started
2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 13 in non-blocking mode
2009.03.11 00:58:20 LOG7[30430:3082738576]: Waiting for a libwrap
process
2009.03.11 00:58:20 LOG7[30430:3082738576]: Acquired libwrap process
#0
2009.03.11 00:58:20 LOG7[30430:3082738576]: Releasing libwrap process
#0
2009.03.11 00:58:20 LOG7[30430:3082738576]: Released libwrap process
#0
2009.03.11 00:58:20 LOG7[30430:3082738576]: http permitted by libwrap
from
127.0.0.1:59793
2009.03.11 00:58:20 LOG5[30430:3082738576]: http accepted connection
from
127.0.0.1:59793
2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 14 in non-blocking mode
2009.03.11 00:58:20 LOG7[30430:3082738576]: http connecting
${REMOTESERVER_IP}:443
2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: waiting 10
seconds
2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: connected
2009.03.11 00:58:20 LOG5[30430:3082738576]: http connected remote
server
from 10.0.2.15:38710
2009.03.11 00:58:20 LOG7[30430:3082738576]: Remote FD=14 initialized
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect):
before/connect initialization
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3
write
client hello A
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3
read
server hello A
2009.03.11 00:58:20 LOG4[30430:3082738576]: VERIFY ERROR: depth=0,
error=unable to get local issuer certificate: ${UNIQUE NAME}
2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL alert (write): fatal:
bad
certificate
2009.03.11 00:58:20 LOG3[30430:3082738576]: SSL_connect: 14090086:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify
failed
2009.03.11 00:58:20 LOG5[30430:3082738576]: Connection reset: 0 bytes
sent
to SSL, 0 bytes sent to socket
2009.03.11 00:58:20 LOG7[30430:3082738576]: http finished (0 left)
(${UNIQUE NAME} / ${REMOTESERVER_IP} were replaced)
Tested by connecting the browser to http://127.0.0.1:80/
How can i get stunnel to redirect http://127.0.0.1:80/ to
http://remoteserver:443/ and use the certificate and chain to validate
the connection? Any pointers would also be welcome, since i searched in
google but i cannot find the correct information, while one would expect
that this is not the first time that this is being tried.
Thanks,
Eduard Witteveen