Re: Trying to get stunnel to verify remote server certificate - stunnel-users

19 Jul 2024


      Thank you Mike for your reply.  I apologize for my lack of experience with networks.  One thing that I personally did not understand in using stunnel is that my SSL traffic that I want to "wrap" needs to be directed at the "accept" port, and that the stunnel wrap THEN sends it out over the connect port with the SSL "magic" applied.  With that in mind, I have amended my configuration, and I have a new problem (s?):
client = yes
accept = 127.0.0.1:8080
connect = 192.111.85.171:9400
cert = C:\Certificates\WMW_trade_csr.pem
CAfile = C:\Certificates\ca-cert1.pem
securityLevel = 0
verifyPeer = yes
checkHost = api.gainfutures.com
sslVersion = TLSv1.2
sslVersionMax = TLSv1.2
This binds the service to 127.0.0.1:8080
So far so good.  When I start my program, which directs its output stream to the "accept" port, the stunnel log now responds as I send messages:
(I have pulled out just the last part before the error)
2024.07.18 12:19:45 LOG6[1150]: Peer certificate required
2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): before SSL initialization
2024.07.18 12:19:45 LOG7[1150]: Initializing application specific data for session authenticated
2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS write client hello
2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS write client hello
2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS read server hello
This looks okay to me so far
2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2
2024.07.18 12:19:45 LOG6[1150]: CERT: Pre-verification error ignored: self-signed certificate in certificate chain
2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled
2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2
2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2
2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded
2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled
2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2
2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=1: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K
2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded
2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled
2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=1: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K
2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com
2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded
2024.07.18 12:19:45 LOG6[1150]: CERT: Host name "api.gainfutures.com" matched with "*.gainfutures.com"
2024.07.18 12:19:45 LOG4[1150]: CERT: Certificate not found in local repository
not sure what this indicates (not found in local repository)
2024.07.18 12:19:45 LOG4[1150]: Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com
2024.07.18 12:19:45 LOG7[1150]: Remove session callback
2024.07.18 12:19:45 LOG7[1150]: TLS alert (write): fatal: bad certificate
2024.07.18 12:19:45 LOG3[1150]: SSL_connect: ssl/statem/statem_clnt.c:2091: error:0A000086:SSL routines::certificate verify failed
After looking on the internet, I think that the [TLS alert (write): fatal: bad certificate] may refer to the cert = (file.pem), which in this case is a certificate I had made and verified by a trusted authority.  The rejected by CERT is clearly referring to the certificate which comes from the server located at the other end of the "connect" port.  I have looked specifically at this certificate, and the chain is comprised of two authenticated certificates, with a self-authenticated third certificate.  As an example, when I change the "checkHost =" to an IP address, the error message changes:
2024.07.18 12:40:45 LOG7[1157]: CERT: Pre-verification succeeded
*2024.07.18 12:40:45 LOG4[1157]: CERT: Subject checks failed
*2024.07.18 12:40:45 LOG4[1157]: Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com
2024.07.18 12:40:45 LOG7[1157]: Remove session callback
*2024.07.18 12:40:45 LOG7[1157]: TLS alert (write): fatal: unknown CA
What seems to be consistent is that the remote certificate is being rejected because there is a self-authenticated certificate as the third part of the chain.
I have tried the following:
CAfile = C:\Certificates\ca-cert.pem
(CA file which comes with openssl, I believe) which gives the same results.
CAfile = C:\Certificates\ca-cert1.pem
(Here I have added the chain certificates from file    gain-futures-chain.pem)  same results
CAfile = C:\Certificates\ca-cert2.pem
(Here I have added the chain certificates from file    gain-futures-chainpumpbut removed the self-signed part)  same results
CAfile =C:\Certificates\ca-cert3.pem
(ca-cert3.pem contains ONLY the certificates from   gain-futures-chain.pem)  same results
CAfile =C:\Certificates\gain-futures-chain.pem
This causes the service NOT to be bound, and throws what look like a bunch of openssl errors
So it appears that I am actually probing the certificate that the remote server is sending me.  I am still not clear on the role of CAfile, because of the behavior I have outlined.  Do I need somehow to find a CAfile which recognizes and validates the certificate from the remote server?
Thank you again!
-William Wood