Hello all. I am sure I am missing something really obvious here, but I can't get this to work.
HTTP client (localhost) -> stunnel (localhost) -> HTTPS server (remote host)
I'd like to use stunnel as a proxy for my HTTP requests that go to an HTTPS server (apache if that makes any difference) on a remote host (fresh) that uses a cert to authenticate the request. I wrote this little ruby script [1] to test the request, and it works, so I am sure that on the server/client/cert end there is no problem.
Now I'd like to use a simple wget or w3m to get the file from the remote server through stunnel, but I keep getting SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The only difference between the ruby script and the stunnel setup is that in the ruby script I have two different files for the crt and the key, and with stunnel I joined those files together with cat s2@magnesium.key s2@magnesium.crt >s2@magnesium.pem
on localhost i run:
$ stunnel -r fresh:443 -d localhost:11443 -c -f -D 7 -c -S 0 -p certs/s2@magnesium.pem -a certs/ -A certs/freshCA.crt -v 3 -P none
2008.03.09 21:21:38 LOG5[9026:3082811056]: Using 'fresh.443' as tcpwrapper service name
2008.03.09 21:21:38 LOG7[9026:3082811056]: RAND_status claims sufficient entropy for the PRNG
2008.03.09 21:21:38 LOG6[9026:3082811056]: PRNG seeded successfully
2008.03.09 21:21:38 LOG7[9026:3082811056]: Certificate: certs/s2@magnesium.pem
Enter PEM pass phrase:
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_defaults is 0
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_dir is certs/
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_file is certs/freshCA.crt
2008.03.09 21:21:40 LOG7[9026:3082811056]: Loaded verify certificates from certs/freshCA.crt
2008.03.09 21:21:40 LOG7[9026:3082811056]: Set verify directory to certs/
2008.03.09 21:21:40 LOG5[9026:3082811056]: Peer certificate location certs/
2008.03.09 21:21:40 LOG5[9026:3082811056]: stunnel 3.26 on i486-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.8e 23 Feb 2007
2008.03.09 21:21:40 LOG7[9026:3082811056]: No pid file being created
2008.03.09 21:21:40 LOG5[9026:3082811056]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
2008.03.09 21:21:40 LOG7[9026:3082811056]: SO_REUSEADDR option set on accept socket
2008.03.09 21:21:40 LOG7[9026:3082811056]: fresh.443 bound to 127.0.0.1:11443
then, I try to connect to localhost:11443 with w3m, in the hope that my HTTP request is encrypted and sent to fresh:443, and stunnel should check if the PEER certificate is correct, but all I get is:
2008.03.09 21:26:44 LOG7[9214:3082585776]: fresh.443 accepted FD=6 from 127.0.0.1:43888
2008.03.09 21:26:44 LOG7[9214:3082423184]: fresh.443 started
2008.03.09 21:26:44 LOG5[9214:3082423184]: fresh.443 connected from 127.0.0.1:43888
2008.03.09 21:26:44 LOG7[9214:3082423184]: fresh.443 connecting 192.168.0.2:443
2008.03.09 21:26:44 LOG7[9214:3082423184]: Remote FD=7 initialized
2008.03.09 21:26:44 LOG7[9214:3082423184]: Relying on OpenSSL RSA Blinding.
2008.03.09 21:26:44 LOG7[9214:3082423184]: SSL state (connect): before/connect initialization
2008.03.09 21:26:44 LOG7[9214:3082423184]: SSL state (connect): SSLv3 write client hello A
2008.03.09 21:26:45 LOG7[9214:3082423184]: SSL state (connect): SSLv3 read server hello A
2008.03.09 21:26:45 LOG5[9214:3082423184]: VERIFY OK: depth=1, /C=IT/O=S2 corp./CN=S2/emailAddress=s2@fresh
2008.03.09 21:26:45 LOG4[9214:3082423184]: VERIFY ERROR ONLY MY: no cert for /C=IT/O=S2 corp./CN=fresh
2008.03.09 21:26:45 LOG7[9214:3082423184]: SSL alert (write): fatal: certificate unknown
2008.03.09 21:26:45 LOG3[9214:3082423184]: SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2008.03.09 21:26:45 LOG7[9214:3082423184]: fresh.443 finished (0 left)
Did I do something wrong? What am I missing? Please help me; it would save me a lot of work on the client side if I could get this going.
Thanks! Simon
[1] ----------------------------------------------------
#!/usr/bin/ruby

# CA certificate that signed the web server's certificate
SERVER_CERT_FILE = "certs/freshCA.crt"
# client certificate and its (passphrase-protected) private key
CERT_FILE     = "certs/s2@magnesium.crt"
CERT_FILE_KEY = "certs/s2@magnesium.key"

require 'net/https'
https = Net::HTTP.new('fresh', 443)
https.use_ssl = true

# client certificates
https.cert = OpenSSL::X509::Certificate.new(File.read(CERT_FILE))
https.key  = OpenSSL::PKey::RSA.new(File.read(CERT_FILE_KEY), 'panza')

# server certificate: verify the server's chain against the CA file
https.ca_file = SERVER_CERT_FILE
https.verify_mode = OpenSSL::SSL::VERIFY_PEER # VERIFY_NONE

https.read_timeout = 120

https.start do |https|
  request = Net::HTTP::Get.new('/notes/test_auth')
  # request.basic_auth 's', 'x'
  response = https.request(request)
  response.value # raises unless the response is a 2xx
  puts response.body
end
----------------------------------------------------
On Sunday 09 March 2008 21:33:52 Simon Santoro wrote:
> Hello all. I am sure I am missing something really obvious here, but I can't get this to work.
> HTTP client (localhost) -> stunnel (localhost) -> HTTPS server (remote host)
1 second after posting this message I got a flash in my brain: I used the cert of the CA that signed the cert of the webserver instead of the cert of the webserver to check the peer. I feel really stupid now. Sorry for the spam.
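The following is an added example, not code from the thread or from stunnel, that models the two checks visible in the log above: the CA-chain check that succeeded ("VERIFY OK: depth=1") and the extra check behind "VERIFY ERROR ONLY MY: no cert for ...", where the peer's own certificate must be present in the verify directory under its subject-hash filename (hash.0). It generates a throw-away CA and server certificate in-process (the subject names mirror the thread; keys, validity periods, the temporary directory and the function names are made up for the demo), installs only the CA first, as in the original setup, and then the server's own certificate.

```ruby
#!/usr/bin/ruby
# Added example, not code from the thread or from stunnel. Models the
# CA-chain check ("VERIFY OK: depth=1") and the extra peer-certificate check
# ("VERIFY ERROR ONLY MY: no cert for ..."): the peer's own cert must sit in
# the verify directory as <subject hash>.0. Certificates are generated here;
# subject names follow the thread, everything else is made up for the demo.
require 'openssl'
require 'tmpdir'

# Create a certificate; self-signed when issuer_cert/issuer_key are nil.
def make_cert(subject, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The chain check: the peer cert must chain to the trusted CA (freshCA.crt).
def chain_ok?(ca_cert, peer_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(peer_cert)
end

# Filename a hashed cert directory uses for a certificate: <subject hash>.0
def hashed_filename(cert)
  format('%08x.0', cert.subject.hash)
end

def install_cert(dir, cert)
  File.write(File.join(dir, hashed_filename(cert)), cert.to_pem)
end

# The extra "only my" check: the peer cert itself must be present, byte for byte.
def peer_cert_installed?(dir, peer_cert)
  path = File.join(dir, hashed_filename(peer_cert))
  return false unless File.exist?(path)
  OpenSSL::X509::Certificate.new(File.read(path)).to_der == peer_cert.to_der
end

# Returns :ok, :chain_failed, or :no_cert_for_peer (the "ONLY MY" error).
def verify_level3(ca_cert, dir, peer_cert)
  return :chain_failed     unless chain_ok?(ca_cert, peer_cert)
  return :no_cert_for_peer unless peer_cert_installed?(dir, peer_cert)
  :ok
end

# Replay the thread: a directory holding only the CA fails the level-3 check,
# adding the web server's own certificate makes it pass. Returns both verdicts.
def demo
  ca, ca_key = make_cert('/C=IT/O=S2 corp./CN=S2', 1, ca: true)
  server, _  = make_cert('/C=IT/O=S2 corp./CN=fresh', 2,
                         issuer_cert: ca, issuer_key: ca_key)
  Dir.mktmpdir('certs') do |dir|
    install_cert(dir, ca)                  # original setup: only freshCA.crt
    before = verify_level3(ca, dir, server)
    install_cert(dir, server)              # the fix: the server's own cert
    after  = verify_level3(ca, dir, server)
    [before, after]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

One caveat when doing this against a real stunnel: the filename must use the subject hash of the OpenSSL the stunnel binary links against. The stunnel 3.26 in the log runs on OpenSSL 0.9.8, whose hash differs from the one OpenSSL 1.0 and later compute (Ruby's Name#hash gives the current form, Name#hash_old the legacy one); `openssl x509 -noout -hash -in server.crt` on the matching OpenSSL, or `c_rehash` over the directory, produces the right name for the installed version.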