I'm new to stunnel and think it may be easier to use this in our environment. Any help would be appreciated! Here is my setup.
Source and Destination OS: Windows 2022 Data Center VMs.
I copied the stunnel.pem from SERVER to CLIENT and named it stunnel_client.pem. I get the following error when connecting from CLIENT -> SERVER.
2022.07.23 17:30:28 LOG6[3]: SNI: sending servername: x.x.x.x
2022.07.23 17:30:28 LOG6[3]: Peer certificate required
2022.07.23 17:30:28 LOG4[3]: CERT: Subject checks failed
2022.07.23 17:30:28 LOG4[3]: Rejected by CERT at depth=0: C=US, ST=New Jersey, L=Edison, O=Crestron, OU=ProPortal, CN=vmsql-edatahub-.crestron.com
2022.07.23 17:30:28 LOG3[3]: SSL_connect: ssl/statem/statem_clnt.c:1887: error:0A000086:SSL routines::certificate verify failed
2022.07.23 17:30:28 LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
*****STUNNEL.CONF*****
SERVER:
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
sslVersion = TLSv1.2

[ncatListener]
accept = 8443
connect = 4489
cert = stunnel.pem
CLIENT:
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
sslVersion = TLSv1.2

[ncatSender]
client = yes
accept = 127.0.0.1:4488
connect = <x.x.x.x>:8443
verifyPeer = yes
CAfile = stunnel_client.pem
checkIP = <x.x.x.x>
OCSPaia = yes
Maybe failing because the cert is a *server* cert, not valid for verifying clients. Certs contain a set of flags that specify what they can be used for; it might be worth checking whether your cert is valid for both verifying server identity *and* for verifying client identity.
- Mike S
How do I use STunnel self-signed server cert to create a client cert?
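An added example, not from this thread, that follows up on Mike S's point about usage flags and on the question of making one self-signed cert serve both ends: it generates a cert carrying both the serverAuth and clientAuth extended key usages plus an IP subjectAltName (the entry stunnel's checkIP is matched against), then checks each property with openssl against a trust store containing only the cert itself, which is what the client's CAfile = stunnel_client.pem amounts to. It assumes an openssl binary on PATH and uses 192.0.2.10 as a constructed stand-in for the <x.x.x.x> in the config.

```shell
#!/bin/sh
# Added example: build a self-signed cert that passes both server- and
# client-side verification and carries the IP that checkIP= will look for.
# 192.0.2.10 below is a constructed placeholder for the real server address.
set -eu

make_cert() {   # make_cert <out-dir> <ip> [<extendedKeyUsage list>]
    dir=$1; ip=$2; eku=${3:-serverAuth, clientAuth}
    mkdir -p "$dir"
    # The CN is informational here; checkIP/checkHost match the SAN, not the CN.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = stunnel-server
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/openssl.cnf" 2>/dev/null
    # stunnel's cert= option takes key and certificate in one PEM file
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/stunnel.pem"
}

# Exit 0 when the cert is acceptable for <purpose> (sslserver or sslclient)
# with itself as the only trust anchor, mirroring the client's CAfile= setup.
check_purpose() {  # check_purpose <dir> <purpose>
    openssl verify -CAfile "$1/cert.pem" -purpose "$2" "$1/cert.pem" >/dev/null 2>&1
}

# Exit 0 when the SAN lists <ip>, i.e. a checkIP = <ip> line can succeed.
check_ip_san() {   # check_ip_san <dir> <ip>
    openssl x509 -in "$1/cert.pem" -noout -ext subjectAltName \
        | grep -q "IP Address:$2"
}
```

A cert built with only `serverAuth` (third argument) still passes the sslserver check but fails the sslclient one, which is the mismatch Mike S describes.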