key file corresponding to key=file in config file.
CERTIFICATE...) in the cert file corresponding to cert=file in the config
file.
These files must exist for server and client since you want mutual
authentication.
For verifying the certificate, you need to put the client certificate
(autosigned) in the CAfile option of the server config file.
The same for the client : put the server certificate in the CAfile option
of the client config file.
on the server, the command 'openssl verify -CAfile client_cert.pem
client_cert.pem' should return ok
on the client, the command 'openssl verify -CAfile server_cert.pem
server_cert.pem' should return ok.
It can seem stupid but, as you have self-signed certificate, the CAfile is
the cert file.
If you use tinyCA, you can easily build your own CA with one CA cert and
several certs for clients or servers. Then, you would be able to have the
same CAfile on the client and on the server.
I hope this is clear enough. If not, write me back.
On Tuesday 30 December 2008, you wrote:
Hello,
Happy new year!
- are the permissions correct on your files :
- key must belong to the user and have 0600 status (read only by the
user)
- cert must belong to the user.
I think the permissions are OK. The file is owed by root and loaded at
the start
Wrote 1024 new random bytes to /root/.rnd
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /etc/stunnel/stunnelclient.pem
Certificate loaded
Key file: /etc/stunnel/stunnelclient.pem
Private key loaded
SSL context initialized for service BreakOut
- Is the content of the cert file of this form
-----BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE-----
?
and the content of the key file this form
-----BEGIN RSA PRIVATE KEY-----
key datat here
-----END RSA PRIVATE KEY-----
I made several files. According to
http://www.stunnel.org/faq/certs.html#ToC5
I got a file with a certificate, a RSA Key and a DH section (I removed
the password for the certificate).
According to http://www.stunnel.org/examples/client_cert.html I got a
different file: it has a certificate and a RSA section and between them
an other section:
rcnyy/AbS1YPkdggJSnw+fqzg/L/QvQB6GTT5KWJzd0=
-----END RSA PRIVATE KEY-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Germany, L=Munich, O=vbox4php, OU=Rektorat,
CN=DE/emailAddress=michael.renner@gmx.de
Validity
Not Before: Dec 28 20:37:19 2008 GMT
Not After : Dec 28 20:37:19 2009 GMT
Subject: C=DE, ST=Germany, O=vbox4php, OU=stunnel,
CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b1:05:47:7a:27:4f:19:2b:18:72:e3:3c:f6:a6:
.
.
2b:55:2d:c9:dc:96:55:14:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
TinyCA Generated Certificate
X509v3 Subject Key Identifier:
86:F6:1F:71:29:AA:A5:61:DF:B2:81:F2:34:3A:A6:9E:58:C8:6A:5E X509v3
Authority Key Identifier:
keyid:72:68:1A:0C:9D:E9:93:81:07:E9:36:71:75:33:05:C6:70:35:01:BF
DirName:/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=Rektorat/CN=DE/emailAddre
ss= michael.renner@gmx.de
serial:BC:97:82:4E:E3:9F:FE:5A
X509v3 Issuer Alternative Name:
email:michael.renner@gmx.de
email%3Amichael.renner@gmx.de X509v3 Subject Alternative Name:
email:michael.renner@gmx.de
email%3Amichael.renner@gmx.de Signature Algorithm:
sha1WithRSAEncryption
49:ef:06:aa:e5:71:b1:6e:23:87:02:9d:ce:56:e1:3b:77:5a:
.
.
41:93:92:ee:57:23:95:f3:99:62:27:6a:a4:b7:85:b4:92:86:
22:50:79:a0
-----BEGIN CERTIFICATE-----
Anyhow: it fails:
2008.12.31 17:51:07 LOG4[13056:1073809760]: VERIFY ERROR: depth=0,
error=unable to get local issuer
certificate: /C=DE/ST=Germany/O=vbox4php/OU=stunnel/CN=
boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
2008.12.31 17:51:07 LOG3[13056:1073809760]: SSL_accept: 140890B2:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
With strace I can see the the key and the cert is OK on the client side:
(I assume that it is only read once):
[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] read(4, "VQQDEwJERTEkMCIGCSqGSIb3\nDQEJARY"..., 4096) = 1425
[pid 11829] read(4, "", 4096) = 0
[pid 11829] close(4) = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31
17:52:56 LOG7[11829:140253752059616]: Certificate loaded
) = 68
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 902008.12.31
17:52:56 LOG7[11829:140253752059616]: Key
file: /etc/stunnel/stunnelserver.pem
) = 90
[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] close(4) = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31
17:52:56 LOG7[11829:140253752059616]: Private key loaded
While I see in the clients logfile:
SSL state (connect): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert
bad certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
Strange!
One more hint?
|Michael Renner E-mail: michael.renner@gmx.de |
|D-81541 Munich Germany ICQ: #112280325 |
|Germany Don't drink as root! ESC:wq
Michael Renner