Hello everybody
I am using stunnel in server mode with mutual authentication. Auth is ok, but the crl didn't work, and I need it in production next week.... I do many tries with CRLpath/CRLfile, with my production version (5.08), the last one (5.26)
Same result. With a revoked certificate, my client connect on the server.
Do you have some idea? Or maybe found my mistake?
If you need something else please contact me.
Stunnel 1 is the server. Stunnel 1 certificate is revoked
** Configuration **
*** root@auditd:/var/lib/stunnel/2/ca# cat /etc/stunnel/1.conf *** ; * Global options *
chroot = /var/lib/stunnel/1/
; Chroot jail can be escaped if setuid option is not used setuid = stunnel5 setgid = stunnel5
pid = /pid/1.pid
;debug = 0 debug = 7 output = /log/1.log
;foreground = yes
options = NO_SSLv2 options = NO_SSLv3 options = DONT_INSERT_EMPTY_FRAGMENTS
[1] verify = 2
CAFile = /root/CA/CA.cert
cert = /root/CA/1.cert key = /root/CA/1.key
client = no accept = 127.0.0.1:59062 connect = 127.0.0.1:22 ciphers = ECDHE-RSA-AES256-GCM-SHA384 sslVersion = TLSv1.2
*** root@auditd:/var/lib/stunnel/2/ca# cat /etc/stunnel/2.conf *** ; * Global options *
chroot = /var/lib/stunnel/2/
; Chroot jail can be escaped if setuid option is not used setuid = stunnel5 setgid = stunnel5
pid = /pid/2.pid
;debug = 0 debug = 7 output = /log/2.log
;foreground = yes
options = NO_SSLv2 options = NO_SSLv3 options = DONT_INSERT_EMPTY_FRAGMENTS
[2] verify = 2
;CRLfile = /var/lib/stunnel/2/CA.crl.pem ;CAFile = /var/lib/stunnel/2/CA.pem
CRLpath = /crl/ CApath = /ca/
cert = /var/lib/stunnel/2/2.cert key = /var/lib/stunnel/2/2.key
client = yes accept = 127.0.0.1:23 connect = 127.0.0.1:59062 ciphers = ECDHE-RSA-AES256-GCM-SHA384 sslVersion = TLSv1.2
** Logs **
==> /var/lib/stunnel/1/log/1.log <== 2015.12.02 12:11:46 LOG7[25595]: Clients allowed=500 2015.12.02 12:11:46 LOG5[25595]: stunnel 5.08 on x86_64-unknown-linux-gnu platform 2015.12.02 12:11:46 LOG5[25595]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013 2015.12.02 12:11:46 LOG5[25595]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP 2015.12.02 12:11:46 LOG7[25595]: errno: (*__errno_location ()) 2015.12.02 12:11:46 LOG5[25595]: Reading configuration from file /etc/stunnel/1.conf 2015.12.02 12:11:46 LOG5[25595]: UTF-8 byte order mark not detected 2015.12.02 12:11:46 LOG5[25595]: FIPS mode disabled 2015.12.02 12:11:46 LOG7[25595]: Compression disabled 2015.12.02 12:11:46 LOG7[25595]: Snagged 64 random bytes from /root/.rnd 2015.12.02 12:11:46 LOG7[25595]: Wrote 1024 new random bytes to /root/.rnd 2015.12.02 12:11:46 LOG7[25595]: PRNG seeded successfully 2015.12.02 12:11:46 LOG6[25595]: Initializing service [1] 2015.12.02 12:11:46 LOG6[25595]: Loading cert from file: /root/CA/1.cert 2015.12.02 12:11:46 LOG6[25595]: Loading key from file: /root/CA/1.key 2015.12.02 12:11:46 LOG7[25595]: Private key check succeeded 2015.12.02 12:11:46 LOG7[25595]: Loaded /root/CA/CA.cert revocation lookup file 2015.12.02 12:11:46 LOG7[25595]: Client CA list: /root/CA/CA.cert 2015.12.02 12:11:46 LOG6[25595]: Client CA: C=FR, ST=Some-State, O=Internet Widgits Pty Ltd 2015.12.02 12:11:46 LOG7[25595]: DH initialization 2015.12.02 12:11:46 LOG7[25595]: Could not load DH parameters from /root/CA/1.cert 2015.12.02 12:11:46 LOG7[25595]: Using hardcoded DH parameters 2015.12.02 12:11:46 LOG7[25595]: DH initialized with 2048-bit key 2015.12.02 12:11:46 LOG7[25595]: ECDH initialization 2015.12.02 12:11:46 LOG7[25595]: ECDH initialized with curve prime256v1 2015.12.02 12:11:46 LOG7[25595]: SSL options: 0x03000804 (+0x03000800, -0x00000000) 2015.12.02 12:11:46 LOG5[25595]: Configuration successful 2015.12.02 12:11:46 LOG7[25595]: Listening file descriptor created (FD=6) 2015.12.02 12:11:46 LOG7[25595]: Service [1] (FD=6) bound to 127.0.0.1:59062 2015.12.02 12:11:46 LOG7[25596]: Created pid file /pid/1.pid
==> /var/lib/stunnel/2/log/2.log <== 2015.12.02 12:11:46 LOG7[25604]: Clients allowed=500 2015.12.02 12:11:46 LOG5[25604]: stunnel 5.08 on x86_64-unknown-linux-gnu platform 2015.12.02 12:11:46 LOG5[25604]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013 2015.12.02 12:11:46 LOG5[25604]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP 2015.12.02 12:11:46 LOG7[25604]: errno: (*__errno_location ()) 2015.12.02 12:11:46 LOG5[25604]: Reading configuration from file /etc/stunnel/2.conf 2015.12.02 12:11:46 LOG5[25604]: UTF-8 byte order mark not detected 2015.12.02 12:11:46 LOG5[25604]: FIPS mode disabled 2015.12.02 12:11:46 LOG7[25604]: Compression disabled 2015.12.02 12:11:46 LOG7[25604]: Snagged 64 random bytes from /root/.rnd 2015.12.02 12:11:46 LOG7[25604]: Wrote 1024 new random bytes to /root/.rnd 2015.12.02 12:11:46 LOG7[25604]: PRNG seeded successfully 2015.12.02 12:11:46 LOG6[25604]: Initializing service [2] 2015.12.02 12:11:46 LOG6[25604]: Loading cert from file: /var/lib/stunnel/2/2.cert 2015.12.02 12:11:46 LOG6[25604]: Loading key from file: /var/lib/stunnel/2/2.key 2015.12.02 12:11:46 LOG7[25604]: Private key check succeeded 2015.12.02 12:11:46 LOG7[25604]: Verify directory set to /ca/ 2015.12.02 12:11:46 LOG7[25604]: Added /ca/ revocation lookup directory 2015.12.02 12:11:46 LOG7[25604]: Added /crl/ revocation lookup directory 2015.12.02 12:11:46 LOG7[25604]: SSL options: 0x03000804 (+0x03000800, -0x00000000) 2015.12.02 12:11:46 LOG5[25604]: Configuration successful 2015.12.02 12:11:46 LOG7[25604]: Listening file descriptor created (FD=6) 2015.12.02 12:11:46 LOG7[25604]: Service [2] (FD=6) bound to 127.0.0.1:23 2015.12.02 12:11:46 LOG7[25605]: Created pid file /pid/2.pid
** ls **
root@auditd:/var/lib/stunnel/2/ca# ll total 4 lrwxrwxrwx 1 root root 6 Dec 2 12:05 1a870aad.0 -> CA.pem lrwxrwxrwx 1 root root 6 Dec 2 12:05 aeb35906.0 -> CA.pem -rw-r----- 1 stunnel5 root 1919 Dec 1 16:55 CA.pem root@auditd:/var/lib/stunnel/2/ca# ll ../crl/ total 4 lrwxrwxrwx 1 root root 10 Dec 2 12:04 aeb35906.r0 -> CA.crl.pem -rw-r----- 1 stunnel5 root 1129 Dec 2 11:42 CA.crl.pem
** check openssl **
root@auditd:~/stunnel-5.26# openssl verify -crl_check -CAfile /var/lib/stunnel/2/ca/aeb35906.0 -CRLfile /var/lib/stunnel/2/crl/aeb35906.r0 /root/CA/1.cert /root/CA/1.cert: C = FR, ST = FR, O = PLOP, CN = 1 error 23 at 0 depth lookup:certificate revoked
** other :**
root@auditd:~/CA# openssl crl -in /opt/syslog-ng/etc/crl/1a870aad.r0 -text Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: /C=FR/ST=Some-State/O=Internet Widgits Pty Ltd Last Update: Dec 2 09:04:38 2015 GMT Next Update: Jan 1 09:04:38 2016 GMT CRL extensions: X509v3 CRL Number: 2 Revoked Certificates: Serial Number: 01 Revocation Date: Dec 1 14:46:38 2015 GMT Serial Number: 02 Revocation Date: Dec 2 09:04:29 2015 GMT Serial Number: 03 Revocation Date: Dec 2 07:25:34 2015 GMT Serial Number: 04 Revocation Date: Dec 2 07:27:45 2015 GMT Serial Number: 05 Revocation Date: Dec 2 07:32:21 2015 GMT Serial Number: 06 Revocation Date: Dec 2 08:21:48 2015 GMT Signature Algorithm: sha256WithRSAEncryption 16:24:d4:f8:77:82:7b:ca:70:1a:01:26:5f:83:9f:13:6f:51: 67:85:b0:2c:a7:25:c1:46:66:ca:b8:46:74:85:4a:ca:26:2b: ff:46:e7:91:a3:10:09:ce:6b:84:1d:58:a1:4a:1c:38:ac:1a: 58:fc:50:0a:7a:1e:1c:5c:f9:2b:ef:25:7a:93:27:b3:5e:65: d6:66:89:33:23:52:fd:0d:38:7e:66:d6:74:d7:e4:b2:72:d8: 74:49:73:d3:2a:b5:e0:23:8a:03:b5:c6:ce:2a:f4:03:ef:8c: 50:83:be:9f:68:04:47:79:ff:5d:4b:cb:8a:cd:3c:6a:5f:02: 33:e6:61:86:ff:4c:f3:74:2c:81:70:c1:13:05:43:54:1a:04: a0:7b:df:fe:f8:e5:50:53:ce:2c:04:86:36:ed:0a:98:24:72: 5e:68:1a:23:7f:8e:85:5c:2c:2b:7b:df:23:56:fe:2f:c7:da: ec:ca:8f:48:a0:29:15:72:38:e3:ff:48:1e:89:30:b1:72:1b: 21:3f:0b:e0:ad:eb:89:c3:65:70:cc:29:03:f0:6e:73:be:c8: 24:64:93:b8:7b:af:21:a0:67:24:5a:be:e8:b0:ec:e0:a1:5f: 0c:a9:e5:de:09:39:08:23:60:d9:d9:4e:07:a2:f2:1e:4f:96: 0c:b7:c6:bb:5b:2a:e3:78:92:2e:fa:39:9c:ae:d4:4c:b2:b2: e3:7f:2a:58:14:86:80:97:fd:5e:95:b1:9d:d6:23:3d:cc:ce: 2b:0b:65:b2:43:f5:15:fb:20:2c:72:8f:fd:62:7d:7f:54:80: 54:22:22:42:15:7b:27:18:2f:24:70:81:ca:44:cc:c4:d8:9c: d8:99:69:f2:fd:4a:7f:3e:11:57:91:25:d8:6f:42:ae:b0:d5: bc:fd:cd:0b:9b:a5:c2:f6:d0:ce:8b:e3:66:7b:78:03:90:a6: ca:44:f9:e1:cb:80:70:2e:db:b0:3c:d1:fc:5a:d8:f5:fd:c6: 44:5f:4f:19:f5:da:13:a5:2f:11:f3:db:73:22:a1:98:83:b0: 44:0d:2b:59:2f:3a:54:fb:00:a0:8f:1b:19:2b:c0:3c:9d:fb: f0:80:50:9a:9e:7b:b6:46:84:d3:df:b2:36:6b:d2:97:53:f9: da:1e:8c:7a:e8:40:15:17:3b:17:b7:c6:0d:e0:64:e4:68:96: 11:43:d2:d8:d4:f8:1b:7b:44:15:29:d9:ca:e5:3a:97:b6:b4: c6:b9:2b:c2:8a:6d:47:62:75:33:a1:dd:e9:93:28:eb:82:00: 8d:ef:0d:b6:17:72:a6:59:95:4c:97:fa:47:a8:ff:27:60:dd: c1:6e:6a:62:dc:1b:a8:e7 -----BEGIN X509 CRL----- MIIDGTCCAQECAQEwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCRlIxEzARBgNV BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 ZBcNMTUxMjAyMDkwNDM4WhcNMTYwMTAxMDkwNDM4WjB4MBICAQEXDTE1MTIwMTE0 NDYzOFowEgIBAhcNMTUxMjAyMDkwNDI5WjASAgEDFw0xNTEyMDIwNzI1MzRaMBIC AQQXDTE1MTIwMjA3Mjc0NVowEgIBBRcNMTUxMjAyMDczMjIxWjASAgEGFw0xNTEy MDIwODIxNDhaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsFAAOCAgEAFiTU +HeCe8pwGgEmX4OfE29RZ4WwLKclwUZmyrhGdIVKyiYr/0bnkaMQCc5rhB1YoUoc OKwaWPxQCnoeHFz5K+8lepMns15l1maJMyNS/Q04fmbWdNfksnLYdElz0yq14COK A7XGzir0A++MUIO+n2gER3n/XUvLis08al8CM+Zhhv9M83QsgXDBEwVDVBoEoHvf /vjlUFPOLASGNu0KmCRyXmgaI3+OhVwsK3vfI1b+L8fa7MqPSKApFXI44/9IHokw sXIbIT8L4K3ricNlcMwpA/Buc77IJGSTuHuvIaBnJFq+6LDs4KFfDKnl3gk5CCNg 2dlOB6LyHk+WDLfGu1sq43iSLvo5nK7UTLKy438qWBSGgJf9XpWxndYjPczOKwtl skP1FfsgLHKP/WJ9f1SAVCIiQhV7JxgvJHCBykTMxNic2Jlp8v1Kfz4RV5El2G9C rrDVvP3NC5ulwvbQzovjZnt4A5CmykT54cuAcC7bsDzR/FrY9f3GRF9PGfXaE6Uv EfPbcyKhmIOwRA0rWS86VPsAoI8bGSvAPJ378IBQmp57tkaE09+yNmvSl1P52h6M euhAFRc7F7fGDeBk5GiWEUPS2NT4G3tEFSnZyuU6l7a0xrkrwoptR2J1M6Hd6ZMo 64IAje8NthdyplmVTJf6R6j/J2DdwW5qYtwbqOc= -----END X509 CRL-----
root@auditd:~/CA# openssl x509 -in /opt/syslog-ng/etc/cert.d/1.cert -text Certificate: Data: Version: 3 (0x2) Serial Number: 6 (0x6) Signature Algorithm: sha256WithRSAEncryption Issuer: C=FR, ST=Some-State, O=Internet Widgits Pty Ltd Validity Not Before: Dec 2 07:32:36 2015 GMT Not After : Nov 29 07:32:36 2025 GMT Subject: C=FR, ST=FR, O=PLOP, CN=1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:ae:2a:9e:a6:6f:54:eb:f7:1f:7f:d6:67:b5:68: 11:9d:a8:79:93:78:e8:b6:48:f6:64:7e:e5:bf:72: 33:61:6f:4a:e9:c0:25:f6:61:47:de:f7:a3:5d:3d: da:fa:2d:97:08:20:5b:b1:a9:10:2b:50:18:ca:40: ea:16:f8:3d:a5:5e:cc:18:d4:80:30:62:cc:4c:b7: 2b:99:9e:6a:3a:09:97:2b:1d:79:36:d2:53:7a:8d: 96:4f:20:c0:f3:ac:e9:01:d1:a0:d7:00:37:83:1f: 64:ee:df:4f:27:61:a2:5f:94:66:be:35:58:9e:52: a0:91:0a:00:57:13:d5:b4:b3:90:10:8c:42:4f:34: 69:3f:9c:1b:7d:9b:ae:eb:79:8d:d9:9d:2c:3c:74: 58:c2:ba:a5:34:e5:15:01:45:d3:47:85:82:eb:34: b2:21:ba:97:2b:4e:90:92:4f:85:19:c7:b0:7f:cd: 8c:49:08:4e:32:d0:9e:34:af:b9:02:aa:40:2e:af: f5:6b:41:92:9f:5a:ab:09:b5:bd:7a:73:fe:4d:f4: 1b:c6:23:22:15:7c:b5:47:e1:88:bd:8a:b7:d7:1b: 5e:4a:53:f9:41:33:e9:30:97:ce:9b:b4:88:77:f6: 35:9c:47:a7:12:5d:98:9e:e4:1c:27:bf:bd:e5:85: b1:c1:1f:dc:17:03:c0:00:9f:0b:d8:40:c3:1c:31: f3:9b:60:17:05:0d:ac:79:9e:53:2b:aa:da:78:e7: f4:a8:3e:f9:14:f1:40:1f:47:df:45:c7:57:14:3d: 26:68:9c:a7:77:da:29:50:85:1c:e3:62:e6:66:f0: 5e:59:6f:35:61:32:e4:a8:7d:a1:30:b5:85:69:0e: e3:fd:8e:67:78:c3:47:58:5d:88:36:65:85:09:52: 46:47:bb:48:03:9c:e5:42:48:66:7d:34:7d:01:9c: 67:ea:82:f0:d5:4e:9b:64:0c:c6:db:1c:0d:2a:de: 67:ba:a5:04:44:4a:fc:12:94:77:b0:30:fc:d0:06: 26:d4:e8:94:ed:a1:78:4d:cd:fa:8b:a4:4e:45:fc: cf:2b:d8:47:11:e0:68:e0:78:36:34:4f:76:5c:76: 4b:69:02:4c:22:47:57:10:92:ce:b9:d8:20:7e:80: 80:a7:ca:55:7c:41:a4:0a:0e:08:e0:86:e2:63:9f: e4:f6:e0:13:fd:67:7a:14:f7:e2:fe:6e:14:2a:ba: 80:e1:29:0d:7c:5a:36:91:60:ae:9b:14:6f:1e:2d: 40:b9:28:03:e5:d6:f8:f4:64:6d:ca:8b:1d:38:48: 30:92:fa:6f:75:c9:7a:62:61:47:0e:32:3e:e5:7e: 0a:3b:d5 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 33:1A:1E:42:87:07:1F:05:83:C6:14:DE:5D:BC:90:89:8C:10:39:44 X509v3 Authority Key Identifier:
keyid:C0:B7:97:89:CD:42:1E:6A:FB:7D:AE:3B:1E:A1:30:7E:94:FA:FB:35
X509v3 CRL Distribution Points:
Full Name: URI:https://deb.plop.net/ssl/
Signature Algorithm: sha256WithRSAEncryption ad:d7:d0:1f:d1:f2:10:88:d4:4c:5e:fe:80:88:96:35:55:26: 12:8d:1f:1f:38:d2:36:6e:75:00:37:e8:45:28:eb:c3:b5:e7: 71:90:91:5a:96:2d:b6:3e:5b:c0:45:84:e5:dc:07:65:63:54: b1:06:4b:6a:ee:63:80:54:63:4c:72:1a:2f:eb:00:7c:36:0b: 18:22:3a:d2:90:e6:3f:69:9a:cf:b7:50:72:19:f6:3d:d5:19: fa:2a:46:09:cf:86:f7:12:0e:2c:4a:59:6c:26:45:2b:52:90: 72:55:a9:7d:16:27:db:ba:19:cb:c8:96:4c:e1:42:79:6b:ab: f9:87:97:43:e0:d1:71:2d:ef:fc:c9:f0:02:b1:7d:6c:59:ef: fd:00:76:4b:a7:f9:9c:1a:05:90:5b:df:2e:35:52:c7:79:f9: f3:31:d5:3f:60:2a:93:78:48:19:3b:53:43:ed:ee:f0:39:c8: fa:88:b8:7e:b0:5e:ce:73:c2:b2:c2:da:95:39:d9:1e:b7:02: d7:98:20:31:d2:91:c2:c9:61:45:cd:9b:f1:54:3d:17:df:96: 09:3d:11:96:b4:97:2a:9f:e8:9e:77:d4:1b:67:d9:a1:9d:1e: b8:d9:58:3a:b4:26:24:23:d5:a0:d6:52:78:1d:2f:d9:ce:f4: 41:66:82:7c:56:d9:df:a0:08:cb:b4:ae:2a:79:16:bf:91:09: 46:be:35:17:44:73:7b:48:e0:3e:f4:03:45:a7:36:3e:8e:8e: 58:7c:02:a9:c7:9d:22:98:bc:d3:05:90:81:39:d6:00:09:a4: 33:58:0f:57:b9:a5:e2:d0:3f:e4:ad:4e:47:a4:af:98:b6:d0: 49:f0:f9:d5:9b:b1:18:c6:fb:7d:3d:18:6c:90:62:1f:cb:c9: 97:00:92:57:29:32:1d:be:02:61:af:1f:17:48:eb:6a:b0:a2: f4:96:e1:0f:24:63:11:c7:66:2f:bc:7e:c2:e0:fd:25:3c:ac: 83:5b:05:35:b3:45:64:8e:93:21:3d:ed:1c:95:ae:24:55:98: 07:5f:99:71:28:8e:01:5d:94:16:62:03:a1:63:1f:08:88:6f: 9b:0b:db:43:21:31:4a:08:a2:a2:f6:af:7a:b3:20:94:5f:7d: 2f:53:3a:20:ea:08:5f:db:38:89:24:83:bd:9c:a0:78:ea:68: cd:39:47:b8:b6:f3:f4:bb:14:cc:e8:d0:24:59:7e:fc:0f:05: e9:73:18:5b:5d:31:0b:d2:e0:17:0f:ff:0d:b8:39:54:32:42: a2:07:b3:d3:53:5c:89:f7:b4:c3:44:60:7e:0c:5f:d1:80:e8: d2:6b:89:8d:1f:a9:79:7b -----BEGIN CERTIFICATE----- MIIFnDCCA4SgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJGUjET MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ dHkgTHRkMB4XDTE1MTIwMjA3MzIzNloXDTI1MTEyOTA3MzIzNlowNDELMAkGA1UE BhMCRlIxCzAJBgNVBAgMAkZSMQwwCgYDVQQKDANPVkgxCjAIBgNVBAMMATEwggIi MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCuKp6mb1Tr9x9/1me1aBGdqHmT eOi2SPZkfuW/cjNhb0rpwCX2YUfe96NdPdr6LZcIIFuxqRArUBjKQOoW+D2lXswY 1IAwYsxMtyuZnmo6CZcrHXk20lN6jZZPIMDzrOkB0aDXADeDH2Tu308nYaJflGa+ NVieUqCRCgBXE9W0s5AQjEJPNGk/nBt9m67reY3ZnSw8dFjCuqU05RUBRdNHhYLr NLIhupcrTpCST4UZx7B/zYxJCE4y0J40r7kCqkAur/VrQZKfWqsJtb16c/5N9BvG IyIVfLVH4Yi9irfXG15KU/lBM+kwl86btIh39jWcR6cSXZie5Bwnv73lhbHBH9wX A8AAnwvYQMMcMfObYBcFDax5nlMrqtp45/SoPvkU8UAfR99Fx1cUPSZonKd32ilQ hRzjYuZm8F5ZbzVhMuSofaEwtYVpDuP9jmd4w0dYXYg2ZYUJUkZHu0gDnOVCSGZ9 NH0BnGfqgvDVTptkDMbbHA0q3me6pQRESvwSlHewMPzQBibU6JTtoXhNzfqLpE5F /M8r2EcR4GjgeDY0T3ZcdktpAkwiR1cQks652CB+gICnylV8QaQKDgjghuJjn+T2 4BP9Z3oU9+L+bhQquoDhKQ18WjaRYK6bFG8eLUC5KAPl1vj0ZG3Kix04SDCS+m91 yXpiYUcOMj7lfgo71QIDAQABo4GnMIGkMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQzGh5C hwcfBYPGFN5dvJCJjBA5RDAfBgNVHSMEGDAWgBTAt5eJzUIeavt9rjseoTB+lPr7 NTApBgNVHR8EIjAgMB6gHKAahhhodHRwczovL2RlYi5vdmgubmV0L3NzbC8wDQYJ KoZIhvcNAQELBQADggIBAK3X0B/R8hCI1Exe/oCIljVVJhKNHx840jZudQA36EUo 68O153GQkVqWLbY+W8BFhOXcB2VjVLEGS2ruY4BUY0xyGi/rAHw2CxgiOtKQ5j9p ms+3UHIZ9j3VGfoqRgnPhvcSDixKWWwmRStSkHJVqX0WJ9u6GcvIlkzhQnlrq/mH l0Pg0XEt7/zJ8AKxfWxZ7/0Adkun+ZwaBZBb3y41Usd5+fMx1T9gKpN4SBk7U0Pt 7vA5yPqIuH6wXs5zwrLC2pU52R63AteYIDHSkcLJYUXNm/FUPRfflgk9EZa0lyqf 6J531Btn2aGdHrjZWDq0JiQj1aDWUngdL9nO9EFmgnxW2d+gCMu0rip5Fr+RCUa+ NRdEc3tI4D70A0WnNj6Ojlh8AqnHnSKYvNMFkIE51gAJpDNYD1e5peLQP+StTkek r5i20Enw+dWbsRjG+309GGyQYh/LyZcAklcpMh2+AmGvHxdI62qwovSW4Q8kYxHH Zi+8fsLg/SU8rINbBTWzRWSOkyE97RyVriRVmAdfmXEojgFdlBZiA6FjHwiIb5sL 20MhMUoIoqL2r3qzIJRffS9TOiDqCF/bOIkkg72coHjqaM05R7i28/S7FMzo0CRZ fvwPBelzGFtdMQvS4BcP/w24OVQyQqIHs9NTXIn3tMNEYH4MX9GA6NJriY0fqXl7 -----END CERTIFICATE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Hi Mehdi B.,
You have forgotten to include the most important parts of the log files, which are the logs of an actual attempted connection. We cannot see the certificate verification logs without it. Of course the initialization logs are also useful.
CRL verification was rewritten from scratch in stunnel 5.24, so please use stunnel 5.26 for testing.
Try to simplify your configuration as much as possible: 1. Get rid of chroot/setuid/setgid 2. Replace CApath with CAfile. 3. Replace CRLpath with CRLfile.
Once you get the most basic configuration working, you can re-add advanced features one-by-one to see which one causes the problem.
Mike
On 02.12.2015 12:30, Mehdi B. wrote:
Hello
I'm affraid, but logs are activated in debug mode :
debug = 7 output = /log/2.log
I'll try with 5.26 and a simplest configuration
Thank you
2015-12-02 13:20 GMT+01:00 Michal Trojnara Michal.Trojnara@mirt.net:
Hi
I try an easiest configuration :
root@auditd:~# cat /etc/stunnel/2.conf| sed '/^;/d;/^$/d' debug = 7 output = /var/lib/stunnel/2/log/2.log [2] verify = 2 CRLfile = /var/lib/stunnel/2/crl/CA.crl.pem CAFile = /var/lib/stunnel/2/ca/CA.pem cert = /var/lib/stunnel/2/2.cert key = /var/lib/stunnel/2/2.key client = yes accept = 127.0.0.1:23 connect = 127.0.0.1:59062
Doesn't work :
2015.12.02 14:14:19 LOG7[cron]: Cron started 2015.12.02 14:14:19 LOG7[ui]: Clients allowed=500 2015.12.02 14:14:19 LOG5[ui]: stunnel 5.26 on x86_64-unknown-linux-gnu platform 2015.12.02 14:14:19 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e 11 Feb 2013 2015.12.02 14:14:19 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI 2015.12.02 14:14:19 LOG7[ui]: errno: (*__errno_location ()) 2015.12.02 14:14:19 LOG5[ui]: Reading configuration from file /etc/stunnel/2.conf 2015.12.02 14:14:19 LOG5[ui]: UTF-8 byte order mark not detected 2015.12.02 14:14:19 LOG5[ui]: FIPS mode disabled 2015.12.02 14:14:19 LOG7[ui]: Compression disabled 2015.12.02 14:14:19 LOG7[ui]: Snagged 64 random bytes from /root/.rnd 2015.12.02 14:14:19 LOG7[ui]: Wrote 1024 new random bytes to /root/.rnd 2015.12.02 14:14:19 LOG7[ui]: PRNG seeded successfully 2015.12.02 14:14:19 LOG6[ui]: Initializing service [2] 2015.12.02 14:14:19 LOG6[ui]: Loading certificate from file: /var/lib/stunnel/2/2.cert 2015.12.02 14:14:19 LOG6[ui]: Loading key from file: /var/lib/stunnel/2/2.key 2015.12.02 14:14:19 LOG7[ui]: Private key check succeeded 2015.12.02 14:14:19 LOG7[ui]: Loaded /var/lib/stunnel/2/crl/CA.crl.pem revocation lookup file 2015.12.02 14:14:19 LOG4[ui]: Service [2] uses "verify = 2" without subject checks 2015.12.02 14:14:19 LOG4[ui]: Rebuild your stunnel against OpenSSL version 1.0.2 or higher 2015.12.02 14:14:19 LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates 2015.12.02 14:14:19 LOG7[ui]: SSL options: 0x03000004 (+0x03000000, -0x00000000) 2015.12.02 14:14:19 LOG5[ui]: Configuration successful 2015.12.02 14:14:19 LOG7[ui]: Listening file descriptor created (FD=6) 2015.12.02 14:14:19 LOG7[ui]: Service [2] (FD=6) bound to 127.0.0.1:23 2015.12.02 14:14:19 LOG7[main]: No pid file being created
CRL doesn't work, because I don't do a checkHost?
Regards
2015-12-02 13:59 GMT+01:00 Mehdi B. likarum@gmail.com:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Hi Mehdi B.,
You still didn't include the logs of an actual attempted connection.
Every connection serviced by stunnel logs a number of lines. If nothing is logged than this instance of stunnel is not used at all (which clearly explains why it doesn't work as expected).
Mike
On 02.12.2015 14:23, Mehdi B. wrote:
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZBcNMTUxMjAyMDkwNDM4WhcNMTYwMTAxMDkwNDM4WjB4MBICAQEXDTE1MTIwMTE0
NDYzOFowEgIBAhcNMTUxMjAyMDkwNDI5WjASAgEDFw0xNTEyMDIwNzI1MzRaMBIC
AQQXDTE1MTIwMjA3Mjc0NVowEgIBBRcNMTUxMjAyMDczMjIxWjASAgEGFw0xNTEy
MDIwODIxNDhaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsFAAOCAgEAFiTU
+HeCe8pwGgEmX4OfE29RZ4WwLKclwUZmyrhGdIVKyiYr/0bnkaMQCc5rhB1YoUoc
OKwaWPxQCnoeHFz5K+8lepMns15l1maJMyNS/Q04fmbWdNfksnLYdElz0yq14COK
A7XGzir0A++MUIO+n2gER3n/XUvLis08al8CM+Zhhv9M83QsgXDBEwVDVBoEoHvf
/vjlUFPOLASGNu0KmCRyXmgaI3+OhVwsK3vfI1b+L8fa7MqPSKApFXI44/9IHokw
sXIbIT8L4K3ricNlcMwpA/Buc77IJGSTuHuvIaBnJFq+6LDs4KFfDKnl3gk5CCNg
2dlOB6LyHk+WDLfGu1sq43iSLvo5nK7UTLKy438qWBSGgJf9XpWxndYjPczOKwtl
skP1FfsgLHKP/WJ9f1SAVCIiQhV7JxgvJHCBykTMxNic2Jlp8v1Kfz4RV5El2G9C
rrDVvP3NC5ulwvbQzovjZnt4A5CmykT54cuAcC7bsDzR/FrY9f3GRF9PGfXaE6Uv
EfPbcyKhmIOwRA0rWS86VPsAoI8bGSvAPJ378IBQmp57tkaE09+yNmvSl1P52h6M
euhAFRc7F7fGDeBk5GiWEUPS2NT4G3tEFSnZyuU6l7a0xrkrwoptR2J1M6Hd6ZMo
X509v3 CRL Distribution Points:
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMB4XDTE1MTIwMjA3MzIzNloXDTI1MTEyOTA3MzIzNlowNDELMAkGA1UE
BhMCRlIxCzAJBgNVBAgMAkZSMQwwCgYDVQQKDANPVkgxCjAIBgNVBAMMATEwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCuKp6mb1Tr9x9/1me1aBGdqHmT
eOi2SPZkfuW/cjNhb0rpwCX2YUfe96NdPdr6LZcIIFuxqRArUBjKQOoW+D2lXswY
1IAwYsxMtyuZnmo6CZcrHXk20lN6jZZPIMDzrOkB0aDXADeDH2Tu308nYaJflGa+
NVieUqCRCgBXE9W0s5AQjEJPNGk/nBt9m67reY3ZnSw8dFjCuqU05RUBRdNHhYLr
NLIhupcrTpCST4UZx7B/zYxJCE4y0J40r7kCqkAur/VrQZKfWqsJtb16c/5N9BvG
IyIVfLVH4Yi9irfXG15KU/lBM+kwl86btIh39jWcR6cSXZie5Bwnv73lhbHBH9wX
A8AAnwvYQMMcMfObYBcFDax5nlMrqtp45/SoPvkU8UAfR99Fx1cUPSZonKd32ilQ
hRzjYuZm8F5ZbzVhMuSofaEwtYVpDuP9jmd4w0dYXYg2ZYUJUkZHu0gDnOVCSGZ9
NH0BnGfqgvDVTptkDMbbHA0q3me6pQRESvwSlHewMPzQBibU6JTtoXhNzfqLpE5F
/M8r2EcR4GjgeDY0T3ZcdktpAkwiR1cQks652CB+gICnylV8QaQKDgjghuJjn+T2
4BP9Z3oU9+L+bhQquoDhKQ18WjaRYK6bFG8eLUC5KAPl1vj0ZG3Kix04SDCS+m91
yXpiYUcOMj7lfgo71QIDAQABo4GnMIGkMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQzGh5C
hwcfBYPGFN5dvJCJjBA5RDAfBgNVHSMEGDAWgBTAt5eJzUIeavt9rjseoTB+lPr7
NTApBgNVHR8EIjAgMB6gHKAahhhodHRwczovL2RlYi5vdmgubmV0L3NzbC8wDQYJ
KoZIhvcNAQELBQADggIBAK3X0B/R8hCI1Exe/oCIljVVJhKNHx840jZudQA36EUo
68O153GQkVqWLbY+W8BFhOXcB2VjVLEGS2ruY4BUY0xyGi/rAHw2CxgiOtKQ5j9p
ms+3UHIZ9j3VGfoqRgnPhvcSDixKWWwmRStSkHJVqX0WJ9u6GcvIlkzhQnlrq/mH
l0Pg0XEt7/zJ8AKxfWxZ7/0Adkun+ZwaBZBb3y41Usd5+fMx1T9gKpN4SBk7U0Pt
7vA5yPqIuH6wXs5zwrLC2pU52R63AteYIDHSkcLJYUXNm/FUPRfflgk9EZa0lyqf
6J531Btn2aGdHrjZWDq0JiQj1aDWUngdL9nO9EFmgnxW2d+gCMu0rip5Fr+RCUa+
NRdEc3tI4D70A0WnNj6Ojlh8AqnHnSKYvNMFkIE51gAJpDNYD1e5peLQP+StTkek
r5i20Enw+dWbsRjG+309GGyQYh/LyZcAklcpMh2+AmGvHxdI62qwovSW4Q8kYxHH
Zi+8fsLg/SU8rINbBTWzRWSOkyE97RyVriRVmAdfmXEojgFdlBZiA6FjHwiIb5sL
20MhMUoIoqL2r3qzIJRffS9TOiDqCF/bOIkkg72coHjqaM05R7i28/S7FMzo0CRZ
fvwPBelzGFtdMQvS4BcP/w24OVQyQqIHs9NTXIn3tMNEYH4MX9GA6NJriY0fqXl7
_______________________________________________
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I noticed a typo in my email. What I meant was: "If nothing is logged *then* this instance of stunnel is not used at all (which clearly explains why it doesn't work as expected)."
Mike
On 02.12.2015 14:34, Michal Trojnara wrote:
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZBcNMTUxMjAyMDkwNDM4WhcNMTYwMTAxMDkwNDM4WjB4MBICAQEXDTE1MTIwMTE0
NDYzOFowEgIBAhcNMTUxMjAyMDkwNDI5WjASAgEDFw0xNTEyMDIwNzI1MzRaMBIC
AQQXDTE1MTIwMjA3Mjc0NVowEgIBBRcNMTUxMjAyMDczMjIxWjASAgEGFw0xNTEy
MDIwODIxNDhaoA4wDDAKBgNVHRQEAwIBAjANBgkqhkiG9w0BAQsFAAOCAgEAFiTU
+HeCe8pwGgEmX4OfE29RZ4WwLKclwUZmyrhGdIVKyiYr/0bnkaMQCc5rhB1YoUoc
OKwaWPxQCnoeHFz5K+8lepMns15l1maJMyNS/Q04fmbWdNfksnLYdElz0yq14COK
A7XGzir0A++MUIO+n2gER3n/XUvLis08al8CM+Zhhv9M83QsgXDBEwVDVBoEoHvf
/vjlUFPOLASGNu0KmCRyXmgaI3+OhVwsK3vfI1b+L8fa7MqPSKApFXI44/9IHokw
sXIbIT8L4K3ricNlcMwpA/Buc77IJGSTuHuvIaBnJFq+6LDs4KFfDKnl3gk5CCNg
2dlOB6LyHk+WDLfGu1sq43iSLvo5nK7UTLKy438qWBSGgJf9XpWxndYjPczOKwtl
skP1FfsgLHKP/WJ9f1SAVCIiQhV7JxgvJHCBykTMxNic2Jlp8v1Kfz4RV5El2G9C
rrDVvP3NC5ulwvbQzovjZnt4A5CmykT54cuAcC7bsDzR/FrY9f3GRF9PGfXaE6Uv
EfPbcyKhmIOwRA0rWS86VPsAoI8bGSvAPJ378IBQmp57tkaE09+yNmvSl1P52h6M
euhAFRc7F7fGDeBk5GiWEUPS2NT4G3tEFSnZyuU6l7a0xrkrwoptR2J1M6Hd6ZMo
X509v3 Authority Key Identifier:
keyid:C0:B7:97:89:CD:42:1E:6A:FB:7D:AE:3B:1E:A1:30:7E:94:FA:FB:35
X509v3 CRL Distribution Points:
MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQ
dHkgTHRkMB4XDTE1MTIwMjA3MzIzNloXDTI1MTEyOTA3MzIzNlowNDELMAkGA1UE
BhMCRlIxCzAJBgNVBAgMAkZSMQwwCgYDVQQKDANPVkgxCjAIBgNVBAMMATEwggIi
MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCuKp6mb1Tr9x9/1me1aBGdqHmT
eOi2SPZkfuW/cjNhb0rpwCX2YUfe96NdPdr6LZcIIFuxqRArUBjKQOoW+D2lXswY
1IAwYsxMtyuZnmo6CZcrHXk20lN6jZZPIMDzrOkB0aDXADeDH2Tu308nYaJflGa+
NVieUqCRCgBXE9W0s5AQjEJPNGk/nBt9m67reY3ZnSw8dFjCuqU05RUBRdNHhYLr
NLIhupcrTpCST4UZx7B/zYxJCE4y0J40r7kCqkAur/VrQZKfWqsJtb16c/5N9BvG
IyIVfLVH4Yi9irfXG15KU/lBM+kwl86btIh39jWcR6cSXZie5Bwnv73lhbHBH9wX
A8AAnwvYQMMcMfObYBcFDax5nlMrqtp45/SoPvkU8UAfR99Fx1cUPSZonKd32ilQ
hRzjYuZm8F5ZbzVhMuSofaEwtYVpDuP9jmd4w0dYXYg2ZYUJUkZHu0gDnOVCSGZ9
NH0BnGfqgvDVTptkDMbbHA0q3me6pQRESvwSlHewMPzQBibU6JTtoXhNzfqLpE5F
/M8r2EcR4GjgeDY0T3ZcdktpAkwiR1cQks652CB+gICnylV8QaQKDgjghuJjn+T2
4BP9Z3oU9+L+bhQquoDhKQ18WjaRYK6bFG8eLUC5KAPl1vj0ZG3Kix04SDCS+m91
yXpiYUcOMj7lfgo71QIDAQABo4GnMIGkMAkGA1UdEwQCMAAwLAYJYIZIAYb4QgEN
BB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBQzGh5C
hwcfBYPGFN5dvJCJjBA5RDAfBgNVHSMEGDAWgBTAt5eJzUIeavt9rjseoTB+lPr7
NTApBgNVHR8EIjAgMB6gHKAahhhodHRwczovL2RlYi5vdmgubmV0L3NzbC8wDQYJ
KoZIhvcNAQELBQADggIBAK3X0B/R8hCI1Exe/oCIljVVJhKNHx840jZudQA36EUo
68O153GQkVqWLbY+W8BFhOXcB2VjVLEGS2ruY4BUY0xyGi/rAHw2CxgiOtKQ5j9p
ms+3UHIZ9j3VGfoqRgnPhvcSDixKWWwmRStSkHJVqX0WJ9u6GcvIlkzhQnlrq/mH
l0Pg0XEt7/zJ8AKxfWxZ7/0Adkun+ZwaBZBb3y41Usd5+fMx1T9gKpN4SBk7U0Pt
7vA5yPqIuH6wXs5zwrLC2pU52R63AteYIDHSkcLJYUXNm/FUPRfflgk9EZa0lyqf
6J531Btn2aGdHrjZWDq0JiQj1aDWUngdL9nO9EFmgnxW2d+gCMu0rip5Fr+RCUa+
NRdEc3tI4D70A0WnNj6Ojlh8AqnHnSKYvNMFkIE51gAJpDNYD1e5peLQP+StTkek
r5i20Enw+dWbsRjG+309GGyQYh/LyZcAklcpMh2+AmGvHxdI62qwovSW4Q8kYxHH
Zi+8fsLg/SU8rINbBTWzRWSOkyE97RyVriRVmAdfmXEojgFdlBZiA6FjHwiIb5sL
20MhMUoIoqL2r3qzIJRffS9TOiDqCF/bOIkkg72coHjqaM05R7i28/S7FMzo0CRZ
fvwPBelzGFtdMQvS4BcP/w24OVQyQqIHs9NTXIn3tMNEYH4MX9GA6NJriY0fqXl7
_______________________________________________
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Hello
It's my mistake. When I configured the server/client, I think : "Connection will open and die"
In reality, connection still opened, but the certificate is denied, when we use it.
Sorry
2015-12-02 14:37 GMT+01:00 Michal Trojnara Michal.Trojnara@mirt.net:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 02.12.2015 15:16, Mehdi B. wrote:
SSH tunnelling (as in OpenSSH) opens one persistent connection and multiplexes tunnelled TCP sessions inside it.
TLS tunnelling (as in stunnel) does not keep any persistent connection. It uses separate TCP connections created on demand for individual tunnelled TCP sessions. This is a better approach for many reasons, including reliability, bandwidth management, and power consumption (no keepalives are needed on battery powered devices to survive timeouts on NATs and stateful firewalls).
Mike
-
Mehdi B. -
Michal Trojnara