Hi - using Stunnel to enforce client certificate based authentication, and as part of that, we want to log accesses, and the CN used to access, on the server side (kind of an audit log).
On the client side, with debug set to 7, we get details about the connection, the SSL steps in the handshake, etc. - but on the server side, even with debug = 7, we're not seeing any info at all about the connections that are occurring.
Sooo ... is there a way to enable such logging on the server side of the tunnel? Or possibly turn on independent logging in the OpenSSL libs that are used? I looked, but haven't found anything online about this.
Thx!
---- David G. Bucci
If you can't say anything nice, at least have the decency to be vague.
More details, and checking the source code ... messages are being output during engine setup and such (all the msgs that should be logged during verification_init() in verify.c), but none of the messages from verify_callback().
We have verify = 2, debug = 7, and CAfile set (and during startup we see a msg that the CAfile is successfully read). The verification is in fact working correctly - when we pass in a self-signed cert, the connection is denied (and we see a "certificate bad" message in the client's log), but when we pass in a valid cert, it's accepted. In neither case do we see any msgs in the server's log.
The exact msgs we want are there in verify.c/verify_callback() -- the subject name listed for rejected and accepted certs, it looks like LOG_INFO should be enough, but we're simply not seeing any msgs.
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Bucci, David G Sent: Tuesday, September 21, 2010 11:26 AM To: stunnel-users@mirt.net Subject: [stunnel-users] Server side logging, no connection details logged
_______________________________________________ stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
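For reference, an added example (not from the thread or the stunnel project) of a server-side stunnel configuration with the settings described above, plus an explicit log destination; file paths, port numbers and the service name are assumptions:

```ini
# Added example, not from the thread. Server side of the tunnel:
# require and verify a client certificate, log at the most verbose
# level, and write the log to a file so the verify_callback()
# messages (accepted/rejected subject names) are easy to collect.

debug = 7                                  # highest log level (syslog LOG_DEBUG)
output = /var/log/stunnel/stunnel.log      # assumed path; without "output" a
                                           # non-foreground stunnel logs via syslog
foreground = no
pid = /var/run/stunnel.pid                 # assumed path

[audited-service]                          # assumed service name
accept = 8443                              # assumed listening port
connect = 127.0.0.1:8080                   # assumed backend
cert = /etc/stunnel/server.pem             # assumed server certificate
key = /etc/stunnel/server.key              # assumed server private key
CAfile = /etc/stunnel/trusted-clients.pem  # CA(s) that issued the client certs
verify = 2                                 # require a client cert and verify it against CAfile
```

Because stunnel sends its messages to syslog when it runs as a daemon without `output`, checking the syslog destination (or setting `output`) is the first thing to confirm when the file you are watching stays empty.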
Further follow-up - in the note immediately below, I was looking at the 4.34 source, but we were testing with 4.33 yesterday. Diffing, msgs were added to 4.34 for failed certificates (thank you -- you're very prescient :-). We're upgrading to 4.34 and retesting today, and I'll let everyone know.
That said -- 4.33 code has a msg that we should have seen when a certificate is accepted, at the end of verify_callback(), and we weren't seeing it.
-----Original Message----- From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Bucci, David G Sent: Wednesday, September 22, 2010 12:25 PM To: stunnel-users@mirt.net Subject: EXTERNAL: Re: [stunnel-users] Server side logging, no connection details logged