Hi,
it seems that I have misunderstood something about stunnel client certificates. First of all: until now I have run stunnel 4.18 and stunnel 4.21 on Debian and Kubuntu without client certificates (successfully). I use it to reach a proprietary application through an untrusted network.
Now I want the clients to authenticate against the server. Therefore, as a quick and dirty test, I used the same stunnel.pem file on the server and on the client side. The configuration on the server side (where the application is waiting for connections; in this example it is just a script) looks like this:

cert = /etc/stunnel/stunnel.pem
#chroot = /var/run/stunnel/
pid = /tmp/stunnel.pid
setuid = nobody
setgid = nogroup
output = /var/log/stunnel4.log
exec = /root/stest.sh
verify = 1

[BreakOut]
accept = 192.168.0.1:443

Here is the configuration on the client side, where a browser establishes a connection:

cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 0
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes

[BreakOut]
accept = 127.0.0.1:8080
connect = 192.168.0.1:443
First of all: is it right to set 'verify = 1' at the server side, and 'verify = 0' at the client side? It seems right to me, because the client should authenticate, but not the other way.
Anyhow: as soon as a connection is opened using this configuration, it terminates within the same second.

renner@mars:~$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

In the client's log file I see:

SSL state (connect): before/connect initialization
SSL state (connect): SSLv3 write client hello A
SSL state (connect): SSLv3 read server hello A
VERIFY IGNORE: depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
VERIFY OK: depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
VERIFY IGNORE: depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
VERIFY OK: depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
SSL state (connect): SSLv3 read server certificate A
SSL state (connect): SSLv3 read server certificate request A
SSL state (connect): SSLv3 read server done A
SSL state (connect): SSLv3 write client certificate A
SSL state (connect): SSLv3 write client key exchange A
SSL state (connect): SSLv3 write certificate verify A
SSL state (connect): SSLv3 write change cipher spec A
SSL state (connect): SSLv3 write finished A
SSL state (connect): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
BreakOut finished (0 left)
And, more interesting, at the server side:
BreakOut connected from 84.57.55.105:57987
VERIFY ERROR: depth=0, error=self signed certificate: /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner@gmx.de
SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

Is something wrong with my self-signed certificate? In my first tests I used one that I made with TinyCA; another was made according to http://www.stunnel.org/faq/certs.html:

* openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
* openssl gendh 512 >> stunnel.pem
* openssl rsa -in stunnel.pem -out new.pem
* edit new.pem, merge some parts with stunnel.pem and rename it
Any hint?
Thanks
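An added example, not part of the original post: it reproduces the server-side "self signed certificate" verification error with openssl alone, then shows the same certificate verifying once it is used as the trust anchor, which is what stunnel's CAfile/CApath options would point at. The temporary file names and the certificate subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). A self-signed certificate only
# verifies when the verifier already trusts it; otherwise openssl reports
# "self signed certificate", exactly the VERIFY ERROR the stunnel server logged.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway self-signed certificate (key and cert in separate
# files so that openssl verify sees only the certificate). Subject is made up.
make_selfsigned() {
    openssl req -new -x509 -days 1 -nodes -newkey rsa:2048 \
        -subj "/CN=client.example.invalid" \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" 2>/dev/null
}

# No trust anchor configured: this is the server's situation in the log.
# Prints "untrusted" because the self-signed issuer is unknown.
verify_without_ca() {
    if openssl verify "$WORK/client.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# The certificate itself listed as CA: this is what adding it to CAfile
# (or a hashed CApath directory) on the stunnel server achieves. Prints "trusted".
verify_with_ca() {
    if openssl verify -CAfile "$WORK/client.crt" "$WORK/client.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_selfsigned
echo "without CAfile: $(verify_without_ca)"
echo "with CAfile:    $(verify_with_ca)"
```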