[stunnel-users] client auth saga

markzero at logik.ath.cx markzero at logik.ath.cx
Mon Aug 30 16:04:25 CEST 2004


Frustration doesn't begin to express it!
SEC Productions presents:

* THE CLIENT AND SERVER AUTH SAGA *

let's get on with it:

complete walkthrough of ssl cert creation
-----------------------------------------

By the way, please don't lecture me on ssh'ing into
machines as root, they are located on an isolated network
and of course, all logging in as root is disabled when
they are put into production. :)

There now follows a step by step account of everything so
far...

command prompt key:

ca# = certificate authority machine (or my isolated desktop,
		whichever you prefer).
		
records# = log server
dns# = my dns server (the logging client)

(obvious output of scripts snipped)

-----------------------------------------

ca# cd /etc/ssl/misc
ca# ./CA.sh -newca

<snip>

ca# ./CA.sh -newreq

<snip>

Request (and private key) is in newreq.pem

ca# ./CA.sh -sign
Signed certificate is in newcert.pem

ca# cat newreq.pem newcert.pem > log_server.pem

Then I realised that I needed it to be passwordless.

ca# openssl rsa -in newreq.pem -out decryptedcert.pem

ca# cat decryptedcert.pem newcert.pem > log_server_np.pem

(log_server_np.pem is now passwordless)

ca# scp log_server_np.pem records:/etc/ssl/stunnel_cert/
ca# scp demoCA/cacert.pem dns:/var/stunnel/cert/cacert.pem

we'll just try with server-side auth at the moment, on the
loghost:

records# cat /etc/stunnel/stunnel.conf

	cert = /etc/ssl/stunnel_cert/log_server_np.pem
	chroot = /var/stunnel
	pid = /var/run/stunnel.pid

	CApath = /certs
	CRLpath = /crls

	#verify = 2 

	debug = 7
	output = stunnel.log

	setuid = _stunnel
	setgid = _stunnel

	[syslogngs]
	accept = 192.168.1.9:5514
	connect = 127.0.0.1:5515

on the client:

dns# cat /etc/stunnel/stunnel.conf

	#cert = /etc/stunnel/cert/clientkeycert.pem
	chroot = /var/stunnel
	pid = /var/run/stunnel.pid

	CAfile = /certs/cacert.pem
	CRLpath = /crls

	debug = 7
	output = stunnel.log

	client = yes

	setuid = _stunnel
	setgid = _stunnel

	[syslogngs]
	accept = 127.0.0.1:5515
	connect = 192.168.1.9:5514

looks good...

dns# telnet localhost 5515

(in the interests of patience and readability, the output
of stunnel.log isn't posted here; suffice it to say the connection
is successful and works)

now to step up to client and server authentication.

ca# openssl req -x509 -newkey rsa:2048 -keyout clientkey.pem -out \
	clientcert -days 365

(forgot to use -nodes)

ca# openssl rsa -in clientkey.pem -out client_decrypted_key.pem
ca# cat clientkey.pem clientcert.pem > clientkeycert.pem
ca# ./c_hash clientkeycert.pem
4410a4d9.0 => clientkeycert.pem

ca# scp clientkeycert.pem dns:/etc/stunnel/cert
ca# scp clientcert.pem records:/var/stunnel/certs

on the server:

records# ln -s /var/stunnel/certs/clientcert.pem \
	/var/stunnel/certs/4410a4d9.0
	
adjust the stunnel.conf on both hosts accordingly:

records# cat /etc/stunnel/stunnel.conf

	cert = /etc/ssl/stunnel_cert/log_server_np.pem
	chroot = /var/stunnel
	pid = /var/run/stunnel.pid

	CApath = /certs
	CRLpath = /crls

	verify = 3 

	debug = 7
	output = stunnel.log

	setuid = _stunnel
	setgid = _stunnel

	[syslogngs]
	accept = 192.168.1.9:5514
	connect = 127.0.0.1:5515

dns# cat /etc/stunnel/stunnel.conf

	cert = /etc/stunnel/cert/clientkeycert.pem
	chroot = /var/stunnel
	pid = /var/run/stunnel.pid

	CAfile = /certs/cacert.pem
	CRLpath = /crls

	debug = 7
	output = stunnel.log

	client = yes

	setuid = _stunnel
	setgid = _stunnel

	[syslogngs]
	accept = 127.0.0.1:5515
	connect = 192.168.1.9:5514
	
and just to show the permissions:

records# ls -al /etc/ssl/
drwx------   2 _stunnel  _stunnel   512 Aug 30 12:19 stunnel_cert

records# ls -al /etc/ssl/stunnel_cert
-rw-------  1 _stunnel  _stunnel  4320 Aug 30 12:19 log_server_np.pem

records# ls -al /var/stunnel/certs/
lrwxr-xr-x  1 root      _stunnel    33 Aug 30 14:33 4410a4d9.0 -> /var/stunnel/certs/clientcert.pem
-rw-------  1 _stunnel  _stunnel  1489 Aug 30 14:32 clientcert.pem

dns# ls -al /etc/stunnel/
drwx------   3 _stunnel  _stunnel    512 Aug 29 21:50 .
drwx------   2 _stunnel  _stunnel    512 Aug 30 14:18 cert
-rw-------   1 _stunnel  _stunnel    301 Aug 30 14:22 stunnel.conf
-rw-------   1 _stunnel  _stunnel  13401 Aug 29 22:21 stunnel.log

dns# ls -al /etc/stunnel/cert/
-rw-------  1 _stunnel  _stunnel  3168 Aug 30 14:18 clientkeycert.pem

dns# ls -al /var/stunnel/
drwx------   5 _stunnel  _stunnel  512 Aug 29 21:28 .
drwx------   2 _stunnel  _stunnel  512 Aug 30 13:59 cert
drwx------   2 _stunnel  _stunnel  512 Aug 29 21:16 crl
drwx------   3 _stunnel  _stunnel  512 Aug 29 21:28 var

dns# ls -al /var/stunnel/cert/
drwx------  2 _stunnel  _stunnel   512 Aug 30 13:59 .
-rw-------  1 _stunnel  _stunnel  1115 Aug 30 13:59 cacert.pem

now, to test.

records# /usr/local/sbin/stunnel /etc/stunnel/stunnel.conf

dns# /usr/local/sbin/stunnel /etc/stunnel/stunnel.conf

the log files on both show no errors; let's try a connection from
dns to records...

dns# telnet localhost 5515 
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

urgh! what went wrong?

records# cat stunnel.log

2004.08.30 14:46:43 LOG5[27205:1006690304]: stunnel 4.05 on i386-unknown-openbsd3.5 PTHREAD with OpenSSL 0.9.7c 30 Sep 2003
2004.08.30 14:46:43 LOG7[27205:1006690304]: Snagged 64 random bytes from /dev/arandom
2004.08.30 14:46:43 LOG7[27205:1006690304]: RAND_status claims sufficient entropy for the PRNG
2004.08.30 14:46:43 LOG6[27205:1006690304]: PRNG seeded successfully
2004.08.30 14:46:43 LOG7[27205:1006690304]: Certificate: /etc/ssl/stunnel_cert/log_server_np.pem
2004.08.30 14:46:43 LOG7[27205:1006690304]: Key file: /etc/ssl/stunnel_cert/log_server_np.pem
2004.08.30 14:46:43 LOG7[27205:1006690304]: Verify directory set to /certs
2004.08.30 14:46:43 LOG7[27205:1006690304]: CRL directory set to /crls
2004.08.30 14:46:43 LOG5[27205:1006690304]: Peer certificate location /certs
2004.08.30 14:46:43 LOG5[27205:1006690304]: FD_SETSIZE=1024, file ulimit=128 -> 61 clients allowed
2004.08.30 14:46:43 LOG7[27205:1006690304]: FD 10 in non-blocking mode
2004.08.30 14:46:43 LOG7[27205:1006690304]: SO_REUSEADDR option set on accept socket
2004.08.30 14:46:43 LOG7[27205:1006690304]: syslogngs bound to 192.168.1.9:5514
2004.08.30 14:46:43 LOG7[27205:1006690304]: FD 11 in non-blocking mode
2004.08.30 14:46:43 LOG7[27205:1006690304]: FD 12 in non-blocking mode
2004.08.30 14:46:43 LOG7[20297:1006690304]: Created pid file /var/run/stunnel.pid
2004.08.30 14:46:51 LOG7[20297:1006690304]: syslogngs accepted FD=13 from 192.168.1.6:7109
2004.08.30 14:46:51 LOG7[20297:1006690304]: FD 13 in non-blocking mode
2004.08.30 14:46:51 LOG7[20297:1006693376]: syslogngs started
2004.08.30 14:46:51 LOG5[20297:1006693376]: syslogngs connected from 192.168.1.6:7109
2004.08.30 14:46:51 LOG7[20297:1006693376]: SSL state (accept): before/accept initialization
2004.08.30 14:46:51 LOG7[20297:1006693376]: SSL state (accept): SSLv3 read client hello A
2004.08.30 14:46:51 LOG7[20297:1006693376]: SSL state (accept): SSLv3 write server hello A
2004.08.30 14:46:51 LOG7[20297:1006693376]: SSL state (accept): SSLv3 write certificate A
2004.08.30 14:46:51 LOG7[20297:1006693376]: SSL state (accept): SSLv3 write certificate request A
2004.08.30 14:46:51 LOG7[20297:1006693376]: SSL state (accept): SSLv3 flush data
2004.08.30 14:46:51 LOG7[20297:1006693376]: waitforsocket: FD=13, DIR=read
2004.08.30 14:46:52 LOG7[20297:1006693376]: waitforsocket: ok
2004.08.30 14:46:52 LOG4[20297:1006693376]: VERIFY ERROR: depth=0, error=self signed certificate: /C=UK/L=London/O=SI/OU=SEC/CN=LogClient/emailAddress=root at localhost
2004.08.30 14:46:52 LOG7[20297:1006693376]: SSL alert (write): fatal: bad certificate
2004.08.30 14:46:52 LOG3[20297:1006693376]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2004.08.30 14:46:52 LOG7[20297:1006693376]: syslogngs finished (0 left)

---
dns# cat stunnel.log

2004.08.30 14:33:24 LOG5[10920:1006690304]: stunnel 4.05 on i386-unknown-openbsd3.5 PTHREAD with OpenSSL 0.9.7c 30 Sep 2003
2004.08.30 14:33:24 LOG7[10920:1006690304]: Snagged 64 random bytes from /dev/arandom
2004.08.30 14:33:24 LOG7[10920:1006690304]: RAND_status claims sufficient entropy for the PRNG
2004.08.30 14:33:24 LOG6[10920:1006690304]: PRNG seeded successfully
2004.08.30 14:33:24 LOG7[10920:1006690304]: Certificate: /etc/stunnel/cert/clientkeycert.pem
2004.08.30 14:33:24 LOG7[10920:1006690304]: Key file: /etc/stunnel/cert/clientkeycert.pem
2004.08.30 14:33:24 LOG5[10920:1006690304]: FD_SETSIZE=1024, file ulimit=128 -> 61 clients allowed
2004.08.30 14:33:24 LOG7[10920:1006690304]: FD 10 in non-blocking mode
2004.08.30 14:33:24 LOG7[10920:1006690304]: SO_REUSEADDR option set on accept socket
2004.08.30 14:33:24 LOG7[10920:1006690304]: syslogngs bound to 127.0.0.1:5515
2004.08.30 14:33:24 LOG7[10920:1006690304]: FD 11 in non-blocking mode
2004.08.30 14:33:24 LOG7[10920:1006690304]: FD 12 in non-blocking mode
2004.08.30 14:33:24 LOG7[11717:1006690304]: Created pid file /var/run/stunnel.pid
2004.08.30 14:33:30 LOG7[11717:1006690304]: syslogngs accepted FD=13 from 127.0.0.1:20109
2004.08.30 14:33:30 LOG7[11717:1006690304]: FD 13 in non-blocking mode
2004.08.30 14:33:30 LOG7[11717:1006693376]: syslogngs started
2004.08.30 14:33:30 LOG5[11717:1006693376]: syslogngs connected from 127.0.0.1:20109
2004.08.30 14:33:30 LOG7[11717:1006693376]: FD 14 in non-blocking mode
2004.08.30 14:33:30 LOG7[11717:1006693376]: syslogngs connecting 192.168.1.9:5514
2004.08.30 14:33:30 LOG7[11717:1006693376]: remote connect #1: EINPROGRESS: retrying
2004.08.30 14:33:30 LOG7[11717:1006693376]: waitforsocket: FD=14, DIR=write
2004.08.30 14:33:30 LOG7[11717:1006693376]: waitforsocket: ok
2004.08.30 14:33:30 LOG7[11717:1006693376]: Remote FD=14 initialized
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): before/connect initialization
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 write client hello A
2004.08.30 14:33:30 LOG7[11717:1006693376]: waitforsocket: FD=14, DIR=read
2004.08.30 14:33:30 LOG7[11717:1006693376]: waitforsocket: ok
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 read server hello A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 read server certificate A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 read server certificate request A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 read server done A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 write client certificate A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 write client key exchange A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 write certificate verify A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 write change cipher spec A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 write finished A
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL state (connect): SSLv3 flush data
2004.08.30 14:33:30 LOG7[11717:1006693376]: waitforsocket: FD=14, DIR=read
2004.08.30 14:33:30 LOG7[11717:1006693376]: waitforsocket: ok
2004.08.30 14:33:30 LOG7[11717:1006693376]: SSL alert (read): fatal: bad certificate
2004.08.30 14:33:30 LOG3[11717:1006693376]: SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
2004.08.30 14:33:30 LOG7[11717:1006693376]: syslogngs finished (0 left)

(sorry about the unwrapped lines)

I've also tried using ktrace, but the ktrace.out drops off before the
connection (making it useless). I don't understand what can be wrong; I've
retraced my steps over and over. I did actually have it working before, but
due to testing, I reinstalled the OS and now it doesn't work. I'm loath
to install the development tools, as there are so many that it would be a
nightmare to remove them afterwards (prompting a reinstall, and look what
happened last time).

Any ideas? Anything I've done blindingly obviously wrong?

Why did it work before and not now?

ARGH!

cheers
mark


