[stunnel-users] ssl mutual authentication
Simon Santoro
simon.santoro at gmail.com
Sun Mar 9 21:33:52 CET 2008
Hello all.
I am sure I am missing something really obvious here, but I can't get this to
work.
HTTP client (localhost) -> stunnel (localhost) -> HTTPS server (remote host)
I'd like to use stunnel as a proxy for my HTTP requests that go to an HTTPS
server (apache if that makes any difference) on a remote host (fresh) that
uses a cert to authenticate the request.
I wrote this little ruby script[1] to test the request, and it works, so I am
sure that on the server/client/cert end there is no problem.
Now I'd like to use a simple wget or w3m to get the file from the remote
server through stunnel, but I keep getting
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The only difference between the ruby script and the stunnel setup is that in
the ruby script I have two different files for the crt and the key, and with
stunnel I joined those files together with
cat s2 at magnesium.key s2 at magnesium.crt >s2 at magnesium.pam
on localhost i run:
$ stunnel -r fresh:443 -d localhost:11443 -c -f -D 7 -c -S 0 -p
certs/s2 at magnesium.pem -a certs/ -A certs/freshCA.crt -v 3 -P none
2008.03.09 21:21:38 LOG5[9026:3082811056]: Using 'fresh.443' as tcpwrapper
service name
2008.03.09 21:21:38 LOG7[9026:3082811056]: RAND_status claims sufficient
entropy for the PRNG
2008.03.09 21:21:38 LOG6[9026:3082811056]: PRNG seeded successfully
2008.03.09 21:21:38 LOG7[9026:3082811056]: Certificate: certs/s2 at magnesium.pem
Enter PEM pass phrase:
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_defaults is 0
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_dir is certs/
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_file is certs/freshCA.crt
2008.03.09 21:21:40 LOG7[9026:3082811056]: Loaded verify certificates from
certs/freshCA.crt
2008.03.09 21:21:40 LOG7[9026:3082811056]: Set verify directory to certs/
2008.03.09 21:21:40 LOG5[9026:3082811056]: Peer certificate location certs/
2008.03.09 21:21:40 LOG5[9026:3082811056]: stunnel 3.26 on i486-pc-linux-gnu
PTHREAD+LIBWRAP with OpenSSL 0.9.8e 23 Feb 2007
2008.03.09 21:21:40 LOG7[9026:3082811056]: No pid file being created
2008.03.09 21:21:40 LOG5[9026:3082811056]: FD_SETSIZE=1024, file
ulimit=1024 -> 500 clients allowed
2008.03.09 21:21:40 LOG7[9026:3082811056]: SO_REUSEADDR option set on accept
socket
2008.03.09 21:21:40 LOG7[9026:3082811056]: fresh.443 bound to 127.0.0.1:11443
Then I try to connect to localhost:11443 with w3m, in the hope that my HTTP
request is encrypted and sent to fresh:443, and stunnel should check if the
PEER certificate is correct, but all I get is:
2008.03.09 21:26:44 LOG7[9214:3082585776]: fresh.443 accepted FD=6 from
127.0.0.1:43888
2008.03.09 21:26:44 LOG7[9214:3082423184]: fresh.443 started
2008.03.09 21:26:44 LOG5[9214:3082423184]: fresh.443 connected from
127.0.0.1:43888
2008.03.09 21:26:44 LOG7[9214:3082423184]: fresh.443 connecting
192.168.0.2:443
2008.03.09 21:26:44 LOG7[9214:3082423184]: Remote FD=7 initialized
2008.03.09 21:26:44 LOG7[9214:3082423184]: Relying on OpenSSL RSA Blinding.
2008.03.09 21:26:44 LOG7[9214:3082423184]: SSL state (connect): before/connect
initialization
2008.03.09 21:26:44 LOG7[9214:3082423184]: SSL state (connect): SSLv3 write
client hello A
2008.03.09 21:26:45 LOG7[9214:3082423184]: SSL state (connect): SSLv3 read
server hello A
2008.03.09 21:26:45 LOG5[9214:3082423184]: VERIFY OK: depth=1, /C=IT/O=S2
corp./CN=S2/emailAddress=s2 at fresh
2008.03.09 21:26:45 LOG4[9214:3082423184]: VERIFY ERROR ONLY MY: no cert
for /C=IT/O=S2 corp./CN=fresh
2008.03.09 21:26:45 LOG7[9214:3082423184]: SSL alert (write): fatal:
certificate unknown
2008.03.09 21:26:45 LOG3[9214:3082423184]: SSL_connect: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2008.03.09 21:26:45 LOG7[9214:3082423184]: fresh.443 finished (0 left)
Did I do something wrong? What am I missing? Please help me; it would really
save me a lot of work on the client side if I could get this going.
Thanks!
Simon
[1]
----------------------------------------------------
#!/usr/bin/ruby
require 'net/https'

# CA that signed the server certificate, and the client's own cert/key pair
SERVER_CERT_FILE = "certs/freshCA.crt"
CERT_FILE = "certs/s2 at magnesium.crt"
CERT_FILE_KEY = "certs/s2 at magnesium.key"

https = Net::HTTP.new('fresh', 443)
https.use_ssl = true

# client certificate and (passphrase-protected) private key presented to the server
https.cert = OpenSSL::X509::Certificate.new( File.read(CERT_FILE) )
https.key = OpenSSL::PKey::RSA.new( File.read(CERT_FILE_KEY), 'panza')

# server certificate: verify the server's chain against the CA file
https.ca_file = SERVER_CERT_FILE
https.verify_mode = OpenSSL::SSL::VERIFY_PEER #VERIFY_NONE
https.read_timeout = 120

https.start do |https|
  request = Net::HTTP::Get.new('/notes/test_auth')
  # request.basic_auth 's', 'x'
  response = https.request(request)
  response.value   # raises unless the response is 2xx
  puts response.body
end
----------------------------------------------------
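The log above shows two separate checks: "VERIFY OK: depth=1" is the chain check against the CA given with -A, and "VERIFY ERROR ONLY MY: no cert for /C=IT/O=S2 corp./CN=fresh" comes from the extra lookup that stunnel's verify level 3 performs, where the peer's own certificate must also be installed in the -a directory. The script below is an added example, not the poster's script and not stunnel's code: it models those two levels with OpenSSL in Ruby over certificates generated in memory (the subject names mirror the log; the keys, the impostor certificate and the helper names make_cert, chain_ok?, locally_installed?, verify_peer and demo are all constructed here). It also goes one step beyond the log by showing what level 3 buys over level 2: a second certificate for the same subject, issued by the same CA, passes level 2 but is rejected at level 3.

```ruby
require 'openssl'

# Added example (not the poster's script and not stunnel's code): a model of
# what stunnel's client-side verify levels check, run against certificates
# generated in memory. Subject names mirror the log; keys and certificates
# are constructed here, not the poster's real files.

# Issue an X.509v3 certificate. issuer_cert/issuer_key nil => self-signed CA.
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Chain verification against the trusted CA (the -A file): this is the
# check behind "VERIFY OK: depth=1" in the log.
def chain_ok?(ca_cert, peer_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(peer_cert)
end

# Local-certificate lookup (the -a directory at -v 3): the peer's own
# certificate must be installed locally, found by subject-name hash, the
# same name c_rehash produces. Here local_certs maps that hash to a cert.
def locally_installed?(local_certs, peer_cert)
  installed = local_certs[peer_cert.subject.hash]
  !installed.nil? && installed.to_der == peer_cert.to_der
end

# Returns :ok or [:fail, reason]. Assumption: level 1 is treated like level 2
# because a TLS server always presents a certificate to a client.
def verify_peer(ca_cert, local_certs, peer_cert, level)
  return :ok if level == 0
  return [:fail, 'chain'] unless chain_ok?(ca_cert, peer_cert)
  return :ok if level < 3
  return :ok if locally_installed?(local_certs, peer_cert)
  [:fail, "no cert for #{peer_cert.subject}"]
end

# Scenario builder: the CA and server from the log, plus an impostor server
# certificate for the same subject issued by the same CA with a different key.
def demo
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca      = make_cert('/C=IT/O=S2 corp./CN=S2', ca_key, nil, nil, 1, ca: true)
  srv     = make_cert('/C=IT/O=S2 corp./CN=fresh', OpenSSL::PKey::RSA.new(2048), ca, ca_key, 2)
  imp     = make_cert('/C=IT/O=S2 corp./CN=fresh', OpenSSL::PKey::RSA.new(2048), ca, ca_key, 3)
  certdir = { srv.subject.hash => srv }   # the -a directory with fresh's cert copied in
  {
    level2_empty_dir: verify_peer(ca, {}, srv, 2),      # :ok, the CA alone suffices
    level3_empty_dir: verify_peer(ca, {}, srv, 3),      # [:fail, "no cert for ..."] as in the log
    level3_installed: verify_peer(ca, certdir, srv, 3), # :ok
    level3_impostor:  verify_peer(ca, certdir, imp, 3), # [:fail, ...]: valid chain, wrong cert
    level2_impostor:  verify_peer(ca, {}, imp, 2)       # :ok, level 2 cannot tell them apart
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Run it with plain `ruby` and compare the level3_empty_dir line with the log: the chain is fine, the failure is the missing local copy. Level 3 is effectively certificate pinning on top of CA validation, which is why the level3_impostor case fails even though the CA would vouch for it.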