[stunnel-users] stunnel and OCSP verification: strange behaviour
Andreas Ntaflos
daff at pseudoterminal.org
Thu May 15 20:01:43 CEST 2008
Hi list,
[My apologies, I accidentally tried to send this message to stunnel-announce
earlier.]
I have a quick question regarding the use of stunnel with verification against
an OCSP responder. I am using stunnel 4.20 and (for testing) 4.23 but I don't
see any difference in the behaviour of both.
The main problem is that stunnel accepts and establishes connections from
clients even if those clients had their certificates revoked and the OCSP
responder correctly informs stunnel about it.
Consider the following configuration:
foreground = yes
CAfile = /path/to/cacert.pem
cert = /path/to/stunnel_cert.pem
key = /path/to/stunnel_key.pem
debug = 7
[clientauth]
accept = localhost:43434
connect = localhost:43433
verify = 2
OCSP = http://localhost:43435
The OCSP responder runs on localhost:43435 as you can see. Client verification
is enabled. Using openssl to manually check against the responder works fine:
openssl ocsp -issuer cacert.pem -CAfile cacert.pem -url \
http://localhost:43435 -cert revoked_cert.pem
Response verify OK
/path/to/revoked_cert.pem: revoked
This Update: May 15 15:38:46 2008 GMT
Next Update: May 15 17:04:32 2008 GMT
Revocation Time: May 15 15:38:26 2008 GMT
The relevant portion of stunnel's debug output looks like this:
[...]
Starting OCSP verification
FD 8 in non-blocking mode
connect_wait: waiting 10 seconds
connect_wait: connected
OCSP server connected
FD 8 in blocking mode
FD 8 in non-blocking mode
OCSP response received
OCSP verification passed: status=0, reason=-1208427072
VERIFY OK: depth=1, /CN=The CA/C=AT/ST=SomeState/L=SomeCity/O=The \
Organisation/emailAddress=camaster at the-organisation.invalid
Starting OCSP verification
FD 8 in non-blocking mode
connect_wait: waiting 10 seconds
connect_wait: connected
OCSP server connected
FD 8 in blocking mode
FD 8 in non-blocking mode
OCSP response received
OCSP verification passed: status=1, reason=-1
VERIFY OK: depth=0, /C=AT/ST=SomeState/O=The Organisation/CN=this is a \
revoked cert
SSL state (accept): SSLv3 read client certificate A
[...]
As far as I can see the OCSP verification works fine here, too, and at depth 0
stunnel finds the certificate to have been revoked (status=1 indicates that,
I believe). The connection, however, is not rejected.
Is there any way to have stunnel reject the connection when the client
certificate has been revoked? Where would I configure this? The only way I
have found yet was to patch src/verify.c but surely there must be a more
convenient approach to this?
On a related matter: if stunnel cannot and will not reject the connection upon
a negative response from the OCSP, what would be the best way to script
stunnel so that it rejects such a connection? I am asking because I am in the
process of writing a few Python scripts that incorporate stunnel to aid in
testing of some SSL-speaking components. Such a client component without a
valid, non-revoked certificate must not be able to connect.
I mean what good is OCSP verification if the result of the process, i.e. the
responders answer "the certificate is valid" or "the certificate is no longer
valid" doesn't matter to stunnel?
Am I missing the point somewhere?
I'd appreciate any insights on this.
Kind regards,
Andreas
--
Andreas "daff" Ntaflos
Vienna, Austria
GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC 7E65 397C E2A8 090C A9B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20080515/51954c0c/attachment.sig>
More information about the stunnel-users
mailing list