[stunnel-users] Problem with the client certificate
Michael Renner
michael.renner at gmx.de
Sat Jan 3 22:44:07 CET 2009
On Thursday 01 January 2009, Christophe Nanteuil wrote:
> Well,
> I think the problem comes from the CAfile, ie the cert used to verify the
> other certs.
This is right. I thought that the CA file is not essential with verify depths
less than 2. It seems this was a mistake.
This time (yes, I use tinyCA), I made and used client- and server certificates
as well as the CA. Now it works.
Thanks for your help!
> To test, I think it is better to have only one section per file :
> - your key (section ----BEGIN RSA PRIVATE KEY----- to ---END RSA...) in the
> key file corresponding to key=file in config file.
> - your certificate (section ----BEGIN CERTIFICATE ----- to ---END
> CERTIFICATE...) in the cert file corresponding to cert=file in the config
> file.
> These files must exist for server and client since you want mutual
> authentication.
> For verifying the certificate, you need to put the client certificate
> (autosigned) in the CAfile option of the server config file.
> The same for the client : put the server certificate in the CAfile option
> of the client config file.
>
> on the server, the command 'openssl verify -CAfile client_cert.pem
> client_cert.pem' should return ok
> on the client, the command 'openssl verify -CAfile server_cert.pem
> server_cert.pem' should return ok.
> It can seem stupid but, as you have self-signed certificate, the CAfile is
> the cert file.
>
> If you use tinyCA, you can easily build your own CA with one CA cert and
> several certs for clients or servers. Then, you would be able to have the
> same CAfile on the client and on the server.
>
> I hope this is clear enough. If not, write me back.
>
>
>
>
> 2008/12/31 Michael Renner <michael.renner at gmx.de>
>
> > On Tuesday 30 December 2008, you wrote:
> > > Hello,
> >
> > Happy new year!
> >
> > > * are the permissions correct on your files :
> > > - key must belong to the user and have 0600 status (read only by the
> >
> > user)
> >
> > > - cert must belong to the user.
> >
> > I think the permissions are OK. The file is owed by root and loaded at
> > the start
> > Wrote 1024 new random bytes to /root/.rnd
> > RAND_status claims sufficient entropy for the PRNG
> > PRNG seeded successfully
> > Certificate: /etc/stunnel/stunnelclient.pem
> > Certificate loaded
> > Key file: /etc/stunnel/stunnelclient.pem
> > Private key loaded
> > SSL context initialized for service BreakOut
> >
> > > * Is the content of the cert file of this form
> > >
> > > -----BEGIN CERTIFICATE-----
> > > certificate data here
> > > -----END CERTIFICATE-----
> > > ?
> > > and the content of the key file this form
> > > -----BEGIN RSA PRIVATE KEY-----
> > > key datat here
> > > -----END RSA PRIVATE KEY-----
> >
> > I made several files. According to
> > http://www.stunnel.org/faq/certs.html#ToC5
> > I got a file with a certificate, a RSA Key and a DH section (I removed
> > the password for the certificate).
> >
> > According to http://www.stunnel.org/examples/client_cert.html I got a
> > different file: it has a certificate and a RSA section and between them
> > an other section:
> >
> > rcnyy/AbS1YPkdggJSnw+fqzg/L/QvQB6GTT5KWJzd0=
> > -----END RSA PRIVATE KEY-----
> > Certificate:
> > Data:
> > Version: 3 (0x2)
> > Serial Number: 5 (0x5)
> > Signature Algorithm: sha1WithRSAEncryption
> > Issuer: C=DE, ST=Germany, L=Munich, O=vbox4php, OU=Rektorat,
> > CN=DE/emailAddress=michael.renner at gmx.de
> > Validity
> > Not Before: Dec 28 20:37:19 2008 GMT
> > Not After : Dec 28 20:37:19 2009 GMT
> > Subject: C=DE, ST=Germany, O=vbox4php, OU=stunnel,
> > CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
> > Subject Public Key Info:
> > Public Key Algorithm: rsaEncryption
> > RSA Public Key: (1024 bit)
> > Modulus (1024 bit):
> > 00:b1:05:47:7a:27:4f:19:2b:18:72:e3:3c:f6:a6:
> > .
> > .
> > 2b:55:2d:c9:dc:96:55:14:bb
> > Exponent: 65537 (0x10001)
> > X509v3 extensions:
> > X509v3 Basic Constraints:
> > CA:FALSE
> > Netscape Cert Type:
> > SSL Server
> > Netscape Comment:
> > TinyCA Generated Certificate
> > X509v3 Subject Key Identifier:
> >
> > 86:F6:1F:71:29:AA:A5:61:DF:B2:81:F2:34:3A:A6:9E:58:C8:6A:5E X509v3
> > Authority Key Identifier:
> >
> > keyid:72:68:1A:0C:9D:E9:93:81:07:E9:36:71:75:33:05:C6:70:35:01:BF
> >
> >
> > DirName:/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=Rektorat/CN=DE/emailAddre
> >ss= michael.renner at gmx.de
> > serial:BC:97:82:4E:E3:9F:FE:5A
> >
> > X509v3 Issuer Alternative Name:
> > email:michael.renner at gmx.de
> > <email%3Amichael.renner at gmx.de> X509v3 Subject Alternative Name:
> > email:michael.renner at gmx.de
> > <email%3Amichael.renner at gmx.de> Signature Algorithm:
> > sha1WithRSAEncryption
> > 49:ef:06:aa:e5:71:b1:6e:23:87:02:9d:ce:56:e1:3b:77:5a:
> > .
> > .
> > 41:93:92:ee:57:23:95:f3:99:62:27:6a:a4:b7:85:b4:92:86:
> > 22:50:79:a0
> > -----BEGIN CERTIFICATE-----
> >
> > Anyhow: it fails:
> > 2008.12.31 17:51:07 LOG4[13056:1073809760]: VERIFY ERROR: depth=0,
> > error=unable to get local issuer
> > certificate: /C=DE/ST=Germany/O=vbox4php/OU=stunnel/CN=
> > boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
> > 2008.12.31 17:51:07 LOG3[13056:1073809760]: SSL_accept: 140890B2:
> > error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> > returned
> >
> > With strace I can see the the key and the cert is OK on the client side:
> > (I assume that it is only read once):
> >
> > [pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
> > [pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
> > [pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
> > MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
> > [pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
> > [pid 11829] read(4, "VQQDEwJERTEkMCIGCSqGSIb3\nDQEJARY"..., 4096) = 1425
> > [pid 11829] read(4, "", 4096) = 0
> > [pid 11829] close(4) = 0
> > [pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
> > [pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31
> > 17:52:56 LOG7[11829:140253752059616]: Certificate loaded
> > ) = 68
> > [pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 902008.12.31
> > 17:52:56 LOG7[11829:140253752059616]: Key
> > file: /etc/stunnel/stunnelserver.pem
> > ) = 90
> > [pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
> > [pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
> > [pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
> > MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
> > [pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
> > [pid 11829] close(4) = 0
> > [pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
> > [pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31
> > 17:52:56 LOG7[11829:140253752059616]: Private key loaded
> >
> >
> > While I see in the clients logfile:
> > SSL state (connect): SSLv3 flush data
> > SSL alert (read): fatal: bad certificate
> > SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> > alert
> > bad certificate
> > Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
> >
> >
> > Strange!
> >
> >
> > One more hint?
> > --
> >
> > |Michael Renner E-mail: michael.renner at gmx.de |
> > |D-81541 Munich Germany ICQ: #112280325 |
> > |Germany Don't drink as root! ESC:wq
--
|Michael Renner E-mail: michael.renner at gmx.de |
|D-81541 Munich Germany ICQ: #112280325 |
|Germany Don't drink as root! ESC:wq
More information about the stunnel-users
mailing list