[stunnel-users] Configuring stunnel to use p12 and p7b in client mode

Eduard Witteveen eduard at nergens.org
Wed Mar 11 01:09:09 CET 2009


Hello,

I'm trying to get stunnel running on my local system, so it will connect
to a remote host which requires authentication with this p12
file (with password). I also have the chain of trust, which is in the p7b
file.

The reason why I want to do this is that the remote host exposes a SOAP
interface over https, and I think it would be a good idea to tunnel the
communications with stunnel, so a transparent configuration can be used.
Also, this would mean there is no configuration needed for the browser
anymore, since it can connect to localhost instead of to the
remote server.

I've tested the p12 (certificate PKCS12?) and p7b (trust chain PKCS7?) files
with Internet Explorer and Firefox. They work (I can browse the
remote host), but I still have to enter the password.

I've converted the p12 and p7b files into PEM files with the following
commands:

> openssl pkcs12 -in certificate.p12 -out certificate.pem
> Enter Import Password:
> MAC verified OKK
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase

Firefox: store as PEM with chain
	chain.p7b --> chain.pem

Config:
> key=certificate.pem
> CAfile=chain.pem
> client=yes
> debug=7
> output=stunnel.log
> verify=1
> [http]
> accept=80
> connect=www.remoteserver.com:443
> TIMEOUTclose=0

Command:
> sudo /usr/bin/stunnel4 stunnel.conf

Error:
> 009.03.11 00:58:10 LOG5[30424:3082909360]: Threading:PTHREAD
> SSL:ENGINE
> Sockets:POLL,IPv6 Auth:LIBWRAP
> 2009.03.11 00:58:10 LOG6[30424:3082909360]: file ulimit = 1024 (can be
> changed with 'ulimit -n')
> 2009.03.11 00:58:10 LOG6[30424:3082909360]: poll() used - no
> FD_SETSIZE
> limit for file descriptors
> 2009.03.11 00:58:10 LOG5[30424:3082909360]: 500 clients allowed
> 2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 10 in non-blocking mode
> 2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 11 in non-blocking mode
> 2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 12 in non-blocking mode
> 2009.03.11 00:58:10 LOG7[30424:3082909360]: SO_REUSEADDR option set on
> accept socket
> 2009.03.11 00:58:10 LOG7[30424:3082909360]: http bound to 0.0.0.0:80
> 2009.03.11 00:58:10 LOG7[30430:3082909360]: Created pid file
> /var/run/stunnel4.pid
> 
> 2009.03.11 00:58:20 LOG7[30430:3082909360]: http accepted FD=13 from
> 127.0.0.1:59793
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: http started
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 13 in non-blocking mode
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: Waiting for a libwrap
> process
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: Acquired libwrap process
> #0
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: Releasing libwrap process
> #0
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: Released libwrap process
> #0
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: http permitted by libwrap
> from
> 127.0.0.1:59793
> 2009.03.11 00:58:20 LOG5[30430:3082738576]: http accepted connection
> from
> 127.0.0.1:59793
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 14 in non-blocking mode
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: http connecting
> ${REMOTESERVER_IP}:443
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: waiting 10
> seconds
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: connected
> 2009.03.11 00:58:20 LOG5[30430:3082738576]: http connected remote
> server
> from 10.0.2.15:38710
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: Remote FD=14 initialized
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect):
> before/connect initialization
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3
> write
> client hello A
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3
> read
> server hello A
> 2009.03.11 00:58:20 LOG4[30430:3082738576]: VERIFY ERROR: depth=0,
> error=unable to get local issuer certificate: ${UNIQUE NAME}
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL alert (write): fatal:
> bad
> certificate
> 2009.03.11 00:58:20 LOG3[30430:3082738576]: SSL_connect: 14090086:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify
> failed
> 2009.03.11 00:58:20 LOG5[30430:3082738576]: Connection reset: 0 bytes
> sent
> to SSL, 0 bytes sent to socket
> 2009.03.11 00:58:20 LOG7[30430:3082738576]: http finished (0 left) 
(${UNIQUE NAME} / ${REMOTESERVER_IP} were replaced)

Tested by connecting the browser to http://127.0.0.1:80/

How can I get stunnel to redirect http://127.0.0.1:80/ to
http://remoteserver:443/ and use the certificate and chain to validate
the connection? Any pointers would also be welcome, since I searched on
Google but cannot find the correct information, while one would expect
that this is not the first time this has been tried.

Thanks,

Eduard Witteveen
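An added check, not part of the original post: the "VERIFY ERROR: depth=0, error=unable to get local issuer certificate" line in the log is OpenSSL saying that the file given as CAfile does not contain the issuer of the server's certificate, and `openssl verify` reproduces that check offline before stunnel is involved. The script below builds a throwaway CA and server certificate (constructed test data, not the poster's files), packages the CA as a .p7b the way a chain.p7b is delivered, converts it to PEM with `openssl pkcs7 -print_certs`, and shows the verify outcome with the right chain and with a chain that lacks the issuer; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: reproduce stunnel's CAfile check with openssl(1) alone.
set -e
WORK=$(mktemp -d)

make_test_pki() {
  # Constructed test data: a self-signed CA and a server certificate it signs.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.remoteserver.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/server.pem" 2>/dev/null
  # An unrelated CA stands in for a chain file that lacks the real issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  # Bundle each CA as PKCS#7 (.p7b), the format the post starts from.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -out "$WORK/chain.p7b"
  openssl crl2pkcs7 -nocrl -certfile "$WORK/other.pem" -out "$WORK/wrong.p7b"
}

# p7b_to_pem <in.p7b> <out.pem>: extract the certificates from a .p7b as PEM,
# which is the form stunnel's CAfile option expects.
p7b_to_pem() {
  openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# chain_ok <server.pem> <chain.pem>: print "ok" when the server certificate
# verifies against the chain, otherwise the OpenSSL reason stunnel would log.
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    openssl verify -CAfile "$2" "$1" 2>&1 \
      | grep -o 'unable to get local issuer certificate' || echo fail
  fi
}

make_test_pki
p7b_to_pem "$WORK/chain.p7b" "$WORK/chain.pem"
p7b_to_pem "$WORK/wrong.p7b" "$WORK/wrong.pem"
echo "right chain: $(chain_ok "$WORK/server.pem" "$WORK/chain.pem")"
echo "wrong chain: $(chain_ok "$WORK/server.pem" "$WORK/wrong.pem")"
```

Running the same `openssl verify` with the real chain.pem against the certificate the remote server presents tells you whether CAfile is complete before touching the stunnel configuration.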
