[stunnel-users] Authenticate both client and server?
Kārlis Repsons
repsons at gmail.com
Fri Nov 20 15:17:53 CET 2009
Maks, Ludolf, others,
Still I can't figure out whats wrong. Here is what I did:
0) there is root-ca.crt, server.crt, client.crt in /etc/ssl/certs on both client and server.
1-3 on both client and server:
1)
cd=/etc/stunnel/certs
mkdir $cd
cd $cd
openssl x509 -in /etc/ssl/certs/root-ca.crt -out root-ca.pem
openssl x509 -in /etc/ssl/certs/server.crt -out server.pem
openssl x509 -in /etc/ssl/certs/client.crt -out client.pem
(note: *.crt have cleartext at top, so I extract to *.pem)
2)
c_rehash .
Doing .
root-ca.pem => c95040a3.0
server.pem => 61745f30.0
client.pem => b638178e.0
3)
openssl verify -CApath . root-ca.pem
root-ca.pem: OK
openssl verify -CApath . server.pem
server.pem: OK
openssl verify -CApath . client.pem
client.pem: OK
4) on server:
nano service.conf:
"
cert = /etc/stunnel/certs/server.pem
key = /etc/ssl/private/server.pr
CApath = /etc/stunnel/certs/
client = no
verify = 3
"
5) on client:
nano service.conf:
"
cert = /etc/stunnel/certs/client.pem
key = /etc/ssl/private/client.pr
CApath = /etc/stunnel/certs
client = yes
verify = 3
"
6) start service on both server and client
7) try using tunnel, which previously worked well without 'verify = '
8) Bum into these log fragments:
"
Nov 20 13:12:15 client stunnel: LOG5[14540:140719468754672]: Peer certificate location /etc/stunnel/certs
Nov 20 13:12:15 client stunnel: LOG5[14540:140719468754672]: stunnel 4.27 on x86_64-pc-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
Nov 20 13:12:15 client stunnel: LOG5[14540:140719468754672]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
Nov 20 13:12:15 client stunnel: LOG5[14540:140719468754672]: 500 clients allowed
Nov 20 13:12:35 client stunnel: LOG5[14547:140719468951888]: service accepted connection from 127.0.0.1:37556
Nov 20 13:12:35 client stunnel: LOG5[14547:140719468951888]: connect_blocking: connected 192.168.5.31:5874
Nov 20 13:12:35 client stunnel: LOG5[14547:140719468951888]: service connected remote server from 192.168.5.32:58151
Nov 20 13:12:35 client stunnel: LOG4[14547:140719468951888]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=LV/O=11.lv/CN=server
Nov 20 13:12:35 client stunnel: LOG3[14547:140719468951888]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Nov 20 13:12:35 client stunnel: LOG5[14547:140719468951888]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"
"
Nov 20 13:11:16 server stunnel: LOG5[7688:1342130912]: Peer certificate location /etc/stunnel/certs/
Nov 20 13:11:16 server stunnel: LOG5[7688:1342130912]: stunnel 4.27 on i686-pc-linux-gnu with OpenSSL 0.9.8k 25 Mar 2009
Nov 20 13:11:16 server stunnel: LOG5[7688:1342130912]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
Nov 20 13:11:16 server stunnel: LOG5[7688:1342130912]: 500 clients allowed
Nov 20 13:12:35 server stunnel: LOG5[7695:1342004112]: service accepted connection from 192.168.5.32:58151
Nov 20 13:12:35 server stunnel: LOG3[7695:1342004112]: SSL_accept: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Nov 20 13:12:35 server stunnel: LOG5[7695:1342004112]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
"
I also tried with adding root-ca.pem to the bottom of server and
client .pem, but the same bum. Do you have any idea at this point?
Why doesn't stunnel man page mentions a single word 'ln' or 'link'?
Thanks for attention.
On Thursday 19 November 2009 22:02:02 Maks Kowalik wrote:
> I've just tested (on server's end) the config you asked about.
> 3 options were tried:
> a) create directory, create links to certs, run c_rehash on it
> b) create directory, create links to certs, create links to links created
> by c_rehash on original directory
> c) create directory, create links only to links created by c_rehash on
> original directory
> And afterall all of them were successful.
> No problem with copying this to list, but my thought was that we're mailing
> about things quite basic and well described in docs and example configs...
>
> Best regards,
> Maks Kowalik
> 2009/11/19 Kārlis Repsons <repsons at gmail.com>
>
> > Thanks for your kind reply!
> > There is, however, one more thing not clear - see below.
> >
> > On Thursday 19 November 2009 19:00:04 you wrote:
> > > Dear Kārlis,
> > > I'm running few stunnels configured the in the way you wrote about. The
> > > steps to setup are quite simple:
> > > 1. create directories where you put trusted certs:
> > > on server - you copy root-ca.crt and client.crt there
> > > on client - root-ca and server.crt
> > > Remember that if you're using chroot, this directory has to be in it to
> > > make those certs available for stunnel process
> > >
> > > 2. run c_rehash on this directory
> >
> > This one. Most likely this causes the problem, because I didn't do it.
> > Should this work: make special directory for trusted certs AND link there
> > those certs and their hashes.0?
> >
> > > 3. include theese lines in your stunnels' configs:
> > > cert = /path_to_the_cert_file (server.crt or client.crt)
> > > key = /path_to_the_key_file (server.key or client.key)
> > > verify = 3
> > > CApath = /path_to_trusted_certs_directory - relative to chroot
> > > directory I hope this would help somehow.
> >
> > Yes it did.
> > May I send a copy to list?
> >
> > > Best regards,
> > > Maks Kowalik
> > > 2009/11/19 Kārlis Repsons <repsons at gmail.com>
> > >
> > > > Dear stunnel programmers and users,
> > > >
> > > > first thanks for maintaining this piece of software, which I found
> > > > useful! I would like to reach some understanding about ssl certs
> > > > usage
> >
> > so
> >
> > > > it would be
> > > > possible to make both client and server to authenticate themselves.
> >
> > Could
> >
> > > > somebody briefly tell whats to be done, if I'd like to use the
> >
> > following
> >
> > > > (at
> > > > least similar) certs setup:
> > > >
> > > > root-ca.crt
> > > > *server.crt
> > > > *client.crt
> > > > (* signed by root-ca)
> > > >
> > > > Note, that root-ca private key is not available for server nor
> > > > client. Any help appreciated...
> > > > _______________________________________________
> > > > stunnel-users mailing list
> > > > stunnel-users at mirt.net
> > > > http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20091120/5ca8c157/attachment.sig>
More information about the stunnel-users
mailing list