[stunnel-users] Using stunnel for TLS with Geotrust cert?

Jon Bogaty jbogaty at classpass.com
Mon Mar 28 18:46:28 CEST 2016


And sorry for the flood, but this is somewhat important. There has to
be at least some level of verification, e.g. if mysql was connecting
bare it would still need to at least handshake and verify it's not
some random attacker connecting to the proxy. But I feel like stunnel
to stunnel would work, it's just something in the verification that I
need to fix. If I take out verification completely (e.g. delete verify)
then I can connect, although at that point so could anybody.

On Mon, Mar 28, 2016 at 12:41 PM, Jon Bogaty <jbogaty at classpass.com> wrote:
> As a follow-up:
>
> It's definitely much happier having the cafile but it's still giving
> me handshake problems regardless of the verification level. I'm using
> exactly the same certificates for both server and client and on the
> server-side getting:
>  SSL_accept: 14094416: error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>
> And on the client-side, things like:
>  CERT: Certificate not found in local repository
>
> Which is to me peculiar, because I'm using exactly the same
> certificates, same DH, etc...
>
> Thank you for all your help with this!
>
> On Mon, Mar 28, 2016 at 11:04 AM, Jon Bogaty <jbogaty at classpass.com> wrote:
>> Ideally what I'd love to do is enable developers to be able to connect
>> their remote apps to the database proxy *without* the client-side
>> handshake, but I was honestly not aware it was possible. So the ideal
>> would be:
>>
>> Remote app connects directly via mysql driver to stunnel on port 3307,
>> encrypted with TLS
>> stunnel forwards the connection to the proxy on 3306
>>
>> If that is possible without maintaining a connection stunnel to
>> stunnel that would be beyond awesome, I'm just totally failing to see
>> how to accomplish it!
>>
>> One thing I did find though is the root cert for geotrust so I'm
>> running tests now to see if that helps or at least generates new info.
>> Based on your feedback I'm testing the following:
>> cert = /etc/stunnel/stunnel.pem
>> cafile = /etc/stunnel/GeoTrust_Global_CA.pem
>>
>> verify = 3
>>
>> On Mon, Mar 28, 2016 at 10:58 AM, Michał Trojnara
>> <Michal.Trojnara at stunnel.org> wrote:
>>>
>>> On 28.03.2016 16:27, Jon Bogaty wrote:
>>>> The issue is when I setup everything on the server and try to
>>>> connect with a client I either get for "verify 2" warnings about
>>>> MiTM authentication problems, or for "verify 3" or "verify 4",
>>>> which should disable CA checking altogether to my understanding,
>>>> "Please specify CApath".
>>>
>>> Verify levels 3 and 4 do *not* disable certificate verification.
>>> Verify level 3 requires the peer certificate in your CAfile.
>>> Verify level 4 *only* requires the peer certificate.
>>>
>>> Are you sure you want to enable peer certificate (i.e. client
>>> certificate) verification in your SSL server configuration?
>>>
>>> Best regards,
>>>         Mike
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
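The distinction Michał draws between verify levels is what produces the client-side "CERT: Certificate not found in local repository" error above: at verify = 3 stunnel looks for the peer's own certificate in CAfile, so a CAfile holding only GeoTrust_Global_CA.pem (the issuer, not the peer) fails even though the chain is valid. The following stdlib-only Python is an added illustration of that "local repository" check, not stunnel's own code; the PEM blobs are constructed stand-ins, not real certificates, and the function names are my own.

```python
import base64
import hashlib
import re

# A CAfile is a concatenation of PEM blocks; tolerate blank lines and CRLF between them.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_bundle_to_der(bundle: str) -> list[bytes]:
    """Return the DER bytes of every certificate found in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_RE.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER encoding; two PEM files are the same cert iff these match."""
    return hashlib.sha256(der).hexdigest()


def cert_in_local_repository(peer_pem: str, cafile_pem: str) -> bool:
    """Model of verify = 3: the peer certificate itself must be present in CAfile.

    Chain validity is irrelevant here; a CAfile that only contains the issuing
    root (e.g. GeoTrust_Global_CA.pem) does not contain the peer's stunnel.pem
    certificate and so fails this lookup. (verify = 4 skips the lookup entirely.)
    """
    peers = pem_bundle_to_der(peer_pem)
    if len(peers) != 1:
        raise ValueError("expected exactly one peer certificate")
    repository = {fingerprint(der) for der in pem_bundle_to_der(cafile_pem)}
    return fingerprint(peers[0]) in repository


def _constructed_pem(payload: bytes) -> str:
    """Wrap constructed bytes as a PEM block (stand-in for a real certificate)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: a stand-in root CA and a stand-in peer (stunnel.pem) certificate.
ROOT_CA_PEM = _constructed_pem(b"constructed stand-in for GeoTrust_Global_CA.pem " * 3)
PEER_PEM = _constructed_pem(b"constructed stand-in for the peer stunnel.pem certificate " * 3)


def demo() -> tuple[bool, bool]:
    """Return (accepted with CAfile = root only, accepted with CAfile = root + peer cert)."""
    only_root = cert_in_local_repository(PEER_PEM, ROOT_CA_PEM)            # False
    root_and_peer = cert_in_local_repository(PEER_PEM, ROOT_CA_PEM + PEER_PEM)  # True
    return only_root, root_and_peer
```

Appending the peer's certificate to CAfile is what makes verify = 3 succeed; if the goal is simply to let remote clients connect without presenting a certificate, the server side should not enable client-certificate verification at all, as Michał's question implies.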