[stunnel-users] PSK, verifying the client

[Małgorzata Olszówka]

> Is it possible to verify the client using PSK?
>
> On the stunnel server I specify a PSKsecrets file with two lines in it,
> one for client01 and one for client02.  The secret is about 36
> characters long.
>
> On a client, I have a similar PSKsecrets file, but only containing the
> client01 line.
>
> Now, if I try to connect with, say, a client03, i.e., any client that
> does not have a matching line in the server's PSKsecrets file, how can I
> assure that the client connection will be rejected?
>
> What I'd like to see would be the following: any client that tries to
> connect, and does not present a PSK that is present in the server's
> PSKsecrets file, then that client's connection request is rejected, with
> an appropriate message logged.
>
> Can I do that with the current stunnel?
>

Hello Mike,
In the log messages on the server you can find some information about 
accepted or rejected connections, e.g.:

for connected client:
2017.04.06 05:23:55 LOG5[2841]: Service [PSK server] accepted connection 
from 10.10.10.11:48280
2017.04.06 05:23:55 LOG5[2841]: Key configured for PSK identity "test1"
2017.04.06 05:23:55 LOG5[2841]: Connection closed: 57 byte(s) sent to 
TLS, 0 byte(s) sent to socket

for rejected client that doesn’t have the correct secret:
2017.04.06 05:24:03 LOG3[2845]: SSL_accept: 1408F119: error:1408F119:SSL 
routines:SSL3_GET_RECORD:decryption failed or bad record mac
2017.04.06 05:24:03 LOG5[2845]: Connection reset: 0 byte(s) sent to TLS, 
0 byte(s) sent to socket

for rejected client that doesn’t have any secret:
2017.04.06 05:24:24 LOG3[2846]: SSL_accept: 1408A0C1: error:1408A0C1:SSL 
routines:ssl3_get_client_hello:no shared cipher
2017.04.06 05:24:24 LOG5[2846]: Connection reset: 0 byte(s) sent to TLS, 
0 byte(s) sent to socket

Regards,
Małgorzata