[stunnel-users] PSK, verifying the client
Małgorzata Olszówka
Malgorzata.Olszowka at stunnel.org
Thu Apr 6 12:21:00 CEST 2017
> Is it possible to verify the client using PSK?
>
> On the stunnel server I specify a PSKsecrets file with two lines in it,
> one for client01 and one for client02. The secret is about 36
> characters long.
>
> On a client, I have a similar PSKsecrets file, but only containing the
> client01 line.
>
> Now, if I try to connect with, say, a client03, i.e., any client that
> does not have a matching line in the server's PSKsecrets file, how can I
> assure that the client connection will be rejected?
>
> What I'd like to see would be the following: any client that tries to
> connect, and does not present a PSK that is present in the server's
> PSKsecrets file, then that client's connection request is rejected, with
> an appropriate message logged.
>
> Can I do that with the current stunnel?
>
Hello Mike,
In the log messages on the server you can find some information about
accepted or rejected connections, e.g.:
for connected client:
2017.04.06 05:23:55 LOG5[2841]: Service [PSK server] accepted connection
from 10.10.10.11:48280
2017.04.06 05:23:55 LOG5[2841]: Key configured for PSK identity "test1"
2017.04.06 05:23:55 LOG5[2841]: Connection closed: 57 byte(s) sent to
TLS, 0 byte(s) sent to socket
for rejected client that doesn’t have the correct secret:
2017.04.06 05:24:03 LOG3[2845]: SSL_accept: 1408F119: error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
2017.04.06 05:24:03 LOG5[2845]: Connection reset: 0 byte(s) sent to TLS,
0 byte(s) sent to socket
for rejected client that doesn’t have any secret:
2017.04.06 05:24:24 LOG3[2846]: SSL_accept: 1408A0C1: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher
2017.04.06 05:24:24 LOG5[2846]: Connection reset: 0 byte(s) sent to TLS,
0 byte(s) sent to socket
Regards,
Małgorzata
More information about the stunnel-users
mailing list