[stunnel-users] Problem with the client certificate

Michael Renner michael.renner at gmx.de
Sat Dec 27 20:55:01 CET 2008


Moin,

it seems that I understood something wrong with stunnel client certificates.
First of all: until now I have run stunnel 4.18 and stunnel 4.21 on Debian and 
Kubuntu without client certificates (successfully). I use it to reach a  
proprietary application through an untrusted network.

Now, I want the clients to authenticate against the server. Therefore, as a 
quick and dirty test, I used the same stunnel.pem file at the server and at 
the client side. The configuration at the server side (where the application 
is waiting for connections, in this example it is just a script) looks like 
this:
cert = /etc/stunnel/stunnel.pem
#chroot = /var/run/stunnel/
pid = /tmp/stunnel.pid
setuid = nobody
setgid = nogroup
output = /var/log/stunnel4.log
exec = /root/stest.sh
verify = 1
[BreakOut]
accept = 192.168.0.1:443

Here is the configuration at the client side, where a browser establishes a 
connection:
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 0
debug = 7
output = /var/log/stunnel4/stunnel.log
client = yes
[BreakOut]
accept = 127.0.0.1:8080
connect = 192.168.0.1:443

First of all: is it right to set 'verify = 1' at the server side, and 'verify 
= 0' at the client side? It seems right to me, because the client should 
authenticate, but not the other way.

Anyhow: as soon as a connection is opened using this configuration, it 
terminates within the same second.
renner at mars:~$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

In the clients logfile I see
SSL state (connect): before/connect initialization
SSL state (connect): SSLv3 write client hello A
SSL state (connect): SSLv3 read server hello A
VERIFY IGNORE: 
depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
VERIFY OK: 
depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
VERIFY IGNORE: 
depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
VERIFY OK: 
depth=0, /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
SSL state (connect): SSLv3 read server certificate A
SSL state (connect): SSLv3 read server certificate request A
SSL state (connect): SSLv3 read server done A
SSL state (connect): SSLv3 write client certificate A
SSL state (connect): SSLv3 write client key exchange A
SSL state (connect): SSLv3 write certificate verify A
SSL state (connect): SSLv3 write change cipher spec A
SSL state (connect): SSLv3 write finished A
SSL state (connect): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
BreakOut finished (0 left)

And, more interesting, at the server side:

BreakOut connected from 84.57.55.105:57987
VERIFY ERROR: depth=0, error=self signed certificate: /C=DE/ST=Germany/L=Munich/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

Is something wrong with my self-signed certificate? In my first tests I used 
one that I made with tinyCA; another was made according to 
http://www.stunnel.org/faq/certs.html:
* openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
* openssl gendh 512 >> stunnel.pem
* openssl rsa -in stunnel.pem -out new.pem
* edit new.pem, merge some parts with stunnel.pem and rename it

Any hint?

Thanks
-- 
|Michael Renner      E-mail: michael.renner at gmx.de  |
|D-81541 Munich      Germany        ICQ: #112280325 |
|Germany             Don't drink as root!      ESC:wq
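The setup the post is working towards, as an added example that is not code from the post or from the stunnel project. The stunnel manual defines the verify levels as 1 = verify the peer certificate if one is present, 2 = verify the peer certificate, 3 = verify the peer against a locally installed certificate; at level 1 stunnel still runs the X.509 chain check whenever the client does send a certificate, so a self-signed certificate that is not in CAfile/CApath fails it, which is what the server's "VERIFY ERROR: ... self signed certificate" line reports. The script below builds a small CA, a server certificate and a client certificate with openssl(1), reproduces that chain check with `openssl verify` (self-signed versus the CA fails; CA-signed passes; self-signed passes only when the certificate itself is the trust store, the verify = 3 case), and writes a server and a client stunnel configuration that use verify = 2 with CAfile. The CA name "demo CA", the client CN "client01", the per-run work directory from mktemp instead of /etc/stunnel, and the helper names are all assumptions for the demo; the openssl invocations themselves are standard. It needs openssl and a POSIX shell.

```sh
#!/bin/sh
# Added example, not from the original post or from stunnel itself: CA, server and
# client certificates via openssl(1), the chain check a stunnel server applies to a
# client certificate, and stunnel configs for mutual authentication.
# File names, subjects, ports and the work directory are assumptions for the demo.
set -eu

SUBJ_BASE="/C=DE/O=vbox4php/OU=stunnel"   # assumed subject prefix, mirrors the post

# make_ca DIR: self-signed CA (key + cert) that will sign the server and client certs
make_ca() {
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "$SUBJ_BASE/CN=demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_signed DIR NAME CN: key + CSR, signed by the CA. NAME.pem holds key and cert
# together, the single-file layout that stunnel's cert= option reads.
make_signed() {
    openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJ_BASE/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.crt" 2>/dev/null
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

# make_selfsigned DIR NAME CN: what the post's 'openssl req -new -x509' produces,
# a certificate that is its own issuer and chains to nothing else.
make_selfsigned() {
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 -subj "$SUBJ_BASE/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

# chains_to CAFILE CERT: exit 0 when CERT verifies against the trust store CAFILE.
# This is the X.509 chain check stunnel applies to a presented peer certificate at
# verify >= 1; a self-signed peer cert absent from CAfile/CApath fails it with
# "self signed certificate", exactly the server-side error in the post.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# write_server_conf DIR: server side, requires and verifies the client certificate
write_server_conf() {
    cat > "$1/server.conf" <<EOF
cert = $1/server.pem
CAfile = $1/ca.pem
verify = 2
[BreakOut]
accept = 192.168.0.1:443
exec = /root/stest.sh
EOF
}

# write_client_conf DIR: client side, presents its own cert and verifies the server
write_client_conf() {
    cat > "$1/client.conf" <<EOF
client = yes
cert = $1/client.pem
CAfile = $1/ca.pem
verify = 2
[BreakOut]
accept = 127.0.0.1:8080
connect = 192.168.0.1:443
EOF
}

# report LABEL CAFILE CERT: one line "LABEL=ok" or "LABEL=fail"
report() {
    if chains_to "$2" "$3"; then echo "$1=ok"; else echo "$1=fail"; fi
}

# demo DIR: build everything and print the three chain-check outcomes
demo() {
    make_ca "$1"
    make_signed "$1" server boulder.vbox4php.org
    make_signed "$1" client client01
    make_selfsigned "$1" lone client01
    write_server_conf "$1"
    write_client_conf "$1"
    report ca-signed-client      "$1/ca.pem"   "$1/client.crt"   # verify = 2 case
    report self-signed-vs-ca     "$1/ca.pem"   "$1/lone.crt"     # the post's failure
    report self-signed-installed "$1/lone.crt" "$1/lone.crt"     # verify = 3 case
}

if [ "${1:-}" = "run" ]; then demo "$(mktemp -d)"; fi
```

Run it as `sh mutual-tls-demo.sh run`; the directory it prints into can then be copied under /etc/stunnel with the paths in the two .conf files adjusted. The client config verifies the server as well (verify = 2 with the same CAfile) rather than the post's verify = 0, because once a CA exists there is no reason to leave the tunnel open to a server impersonation on the untrusted network.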