[stunnel-users] stunnel and OCSP verification: strange behaviour

Andreas Ntaflos daff at pseudoterminal.org
Thu May 15 20:01:43 CEST 2008


Hi list, 

[My apologies, I accidentally tried to send this message to stunnel-announce 
earlier.]

I have a quick question regarding the use of stunnel with verification against 
an OCSP responder. I am using stunnel 4.20 and (for testing) 4.23 but I don't 
see any difference in the behaviour of both. 

The main problem is that stunnel accepts and establishes connections from 
clients even if those clients had their certificates revoked and the OCSP 
responder correctly informs stunnel about it.

Consider the following configuration:

foreground = yes
CAfile = /path/to/cacert.pem
cert = /path/to/stunnel_cert.pem
key = /path/to/stunnel_key.pem
debug = 7

[clientauth]
accept = localhost:43434
connect = localhost:43433
verify = 2
OCSP = http://localhost:43435

The OCSP responder runs on localhost:43435 as you can see. Client verification 
is enabled. Using openssl to manually check against the responder works fine:

openssl ocsp -issuer cacert.pem -CAfile cacert.pem -url \
  http://localhost:43435 -cert revoked_cert.pem

Response verify OK
/path/to/revoked_cert.pem: revoked
        This Update: May 15 15:38:46 2008 GMT
        Next Update: May 15 17:04:32 2008 GMT
        Revocation Time: May 15 15:38:26 2008 GMT

The relevant portion of stunnel's debug output looks like this:

[...]
Starting OCSP verification
FD 8 in non-blocking mode
connect_wait: waiting 10 seconds
connect_wait: connected
OCSP server connected
FD 8 in blocking mode
FD 8 in non-blocking mode
OCSP response received
OCSP verification passed: status=0, reason=-1208427072
VERIFY OK: depth=1, /CN=The CA/C=AT/ST=SomeState/L=SomeCity/O=The \
  Organisation/emailAddress=camaster at the-organisation.invalid
Starting OCSP verification
FD 8 in non-blocking mode
connect_wait: waiting 10 seconds
connect_wait: connected
OCSP server connected
FD 8 in blocking mode
FD 8 in non-blocking mode
OCSP response received
OCSP verification passed: status=1, reason=-1
VERIFY OK: depth=0, /C=AT/ST=SomeState/O=The Organisation/CN=this is a \
  revoked cert
SSL state (accept): SSLv3 read client certificate A
[...]

As far as I can see the OCSP verification works fine here, too, and at depth 0 
stunnel finds the certificate to have been revoked (status=1 indicates that, 
I believe). The connection, however, is not rejected.

Is there any way to have stunnel reject the connection when the client 
certificate has been revoked? Where would I configure this? The only way I 
have found yet was to patch src/verify.c but surely there must be a more 
convenient approach to this? 

On a related matter: if stunnel cannot and will not reject the connection upon 
a negative response from the OCSP, what would be the best way to script 
stunnel so that it rejects such a connection? I am asking because I am in the 
process of writing a few Python scripts that incorporate stunnel to aid in 
testing of some SSL-speaking components. Such a client component without a 
valid, non-revoked certificate must not be able to connect.

I mean what good is OCSP verification if the result of the process, i.e. the 
responder's answer "the certificate is valid" or "the certificate is no longer 
valid", doesn't matter to stunnel?

Am I missing the point somewhere?

I'd appreciate any insights on this.

Kind regards,

Andreas
-- 
Andreas "daff" Ntaflos
Vienna, Austria

GPG Fingerprint: 6234 2E8E 5C81 C6CB E5EC  7E65 397C E2A8 090C A9B4
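As an added example, not part of the message above nor stunnel's own code: a small Python check over stunnel debug output (debug = 7) that flags any certificate whose OCSP response status was not "good" (OpenSSL's V_OCSP_CERTSTATUS_GOOD is 0, REVOKED is 1, UNKNOWN is 2) but which stunnel nevertheless reported as VERIFY OK, which is exactly the gap described in the message. The log excerpt inside the block is constructed to mirror the quoted output, with a placeholder reason value.

```python
import re

# Constructed excerpt of stunnel debug output, mirroring the lines quoted
# in the message above (subjects shortened, reason values are placeholders).
SAMPLE_LOG = """\
Starting OCSP verification
OCSP response received
OCSP verification passed: status=0, reason=-1
VERIFY OK: depth=1, /CN=The CA/C=AT/O=The Organisation
Starting OCSP verification
OCSP response received
OCSP verification passed: status=1, reason=-1
VERIFY OK: depth=0, /C=AT/O=The Organisation/CN=this is a revoked cert
SSL state (accept): SSLv3 read client certificate A
"""

# OpenSSL OCSP certificate status codes (V_OCSP_CERTSTATUS_*).
OCSP_STATUS = {0: "good", 1: "revoked", 2: "unknown"}

OCSP_RE = re.compile(r"OCSP verification passed: status=(-?\d+)")
VERIFY_RE = re.compile(r"VERIFY (OK|FAILED): depth=(\d+), (.*)")


def find_accepted_non_good(log_text):
    """Return (depth, subject, status_name) for every certificate whose
    most recent OCSP status was not 'good' yet whose verification step
    still reported VERIFY OK.  An empty list means no such mismatch."""
    findings = []
    pending = None  # status from the latest "OCSP verification passed" line
    for line in log_text.splitlines():
        m = OCSP_RE.search(line)
        if m:
            pending = int(m.group(1))
            continue
        m = VERIFY_RE.search(line)
        if m and pending is not None:
            result, depth, subject = m.group(1), int(m.group(2)), m.group(3)
            name = OCSP_STATUS.get(pending, "unrecognised(%d)" % pending)
            if result == "OK" and pending != 0:
                findings.append((depth, subject, name))
            pending = None  # each VERIFY line consumes one OCSP result
    return findings


if __name__ == "__main__":
    for depth, subject, status in find_accepted_non_good(SAMPLE_LOG):
        print("depth=%d %s accepted with OCSP status %s" % (depth, subject, status))
```

Run against a live debug log, this gives a test harness an independent signal that a client with a revoked certificate was let through, rather than relying on the connection outcome alone.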