[stunnel-users] Configuring stunnel to use p12 and p7b in client mode

Eduard Witteveen eduard at nergens.org
Sat Mar 14 12:26:04 CET 2009


Pierre and List, 

Thanks for the answer. Maybe i wasn't clear enough in my question:
	1 - I have a p12 and p7b file, which work in firefox and
	iexplore.
	2 - I want to setup a tunnel, so the encryption is done by
	stunnel and not by the browser(so i can 'talk' normal http for
	soap)

Removing the password sounds like a good idea, so i started with this.
However, somehow my openssl doesnt know the command pkey. (as mentioned:
http://www.openssl.org/docs/apps/pkey.html)

> $ openssl pkey
> openssl:Error: 'pkey' is an invalid command.
> openssl version
> OpenSSL 0.9.8g 19 Oct 2007
And
> openssl.exe pkey
> openssl:Error: 'pkey' is an invalid command.
> openssl version
> OpenSSL 0.9.8i 15 Sept 2008

I searched the net for the error message, but i couldnt find a solution
(i did find more questions regarding this on mailinglists)



On Thu, 2009-03-12 at 08:21 +0100, delaage.pierre at free.fr wrote:
> Selon Eduard Witteveen <eduard at nergens.org>:
> Hello,
> In such case a definitive solution is to remove password protection of the
> private key, although it is not good for your security, so be careful.
> See info at openssl.org :
> http://www.openssl.org/docs/apps/pkey.html#EXAMPLES
> 
> "...
> To remove the pass phrase on an RSA private key:
> 
>  openssl pkey -in key.pem -out keyout.pem
> ..."
> 
> and then regenerate a p12 file for your browsers.
> 
> I do not know ways to specify the password in stunnel, but I think this should
> not be a good idea.
> Anyway ie and firefox should be able to cache your password at least for a
> session, so...
> 
> Yours sincerely,
> Pierre Delaage
> 
> > Hello,
> >
> > I'm trying to get stunnel running on my local system, so it will connect
> > to the remote a host, which requires authentication with this p12
> > file(with password). I also have the chain of trust which is in the p7b
> > file.
> >
> > The reason why i want to do this, is that the remote host exposes a soap
> > interface by https, and i think it would be a good idea to tunnel the
> > communications with stunnel, so a transparant configuration can be used.
> > Also, this would mean there is no configuration needed for the browser
> > anymore, since it can connect to the localhost instead of to the
> > remoteserver.
> >
> > I've tested the p12(certificate PKCS12?) and (trust chain PKCS7?) files
> > with internet explorer and firefox. They work(i can browse the
> > remotehost), but i still have to enter the password.
> >
> > I've converted the p12 and p7b files into dem files with the following
> > commands:
> >
> > > openssl pkcs12 -in certificate.p12 -out certificate.pem
> > > Enter Import Password:
> > > MAC verified OKK
> > > Enter PEM pass phrase:
> > > Verifying - Enter PEM pass phrase
> >
> > firefox: store as PEM with chain
> > 	chain.p7b --> chain.pem
> >
> > Config:
> > > key=certificate.pem
> > > CAfile=chain.pem
> > > client=yes
> > > debug=7
> > > output=stunnel.log
> > > verify=1
> > > [http]
> > > accept=80
> > > connect=www.remoteserver.com:443
> > > TIMEOUTclose=0
> >
> > Command:
> > > sudo /usr/bin/stunnel4 stunnel.conf
> >
> > Error:
> > > 009.03.11 00:58:10 LOG5[30424:3082909360]: Threading:PTHREAD
> > > SSL:ENGINE
> > > Sockets:POLL,IPv6 Auth:LIBWRAP
> > > 2009.03.11 00:58:10 LOG6[30424:3082909360]: file ulimit = 1024 (can be
> > > changed with 'ulimit -n')
> > > 2009.03.11 00:58:10 LOG6[30424:3082909360]: poll() used - no
> > > FD_SETSIZE
> > > limit for file descriptors
> > > 2009.03.11 00:58:10 LOG5[30424:3082909360]: 500 clients allowed
> > > 2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 10 in non-blocking mode
> > > 2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 11 in non-blocking mode
> > > 2009.03.11 00:58:10 LOG7[30424:3082909360]: FD 12 in non-blocking mode
> > > 2009.03.11 00:58:10 LOG7[30424:3082909360]: SO_REUSEADDR option set on
> > > accept socket
> > > 2009.03.11 00:58:10 LOG7[30424:3082909360]: http bound to 0.0.0.0:80
> > > 2009.03.11 00:58:10 LOG7[30430:3082909360]: Created pid file
> > > /var/run/stunnel4.pid
> > >
> > > 2009.03.11 00:58:20 LOG7[30430:3082909360]: http accepted FD=13 from
> > > 127.0.0.1:59793
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: http started
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 13 in non-blocking mode
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: Waiting for a libwrap
> > > process
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: Acquired libwrap process
> > > #0
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: Releasing libwrap process
> > > #0
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: Released libwrap process
> > > #0
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: http permitted by libwrap
> > > from
> > > 127.0.0.1:59793
> > > 2009.03.11 00:58:20 LOG5[30430:3082738576]: http accepted connection
> > > from
> > > 127.0.0.1:59793
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: FD 14 in non-blocking mode
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: http connecting
> > > ${REMOTESERVER_IP}:443
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: waiting 10
> > > seconds
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: connect_wait: connected
> > > 2009.03.11 00:58:20 LOG5[30430:3082738576]: http connected remote
> > > server
> > > from 10.0.2.15:38710
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: Remote FD=14 initialized
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect):
> > > before/connect initialization
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3
> > > write
> > > client hello A
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL state (connect): SSLv3
> > > read
> > > server hello A
> > > 2009.03.11 00:58:20 LOG4[30430:3082738576]: VERIFY ERROR: depth=0,
> > > error=unable to get local issuer certificate: ${UNIQUE NAME}
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: SSL alert (write): fatal:
> > > bad
> > > certificate
> > > 2009.03.11 00:58:20 LOG3[30430:3082738576]: SSL_connect: 14090086:
> > > error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> > > verify
> > > failed
> > > 2009.03.11 00:58:20 LOG5[30430:3082738576]: Connection reset: 0 bytes
> > > sent
> > > to SSL, 0 bytes sent to socket
> > > 2009.03.11 00:58:20 LOG7[30430:3082738576]: http finished (0 left)
> > (${UNIQUE NAME} / ${REMOTESERVER_IP} were replaced)
> >
> > Tested by connecting the browser to http://127.0.0.1:80/
> >
> > How can i get stunnel to redirect http://127.0.0.1:80/ to
> > http://remoteserver:443/ and use the certificate and chain to validate
> > the connection? Any pointers would also be welcome, since i searched in
> > google but i cannot find the correct information, while one would expect
> > that this is not the first time that this is being tried.
> >
> > Thanks,
> >
> > Eduard Witteveen
> >
> > _______________________________________________
> > stunnel-users mailing list
> > stunnel-users at mirt.net
> > http://stunnel.mirt.net/mailman/listinfo/stunnel-users
> >
> 
> 




More information about the stunnel-users mailing list