[stunnel-users] Problem with the client certificate
Michael Renner
michael.renner at gmx.de
Wed Dec 31 18:01:02 CET 2008
On Tuesday 30 December 2008, you wrote:
> Hello,
Happy new year!
> * are the permissions correct on your files :
> - key must belong to the user and have 0600 status (read only by the user)
> - cert must belong to the user.
I think the permissions are OK. The file is owned by root and loaded at the start:
Wrote 1024 new random bytes to /root/.rnd
RAND_status claims sufficient entropy for the PRNG
PRNG seeded successfully
Certificate: /etc/stunnel/stunnelclient.pem
Certificate loaded
Key file: /etc/stunnel/stunnelclient.pem
Private key loaded
SSL context initialized for service BreakOut
> * Is the content of the cert file of this form
>
> -----BEGIN CERTIFICATE-----
> certificate data here
> -----END CERTIFICATE-----
> ?
> and the content of the key file this form
> -----BEGIN RSA PRIVATE KEY-----
> key data here
> -----END RSA PRIVATE KEY-----
I made several files. According to http://www.stunnel.org/faq/certs.html#ToC5
I got a file with a certificate, an RSA key and a DH section (I removed the
password for the certificate).
According to http://www.stunnel.org/examples/client_cert.html I got a
different file: it has a certificate and an RSA section and between them
another section:
rcnyy/AbS1YPkdggJSnw+fqzg/L/QvQB6GTT5KWJzd0=
-----END RSA PRIVATE KEY-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5 (0x5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, ST=Germany, L=Munich, O=vbox4php, OU=Rektorat,
CN=DE/emailAddress=michael.renner at gmx.de
Validity
Not Before: Dec 28 20:37:19 2008 GMT
Not After : Dec 28 20:37:19 2009 GMT
Subject: C=DE, ST=Germany, O=vbox4php, OU=stunnel,
CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b1:05:47:7a:27:4f:19:2b:18:72:e3:3c:f6:a6:
.
.
2b:55:2d:c9:dc:96:55:14:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
TinyCA Generated Certificate
X509v3 Subject Key Identifier:
86:F6:1F:71:29:AA:A5:61:DF:B2:81:F2:34:3A:A6:9E:58:C8:6A:5E
X509v3 Authority Key Identifier:
keyid:72:68:1A:0C:9D:E9:93:81:07:E9:36:71:75:33:05:C6:70:35:01:BF
DirName:/C=DE/ST=Germany/L=Munich/O=vbox4php/OU=Rektorat/CN=DE/emailAddress=michael.renner at gmx.de
serial:BC:97:82:4E:E3:9F:FE:5A
X509v3 Issuer Alternative Name:
email:michael.renner at gmx.de
X509v3 Subject Alternative Name:
email:michael.renner at gmx.de
Signature Algorithm: sha1WithRSAEncryption
49:ef:06:aa:e5:71:b1:6e:23:87:02:9d:ce:56:e1:3b:77:5a:
.
.
41:93:92:ee:57:23:95:f3:99:62:27:6a:a4:b7:85:b4:92:86:
22:50:79:a0
-----BEGIN CERTIFICATE-----
Anyhow: it fails:
2008.12.31 17:51:07 LOG4[13056:1073809760]: VERIFY ERROR: depth=0,
error=unable to get local issuer
certificate: /C=DE/ST=Germany/O=vbox4php/OU=stunnel/CN=boulder.vbox4php.org/emailAddress=michael.renner at gmx.de
2008.12.31 17:51:07 LOG3[13056:1073809760]: SSL_accept: 140890B2:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned
With strace I can see that the key and the cert are OK on the client side (I
assume that it is only read once):
[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] read(4, "VQQDEwJERTEkMCIGCSqGSIb3\nDQEJARY"..., 4096) = 1425
[pid 11829] read(4, "", 4096) = 0
[pid 11829] close(4) = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31
17:52:56 LOG7[11829:140253752059616]: Certificate loaded
) = 68
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 902008.12.31
17:52:56 LOG7[11829:140253752059616]: Key
file: /etc/stunnel/stunnelserver.pem
) = 90
[pid 11829] open("/etc/stunnel/stunnelserver.pem", O_RDONLY) = 4
[pid 11829] fstat(4, {st_mode=S_IFREG|0600, st_size=5521, ...}) = 0
[pid 11829] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
MAP_ANONYMOUS, -1, 0) = 0x7f8f5f13b000
[pid 11829] read(4, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 4096
[pid 11829] close(4) = 0
[pid 11829] munmap(0x7f8f5f13b000, 4096) = 0
[pid 11829] write(2, "2008.12.31 17:52:56 LOG7[11829:1"..., 682008.12.31
17:52:56 LOG7[11829:140253752059616]: Private key loaded
While I see in the clients logfile:
SSL state (connect): SSLv3 flush data
SSL alert (read): fatal: bad certificate
SSL_connect: 14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
bad certificate
Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
Strange!
One more hint?
--
|Michael Renner E-mail: michael.renner at gmx.de |
|D-81541 Munich Germany ICQ: #112280325 |
|Germany Don't drink as root! ESC:wq
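The file-layout question raised in this thread (one PEM file carrying a private key, a certificate and a DH section, with an "openssl x509 -text" dump sitting between the blocks) is a common source of confusion, so here is an added example, not part of this thread and not stunnel's own code, that inspects such a file: it lists every PEM block, skips the free text between blocks the way OpenSSL's PEM reader does, flags a passphrase-protected key and non-base64 bodies, and reports whether both a certificate and a key are present. The sample PEM payloads are constructed placeholder bytes, not real keys or certificates. Note that the server-side "unable to get local issuer certificate" at depth 0 is a statement about the verifying side's CAfile/CApath (the CA that signed the presented certificate is not in it), not about the client's own cert/key file; the checker below only looks at the file itself.

```python
"""Inspect a combined PEM file of the kind stunnel's cert/key options point
at: list every PEM block, flag encrypted keys and bad base64, and report
whether a certificate and a private key are both present.  Added example,
not stunnel code.  Text outside BEGIN/END lines (for instance an
"openssl x509 -text" dump) is skipped, just as OpenSSL's PEM reader skips it.
"""
import base64
import binascii
import re

# One block: "-----BEGIN <type>-----", body, "-----END <same type>-----".
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_TYPES = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
             "ENCRYPTED PRIVATE KEY"}


def parse_pem_sections(text):
    """Return one dict per PEM block, in file order."""
    sections = []
    for match in BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = body.splitlines()
        headers = []
        # RFC 1421-style headers ("Proc-Type: 4,ENCRYPTED", "DEK-Info: ...")
        # precede the base64 data and are separated from it by a blank line.
        if lines and ":" in lines[0]:
            while lines and lines[0].strip():
                headers.append(lines.pop(0))
            if lines:
                lines.pop(0)          # the blank separator line
        raw = "".join("".join(lines).split())
        try:
            der = base64.b64decode(raw, validate=True)
            valid = True
        except (binascii.Error, ValueError):
            der, valid = b"", False
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        sections.append({"type": label, "der_len": len(der),
                         "valid_b64": valid, "encrypted": encrypted})
    return sections


def check_stunnel_pem(text):
    """Return findings about the file as an stunnel cert/key file; an empty
    list means nothing obviously wrong was found in the file itself."""
    sections = parse_pem_sections(text)
    findings = []
    if not any(s["type"] == "CERTIFICATE" for s in sections):
        findings.append("no CERTIFICATE block")
    if not any(s["type"] in KEY_TYPES for s in sections):
        findings.append("no private key block")
    for s in sections:
        if not s["valid_b64"]:
            findings.append("invalid base64 in %s block" % s["type"])
        if s["encrypted"]:
            findings.append("%s block is encrypted: stunnel will prompt for "
                            "the passphrase at startup" % s["type"])
    return findings


def _wrap_b64(data):
    """Base64-encode and wrap at 64 columns, as PEM writers do."""
    b64 = base64.b64encode(data).decode("ascii")
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


# Constructed sample payloads: arbitrary bytes, NOT real keys or certificates.
KEY_BYTES, CERT_BYTES, DH_BYTES = bytes(range(256)) * 2, bytes(202), bytes(64)

# Layout like the one discussed on the list: key, then an "openssl x509 -text"
# dump, then the certificate, then DH parameters.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n"
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n"
    % (_wrap_b64(KEY_BYTES), _wrap_b64(CERT_BYTES), _wrap_b64(DH_BYTES)))

# A passphrase-protected key and no certificate at all.
ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n%s\n"
    "-----END RSA PRIVATE KEY-----\n" % _wrap_b64(KEY_BYTES))

# A certificate block whose body is not base64 (e.g. a paste accident).
BROKEN_PEM = ("-----BEGIN CERTIFICATE-----\nthis is not base64!!\n"
              "-----END CERTIFICATE-----\n%s" % ENCRYPTED_PEM)

if __name__ == "__main__":
    for name, pem in (("sample", SAMPLE_PEM), ("encrypted", ENCRYPTED_PEM),
                      ("broken", BROKEN_PEM)):
        print(name, [(s["type"], s["der_len"]) for s in parse_pem_sections(pem)],
              check_stunnel_pem(pem) or "OK")
```

Run it against the real stunnel file with `check_stunnel_pem(open("/etc/stunnel/stunnel.pem").read())`; a non-empty result points at a problem in the file itself, while an empty result with a verify error in the server log means the problem is on the verifying side's trust store instead.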