[stunnel-users] ssl mutual authentication

Simon Santoro simon.santoro at gmail.com
Sun Mar 9 21:33:52 CET 2008

Hello all.
I am sure I am missing something really obvious here, but I can't get this to 

HTTP client (localhost) -> stunnel (localhost) -> HTTPS server (remote host)

I'd like to use stunnel as a proxy for my HTTP requests that go to an HTTPS 
server (Apache, if that makes any difference) on a remote host (fresh) that 
uses a cert to authenticate the request.
I wrote this little Ruby script[2] to test the request, and it works, so I am 
sure that on the server/client/cert end there is no problem.

Now I'd like to use a simple wget or w3m to get the file from the remote 
server through stunnel, but I keep getting 
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The only difference between the Ruby script and the stunnel setup is that in 
the Ruby script I have two different files for the crt and the key, and with 
stunnel I joined those files together with
cat s2@magnesium.key s2@magnesium.crt >s2@magnesium.pem

On localhost I run:

$ stunnel -r fresh:443 -d localhost:11443 -c -f -D 7 -c -S 0 -p 
certs/s2@magnesium.pem -a certs/ -A certs/freshCA.crt -v 3 -P none
2008.03.09 21:21:38 LOG5[9026:3082811056]: Using 'fresh.443' as tcpwrapper 
service name
2008.03.09 21:21:38 LOG7[9026:3082811056]: RAND_status claims sufficient 
entropy for the PRNG
2008.03.09 21:21:38 LOG6[9026:3082811056]: PRNG seeded successfully
2008.03.09 21:21:40 LOG7[9026:3082811056]: Certificate: certs/s2@magnesium.pem
Enter PEM pass phrase:
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_defaults is 0
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_dir is certs/
2008.03.09 21:21:40 LOG7[9026:3082811056]: cert_file is certs/freshCA.crt
2008.03.09 21:21:40 LOG7[9026:3082811056]: Loaded verify certificates from 
2008.03.09 21:21:40 LOG7[9026:3082811056]: Set verify directory to certs/
2008.03.09 21:21:40 LOG5[9026:3082811056]: Peer certificate location certs/
2008.03.09 21:21:40 LOG5[9026:3082811056]: stunnel 3.26 on i486-pc-linux-gnu 
PTHREAD+LIBWRAP with OpenSSL 0.9.8e 23 Feb 2007
2008.03.09 21:21:40 LOG7[9026:3082811056]: No pid file being created
2008.03.09 21:21:40 LOG5[9026:3082811056]: FD_SETSIZE=1024, file 
ulimit=1024 -> 500 clients allowed
2008.03.09 21:21:40 LOG7[9026:3082811056]: SO_REUSEADDR option set on accept 
2008.03.09 21:21:40 LOG7[9026:3082811056]: fresh.443 bound to

Then I try to connect to localhost:11443 with w3m, in the hope that my HTTP 
request is encrypted and sent to fresh:443, and stunnel should check if the 
PEER certificate is correct, but all I get is:

2008.03.09 21:26:44 LOG7[9214:3082585776]: fresh.443 accepted FD=6 from
2008.03.09 21:26:44 LOG7[9214:3082423184]: fresh.443 started
2008.03.09 21:26:44 LOG5[9214:3082423184]: fresh.443 connected from
2008.03.09 21:26:44 LOG7[9214:3082423184]: fresh.443 connecting
2008.03.09 21:26:44 LOG7[9214:3082423184]: Remote FD=7 initialized
2008.03.09 21:26:44 LOG7[9214:3082423184]: Relying on OpenSSL RSA Blinding.
2008.03.09 21:26:44 LOG7[9214:3082423184]: SSL state (connect): before/connect 
2008.03.09 21:26:44 LOG7[9214:3082423184]: SSL state (connect): SSLv3 write 
client hello A
2008.03.09 21:26:45 LOG7[9214:3082423184]: SSL state (connect): SSLv3 read 
server hello A
2008.03.09 21:26:45 LOG5[9214:3082423184]: VERIFY OK: depth=1, /C=IT/O=S2 
corp./CN=S2/emailAddress=s2@fresh
2008.03.09 21:26:45 LOG4[9214:3082423184]: VERIFY ERROR ONLY MY: no cert 
for /C=IT/O=S2 corp./CN=fresh
2008.03.09 21:26:45 LOG7[9214:3082423184]: SSL alert (write): fatal: 
certificate unknown
2008.03.09 21:26:45 LOG3[9214:3082423184]: SSL_connect: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2008.03.09 21:26:45 LOG7[9214:3082423184]: fresh.443 finished (0 left)

Did I do something wrong? What am I missing? Please help me, it would really 
save me a lot of work on the client side if I could get this going.



SERVER_CERT_FILE = "certs/freshCA.crt"

CERT_FILE = "certs/s2@magnesium.crt"
CERT_FILE_KEY = "certs/s2@magnesium.key"

require 'net/https'
https = Net::HTTP.new('fresh', 443)
https.use_ssl = true

# client certificate and passphrase-protected private key
https.cert = OpenSSL::X509::Certificate.new( File.read(CERT_FILE) )
https.key = OpenSSL::PKey::RSA.new( File.read(CERT_FILE_KEY), 'panza')

# CA certificate used to verify the server certificate
https.ca_file = SERVER_CERT_FILE

https.verify_mode = OpenSSL::SSL::VERIFY_PEER     #VERIFY_NONE

https.read_timeout = 120

https.start do |https|
  request = Net::HTTP::Get.new('/notes/test_auth')
#  request.basic_auth 's', 'x'
  response = https.request(request)
  puts response.body
end
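Added example, not the poster's script or stunnel's own code. It rebuilds offline the two checks visible in the log above: chain verification against the CA (the "VERIFY OK: depth=1" line, which is all the Ruby script's ca_file + VERIFY_PEER does) and the "ONLY MY" check that stunnel's verify level 3 adds on top, which also requires the peer's own certificate to be among the locally installed ones. The CA and server subjects are constructed to mirror the post; no real host is contacted.

```ruby
require 'openssl'

# Build a throwaway certificate. With issuer_cert/issuer_key nil the result is
# a self-signed CA root; otherwise it is a leaf signed by that issuer.
# Subjects are constructed to mirror the post (CN=S2 for the CA, CN=fresh for
# the server); nothing here touches the real "fresh" host.
def make_cert(subject, issuer_cert, issuer_key, serial, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints',
                                         ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Check 1: does the peer chain to a trusted CA? This is what ca_file +
# VERIFY_PEER in the Ruby script does, and what logs "VERIFY OK: depth=1".
def chain_valid?(peer_cert, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(peer_cert)
end

# Check 2: is this exact peer certificate among the locally installed ones?
# stunnel -v 3 adds this on top of the chain check; a directory holding only
# the CA cert fails it with "VERIFY ERROR ONLY MY: no cert for <peer subject>".
def locally_installed?(peer_cert, installed_certs)
  installed_certs.any? { |c| c.to_der == peer_cert.to_der }
end

ca_cert,  ca_key = make_cert('/C=IT/O=S2 corp./CN=S2', nil, nil, 1, ca: true)
srv_cert, _      = make_cert('/C=IT/O=S2 corp./CN=fresh', ca_cert, ca_key, 2)

puts "chain valid:        #{chain_valid?(srv_cert, ca_cert)}"           # true
puts "pinned (CA only):   #{locally_installed?(srv_cert, [ca_cert])}"   # false
puts "pinned (CA+server): #{locally_installed?(srv_cert, [ca_cert, srv_cert])}"
```

The second line mirrors the failing setup in the post: only freshCA.crt is in the verify directory, so the chain passes but the level-3 pin does not.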
