[stunnel-users] Still not working with client certificates

Ron Cordell ron.cordell at gmail.com
Wed Mar 24 19:57:08 CET 2010


Hello,

I'm hoping that someone can give me a hint of where to look at this issue
because I'm totally stuck and have been for a few days. When I attempt to
use sTunnel in client mode with client certificates, the SSL seems to
negotiate the certs and ciphers and then nothing else happens; the services
hang. I'm hoping that someone has some insights about something that I
haven't looked at, yet.

My setup:

Server:
Windows Server, IIS 7 running SOAP services set for SSL Required, Client
Certificate required (transport level client certificate, not SOAP message
level).

Client:
Windows machine, simple web application acting as a test client for the SOAP
service.

In between:
sTunnel v4.32

Testing Scenario #1 --
Client configured to use client certificates directly against the IIS 7
service instance. This works as expected.

Testing Scenario #2 --
Server configured to not require client certificates, but require SSL.
sTunnel configured to listen on local port 8090 and forward to the IIS 7
server. This works as expected.

Testing Scenario #3 --
Server configured to require client certificates. sTunnel configured to use
client certificate as issued by a local CA in addition to the setup as
before. This does not work, but hangs.

sTunnel.conf:

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
cert = C:\certs\client-cert-for-internal-environments.pem
;key = c:\certs\test_cert.pem
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = c:\temp\stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
;[pop3s]
;accept = 995
;connect = 110
;[imaps]
;accept = 993
;connect = 143
;[ssmtp]
;accept = 465
;connect = 25
[http]
accept = 8090
;connect = 10.12.32.164:443
connect = 10.12.32.68:1443
TIMEOUTclose = 0
; vim:ft=dosini

sTunnel log:

2010.03.24 11:54:31 LOG5[5616:5992]: Reading configuration from file stunnel.conf
2010.03.24 11:54:31 LOG7[5616:5992]: RAND_status claims sufficient entropy for the PRNG
2010.03.24 11:54:31 LOG7[5616:5992]: PRNG seeded successfully
2010.03.24 11:54:31 LOG7[5616:5992]: Certificate: C:\certs\client-cert-for-internal-environments.pem
2010.03.24 11:54:31 LOG7[5616:5992]: Certificate loaded
2010.03.24 11:54:31 LOG7[5616:5992]: Key file: C:\certs\client-cert-for-internal-environments.pem
2010.03.24 11:54:38 LOG7[5616:5992]: Private key loaded
2010.03.24 11:54:38 LOG7[5616:5992]: SSL context initialized for service http
2010.03.24 11:54:38 LOG5[5616:5992]: Configuration successful
2010.03.24 11:54:38 LOG5[5616:5992]: No limit detected for the number of clients
2010.03.24 11:54:38 LOG7[5616:5992]: FD=176 in non-blocking mode
2010.03.24 11:54:38 LOG7[5616:5992]: Option SO_REUSEADDR set on accept socket
2010.03.24 11:54:38 LOG7[5616:5992]: Service http bound to 0.0.0.0:8090
2010.03.24 11:54:38 LOG7[5616:5992]: Service http opened FD=176
2010.03.24 11:54:38 LOG3[5616:5992]: c:\temp\stunnel.log: Input/output error (5)
2010.03.24 11:54:38 LOG3[5616:5992]: Unable to open output file: c:\temp\stunnel.log
2010.03.24 11:54:38 LOG5[5616:5992]: stunnel 4.32 on x86-pc-mingw32-gnu with OpenSSL 0.9.8l 5 Nov 2009
2010.03.24 11:54:38 LOG5[5616:5992]: Threading:WIN32 SSL:ENGINE Sockets:SELECT,IPv6
2010.03.24 11:54:54 LOG7[5616:6192]: Service http accepted FD=436 from 127.0.0.1:56102
2010.03.24 11:54:54 LOG7[5616:6192]: Creating a new thread
2010.03.24 11:54:54 LOG7[5616:6192]: New thread created
2010.03.24 11:54:54 LOG7[5616:6696]: Service http started
2010.03.24 11:54:54 LOG7[5616:6696]: FD=436 in non-blocking mode
2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on local socket
2010.03.24 11:54:54 LOG5[5616:6696]: Service http accepted connection from 127.0.0.1:56102
2010.03.24 11:54:54 LOG7[5616:6696]: FD=456 in non-blocking mode
2010.03.24 11:54:54 LOG6[5616:6696]: connect_blocking: connecting 10.12.32.68:1443
2010.03.24 11:54:54 LOG7[5616:6696]: connect_blocking: s_poll_wait 10.12.32.68:1443: waiting 10 seconds
2010.03.24 11:54:54 LOG5[5616:6696]: connect_blocking: connected 10.12.32.68:1443
2010.03.24 11:54:54 LOG5[5616:6696]: Service http connected remote server from 10.12.47.109:56103
2010.03.24 11:54:54 LOG7[5616:6696]: Remote FD=456 initialized
2010.03.24 11:54:54 LOG7[5616:6696]: Option TCP_NODELAY set on remote socket
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): before/connect initialization
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server certificate A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server done A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client key exchange A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write change cipher spec A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write finished A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 flush data
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read finished A
2010.03.24 11:54:54 LOG7[5616:6696]:    1 items in the session cache
2010.03.24 11:54:54 LOG7[5616:6696]:    1 client connects (SSL_connect())
2010.03.24 11:54:54 LOG7[5616:6696]:    1 client connects that finished
2010.03.24 11:54:54 LOG7[5616:6696]:    0 client renegotiations requested
2010.03.24 11:54:54 LOG7[5616:6696]:    0 server connects (SSL_accept())
2010.03.24 11:54:54 LOG7[5616:6696]:    0 server connects that finished
2010.03.24 11:54:54 LOG7[5616:6696]:    0 server renegotiations requested
2010.03.24 11:54:54 LOG7[5616:6696]:    0 session cache hits
2010.03.24 11:54:54 LOG7[5616:6696]:    0 external session cache hits
2010.03.24 11:54:54 LOG7[5616:6696]:    0 session cache misses
2010.03.24 11:54:54 LOG7[5616:6696]:    0 session cache timeouts
2010.03.24 11:54:54 LOG6[5616:6696]: SSL connected: new session negotiated
2010.03.24 11:54:54 LOG6[5616:6696]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

This is where things time out; nothing happens beyond this point.
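An added diagnostic (not part of the post and not stunnel's own code): a small Python reader for a debug=7 stunnel log that groups the "SSL state (connect)" lines per connection thread and reports whether the server ever sent a CertificateRequest and whether the client answered it with a CertificateVerify. The embedded sample is a constructed excerpt in the same format as the handshake quoted above.

```python
import re

# Constructed excerpt in the format of the stunnel debug=7 log quoted above:
# the handshake states one client connection (thread 6696) logged.
SAMPLE_LOG = """\
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server hello A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server certificate A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read server done A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write client key exchange A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write change cipher spec A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 write finished A
2010.03.24 11:54:54 LOG7[5616:6696]: SSL state (connect): SSLv3 read finished A
2010.03.24 11:54:54 LOG6[5616:6696]: SSL connected: new session negotiated
"""

# LOG<level>[pid:thread]: the thread id separates connections; the text after
# "SSL state (connect):" is OpenSSL's name for the handshake state entered.
STATE_RE = re.compile(r"LOG\d\[\d+:(\d+)\]: SSL state \((?:connect|accept)\): (.+)$")


def handshake_states(log_text):
    """Group the logged handshake state names by stunnel thread id."""
    states = {}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.setdefault(m.group(1), []).append(m.group(2).strip())
    return states


def client_cert_verdict(states):
    """Did the server ask for a client certificate, and did the client prove one?

    OpenSSL logs a CertificateRequest as 'read server certificate request A';
    the client answers with 'write client certificate A' and, only when it
    actually has a certificate and key, 'write certificate verify A'.
    """
    joined = " | ".join(states)
    if "read finished A" not in joined:
        return "handshake did not complete"
    if "certificate request" not in joined:
        return "server did not request a client certificate in this handshake"
    if "write certificate verify" not in joined:
        return "certificate requested but the client sent no CertificateVerify"
    return "client certificate presented"


def diagnose(log_text):
    """Map each connection's thread id to its verdict."""
    return {tid: client_cert_verdict(s) for tid, s in handshake_states(log_text).items()}
```

On the handshake quoted in the post the verdict is that the server never sent a CertificateRequest, so the certificate given by `cert =` was not used in that handshake at all. Two facts worth checking in such a case: IIS requests the client certificate in a renegotiation after the HTTP request unless client-certificate negotiation is enabled on the SSL binding, and OpenSSL 0.9.8l, the version this stunnel build reports, shipped with renegotiation disabled.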