[stunnel-users] PSK, verifying the client

Mike the.lists at mgm51.com
Thu Apr 6 16:36:45 CEST 2017


On 4/6/2017 6:21 AM, Małgorzata Olszówka wrote:
>> Is it possible to verify the client using PSK?
>>
>> On the stunnel server I specify a PSKsecrets file with two lines in it,
>> one for client01 and one for client02.  The secret is about 36
>> characters long.
>>
>> On a client, I have a similar PSKsecrets file, but only containing the
>> client01 line.
>>
>> Now, if I try to connect with, say, a client03, i.e., any client that
>> does not have a matching line in the server's PSKsecrets file, how can I
>> assure that the client connection will be rejected?
>>
>> What I'd like to see would be the following: any client that tries to
>> connect, and does not present a PSK that is present in the server's
>> PSKsecrets file, then that client's connection request is rejected, with
>> an appropriate message logged.
>>
>> Can I do that with the current stunnel?
>>
> 
> Hello Mike,
> In the log messages on the server you can find some information about 
> accepted or rejected connections, e.g.:
> 
> for connected client:
> 2017.04.06 05:23:55 LOG5[2841]: Service [PSK server] accepted connection from 10.10.10.11:48280
> 2017.04.06 05:23:55 LOG5[2841]: Key configured for PSK identity "test1"
> 2017.04.06 05:23:55 LOG5[2841]: Connection closed: 57 byte(s) sent to TLS, 0 byte(s) sent to socket
> 
> for rejected client that doesn’t have the correct secret:
> 2017.04.06 05:24:03 LOG3[2845]: SSL_accept: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> 2017.04.06 05:24:03 LOG5[2845]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> 
> for rejected client that doesn’t have any secret:
> 2017.04.06 05:24:24 LOG3[2846]: SSL_accept: 1408A0C1: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
> 2017.04.06 05:24:24 LOG5[2846]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
> 

Thanks for the quick reply.

OK, I'm not seeing the log messages for the rejection.  So it looks like
I have some investigating to do.

One more question - what log level do you use to see those messages?
info, warning, or debug?
thx.
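The three log excerpts quoted in the reply above are enough to tell accepted PSK clients from rejected ones by machine. The following Python is an added example, not stunnel project code: it groups stunnel records by their bracketed connection id and classifies each connection as accepted (with the PSK identity), rejected for a wrong secret, or rejected for offering no PSK. It assumes only the record layout visible in the quoted lines and uses those lines, re-joined onto single lines, as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: the log excerpts quoted in the reply above, one record per line.
SAMPLE_LOG = """\
2017.04.06 05:23:55 LOG5[2841]: Service [PSK server] accepted connection from 10.10.10.11:48280
2017.04.06 05:23:55 LOG5[2841]: Key configured for PSK identity "test1"
2017.04.06 05:23:55 LOG5[2841]: Connection closed: 57 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.04.06 05:24:03 LOG3[2845]: SSL_accept: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2017.04.06 05:24:03 LOG5[2845]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.04.06 05:24:24 LOG3[2846]: SSL_accept: 1408A0C1: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2017.04.06 05:24:24 LOG5[2846]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

# Assumed record layout, as seen above: "<date> <time> LOG<n>[<connection id>]: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"accepted connection from (?P<peer>\S+)")
IDENTITY_RE = re.compile(r'Key configured for PSK identity "(?P<identity>[^"]*)"')


def classify_psk_connections(log_text):
    """Group records by connection id and decide the PSK outcome of each connection.

    Returns {conn_id: {"peer", "identity", "outcome"}} with outcome one of
    "accepted", "rejected-bad-secret", "rejected-no-psk" or "unknown".
    """
    conns = defaultdict(lambda: {"peer": None, "identity": None, "outcome": "unknown"})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a stunnel record, skip it
        rec, msg = conns[m["conn"]], m["msg"]
        if (a := ACCEPTED_RE.search(msg)):
            rec["peer"] = a["peer"]
        elif (i := IDENTITY_RE.search(msg)):
            rec["identity"] = i["identity"]      # server found the client's PSK identity in PSKsecrets
            rec["outcome"] = "accepted"
        elif "decryption failed or bad record mac" in msg:
            rec["outcome"] = "rejected-bad-secret"  # the error shown in the reply for a wrong secret
        elif "no shared cipher" in msg:
            rec["outcome"] = "rejected-no-psk"      # the error shown in the reply for no secret at all
    return dict(conns)


def rejected_connections(log_text):
    """Connection ids whose outcome is a rejection, e.g. to feed an alert."""
    return sorted(c for c, r in classify_psk_connections(log_text).items()
                  if r["outcome"].startswith("rejected"))


if __name__ == "__main__":
    for conn, rec in classify_psk_connections(SAMPLE_LOG).items():
        print(conn, rec)
```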