stunnel Nenhum certificado retornou CA desconhecido

2

Eu tenho 2x stunnels baseados em Linux, 1 servidor, 1 cliente. O que estou tentando fazer é usar um cliente stunnel e, com a verificação 3, autentica o usuário com base no certificado.

Aqui estão os arquivos de configuração de cada um:

Cliente:

cert = /stunnel/client_Access_stunnel.pem
key = /stunnel/client_Access_stunnel.pem
CAfile = /stunnel/client_Access_stunnel.pem
CApath = /stunnel/cacerts/

flips=no
pid    = /var/run/stunnel-tcap.pid

; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

output = /stunnel/stunnel.log
client = yes
;verify = 3
debug = 5
[tcap]
accept = 0.0.0.0:3701
connect = 192.168.1.4:3700

Servidor:

pid = /var/run/stunnel/server.pid

cert = /opt/quasar/cert/certs/stunnels/server.pem
key = /opt/quasar/cert/certs/stunnels/server.pem

CApath = /opt/certs/stunnels/cacerts/

; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1

; Security level
verify = 2

; Uncomment for troubleshooting purposes
debug = 7


; Log file path
output = /opt/stunnels/stunnel.log

[stunnel1]
accept = 0.0.0.0:3700
connect = 127.0.0.1:3701

O erro é:

Cliente:

2016.11.16 12:55:10 LOG7[77]: Remote descriptor (FD=11) initialized
2016.11.16 12:55:10 LOG6[77]: SNI: sending servername: 192.168.104.74
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): before/connect initialization
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): SSLv2/v3 write client hello A
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG7[77]: SSL alert (read): fatal: unknown CA
2016.11.16 12:55:10 LOG3[77]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2016.11.16 12:55:10 LOG5[77]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.11.16 12:55:10 LOG7[77]: Deallocating application specific data for addr index

Servidor:

2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): before/accept initialization
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 read client hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write server hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate request A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 flush data
2016.11.16 11:55:17 LOG4[36384:140097622492928]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=UK/ST=London/L=London/O=org/OU=OP/CN=client/[email protected]
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL alert (write): fatal: unknown CA
2016.11.16 11:55:17 LOG3[36384:140097622492928]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2016.11.16 11:55:17 LOG5[36384:140097622492928]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

Por favor, ignore os carimbos de hora. mesmo erro vezes diferentes.

  • Eu adicionei o certificado de CA ao client_Access_stunnel.pem, inalterado.
  • Eu adicionei todos os certificados da CA no CApath
  • o certificado foi assinado pelo xca gerenciado localmente
por Mark Shine 17.11.2016 / 08:43

1 resposta

0

O CApath é usado com as opções verifyChain ou verifyPeer, não vejo nenhuma dessas opções em nenhum lugar. Observe também que "os certificados neste diretório devem ser nomeados XXXXXXXX.0, onde XXXXXXXX é o valor de hash do assunto codificado por DER do certificado." (retirado do manual do stunnel)

O que acontece quando você testa o certificado com o seguinte:

openssl verify -CApath /opt/certs/stunnels/cacerts/ server-certificate-file
    
por 28.09.2017 / 17:16