Eu tenho 2x stunnels baseados em Linux, 1 servidor, 1 cliente. O que estou tentando fazer é usar um cliente stunnel e, com a verificação 3, autentica o usuário com base no certificado.
Aqui estão os arquivos de configuração de cada um:
Cliente:
cert = /stunnel/client_Access_stunnel.pem
key = /stunnel/client_Access_stunnel.pem
CAfile = /stunnel/client_Access_stunnel.pem
CApath = /stunnel/cacerts/
flips=no
pid = /var/run/stunnel-tcap.pid
; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
output = /stunnel/stunnel.log
client = yes
;verify = 3
debug = 5
[tcap]
accept = 0.0.0.0:3701
connect = 192.168.1.4:3700
Servidor:
pid = /var/run/stunnel/server.pid
cert = /opt/quasar/cert/certs/stunnels/server.pem
key = /opt/quasar/cert/certs/stunnels/server.pem
CApath = /opt/certs/stunnels/cacerts/
; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
; Security level
verify = 2
; Uncomment for troubleshooting purposes
debug = 7
; Log file path
output = /opt/stunnels/stunnel.log
[stunnel1]
accept = 0.0.0.0:3700
connect = 127.0.0.1:3701
O erro é:
Cliente:
2016.11.16 12:55:10 LOG7[77]: Remote descriptor (FD=11) initialized
2016.11.16 12:55:10 LOG6[77]: SNI: sending servername: 192.168.104.74
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): before/connect initialization
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): SSLv2/v3 write client hello A
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG7[77]: SSL alert (read): fatal: unknown CA
2016.11.16 12:55:10 LOG3[77]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2016.11.16 12:55:10 LOG5[77]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.11.16 12:55:10 LOG7[77]: Deallocating application specific data for addr index
Servidor:
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): before/accept initialization
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 read client hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write server hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate request A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 flush data
2016.11.16 11:55:17 LOG4[36384:140097622492928]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=UK/ST=London/L=London/O=org/OU=OP/CN=client/[email protected]
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL alert (write): fatal: unknown CA
2016.11.16 11:55:17 LOG3[36384:140097622492928]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2016.11.16 11:55:17 LOG5[36384:140097622492928]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
Por favor, ignore os carimbos de hora. mesmo erro vezes diferentes.
O CApath é usado com as opções verifyChain ou verifyPeer, não vejo nenhuma dessas opções em nenhum lugar. Observe também que "os certificados neste diretório devem ser nomeados XXXXXXXX.0, onde XXXXXXXX é o valor de hash do assunto codificado por DER do certificado." (retirado do manual do stunnel)
O que acontece quando você testa o certificado com o seguinte:
openssl verify -CApath /opt/certs/stunnels/cacerts/ server-certificate-file