Discussion:
[stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
David Faizulaev
2016-05-17 11:13:26 UTC
I see. I have a keystore file for the server; can it be set as KEY? Can I convert the keystore to PEM?

Additionally, I've thought about configuring Stunnel in client mode.
Here is the configuration:

[custom]
client = yes
accept = 127.0.0.1:8449
connect = 192.168.220.72:444
verify = 2
CAfile = server.pem

In this case, my application appears to successfully connect to Stunnel & send messages.
But when it tries to access it in order to collect messages, it fails:

(App in C++)
Error: socketReceive data failed (Requested: 4 bytes, Cur chunk size: 4 bytes. Progress: Got: 0 bytes, Left: 4 bytes): System Err: An unknown error occurred while accessing an unnamed file.

Thank you for your assistance.

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

-----Original Message-----
From: stunnel-users [mailto:stunnel-users-***@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 2:03 PM
To: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
Post by David Faizulaev
Hello Ludolf,
I've printed the content of the certificate file, and the lines "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" exist.
In addition, I've compared the default certificate provided by Stunnel with the one I wish to use; their structure is identical.
Hello David,

Please reply to the list, so others are able to comment too.

I don't know the 'default certificate provided by Stunnel'. I expect it to depend on the distribution.

However, if there are "BEGIN/END CERTIFICATE" lines in your file, but no "BEGIN/END RSA PRIVATE KEY", then the file is in PEM format, but the key is missing. Maybe you have separate files for private key and certificate. If this is the case, you may either concatenate key and certificate to a single file or specify both files in the stunnel
key = my-private-key.pem
cert = my-certificate.pem
Ludolf

--

Ludolf Holzheid
 
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
 
Tel: +49 621 33996-0
Fax: +49 621 3392239
 
mailto:***@bihl-wiedemann.de
http://www.bihl-wiedemann.de
 
Registered office: Mannheim
Managing directors: Jochen Bihl, Bernhard Wiedemann
Amtsgericht Mannheim, HRB 5796
_______________________________________________
stunnel-users mailing list
stunnel-***@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
David Faizulaev
2016-05-17 13:08:33 UTC
Latest update:
After further investigation, it became evident that Stunnel should run as a client.
Therefore, I've converted my existing certs file (from my application) into a PEM file.
The file includes -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----.

But I still get an error:

2016.05.17 15:57:24 LOG4[281]: CERT: Pre-verification error: self signed certificate in certificate chain
2016.05.17 15:57:24 LOG4[281]: Rejected by CERT at depth=1: CN=NextnineCA
2016.05.17 15:57:24 LOG3[281]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Here is the current configuration:

[custom]
client = yes
accept = 127.0.0.1:8449
connect = 192.168.220.62:443
verify = 2
CAfile = myapp.pem

Best Regards,
David.




-----Original Message-----
From: stunnel-users [mailto:stunnel-users-***@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 2:38 PM
To: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
Post by David Faizulaev
I see. I have a keystore file for the server; can it be set as KEY? Can I convert the keystore to PEM?
I don't know.

Some key/certificate repositories don't allow exporting private keys.
Maybe there is a PKCS11 plug-in for OpenSSL to access the keystore.
If this is the case, you don't have to export your private key. But again, I don't know.
Post by David Faizulaev
Additionally, I've thought about configuring Stunnel in client mode.
[..]
Running stunnel in client or server mode makes no difference w.r.t. certificate and key files. As long as stunnel is not able to access your private key, the client mode won't work either.

HTH,

Ludolf

David Faizulaev
2016-05-17 13:24:38 UTC
Log messages are generated upon the connection attempt.

Best Regards,
David.




-----Original Message-----
From: stunnel-users [mailto:stunnel-users-***@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 4:22 PM
To: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
Post by David Faizulaev
After further investigation, it became evident that Stunnel should run as client.
Therefore, I've converted my existing certs file (from my application) into a PEM file.
The file includes -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----.
2016.05.17 15:57:24 LOG4[281]: CERT: Pre-verification error: self signed certificate in certificate chain
CN=NextnineCA
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[custom]
client = yes
accept = 127.0.0.1:8449
connect = 192.168.220.62:443
verify = 2
CAfile = myapp.pem
David,

CAfile should point to a list of trusted certificates. The file(s) for your pair of certificate and key should be specified with cert=... (and key=..., if certificate and key are stored in separate files).

Are the log messages generated at stunnel startup or at connection establishment?

Ludolf

David Faizulaev
2016-05-17 13:33:31 UTC
Between each certificate block I have the following block:

Bag Attributes
friendlyName: trustcenterclass2caii
2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
issuer=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II

Possible cause?

Best Regards,
David.




-----Original Message-----
From: stunnel-users [mailto:stunnel-users-***@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 4:31 PM
To: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
Post by David Faizulaev
Logs messages are generated upon connection attempt.
Then the server presents a certificate that can't be validated against the trusted certificates stored in the file you specified with CAfile=...

Ludolf

David Faizulaev
2016-05-17 13:50:04 UTC
Hello,

I've tried changing the value of 'verify' to 0 & 1, in both cases I get the following:

2016.05.17 16:40:25 LOG3[285]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.05.17 16:40:25 LOG5[285]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 11859 allocations
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 11241 allocations

Best Regards,
David.




-----Original Message-----
From: stunnel-users [mailto:stunnel-users-***@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 4:45 PM
To: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
Post by David Faizulaev
Bag Attributes
friendlyName: trustcenterclass2caii
2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
issuer=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
Possible cause?
No, this should be ignored as a comment.

But you instructed stunnel to check the peer's certificate against the trusted ones (verify = 2), and the certificate chain the peer presents ends with a certificate not found in the CA file.

Ludolf

David Faizulaev
2016-05-17 14:01:49 UTC
I've tried setting the value to 3 & 4, and I get:

2016.05.17 16:52:51 LOG4[332]: CERT: Pre-verification error: self signed certificate in certificate chain
2016.05.17 16:52:51 LOG4[332]: Rejected by CERT at depth=1: CN=MyCA
2016.05.17 16:52:51 LOG3[332]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.05.17 16:52:51 LOG5[332]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 23328 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 22022 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\a_object.c:346: 18299 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\a_object.c:315: 18299 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\asn1_lib.c:372: 17132 allocations

Best Regards,
David.



David Faizulaev
2016-05-18 07:24:52 UTC
Do you concatenate the self-signed certificate to the current CA?

Best Regards,
David.




-----Original Message-----
From: stunnel-users [mailto:stunnel-users-***@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 7:01 PM
To: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue
Post by David Faizulaev
Hello,
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.05.17 16:40:25 LOG5[285]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 11859 allocations
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 11241 allocations
Strange. I never used verify = 0, but I had the understanding that stunnel should accept a connection even if the peer's certificate can't be verified.

Anyhow, what happens if you add the self-signed certificate presented by the peer to the CA file?

Ludolf

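Three points raised across the thread (David's question whether a keystore can be converted to PEM, Ludolf's distinction between CAfile= and cert=/key=, and the closing suggestion to add the peer's self-signed root to the CA file) are carried through below in one added shell example. It is not code from this thread or from the stunnel project. It builds its own throw-away PKI with the openssl command-line tool, so it runs offline; the names NextnineCA, OtherCA, myapp.p12 and the addresses in the generated stunnel.conf are assumptions made for illustration, and the stunnel configuration is written out but not started.

```shell
#!/bin/sh
# Added example (not code from this thread or from the stunnel project).
# Builds a throw-away PKI, exports a PKCS#12 keystore the way the application
# might, splits it into the files stunnel expects, reproduces the
# "self signed certificate in certificate chain" rejection and then fixes it.
# Names (NextnineCA, OtherCA, myapp.p12, the addresses) are assumptions made
# for illustration.  Needs only the openssl command-line tool.
set -eu
umask 077                          # private keys written below come out mode 0600
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the roots carry CA:TRUE on every OpenSSL version.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
mk_root_ca() {                     # $1 = CN, $2 = output basename
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 7 -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}
mk_root_ca NextnineCA ca           # the root the server certificate chains to
mk_root_ca OtherCA   other-ca      # an unrelated root, standing in for a wrong CAfile

# Server certificate signed by NextnineCA (CN matches the connect= address below).
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=192.168.220.62" \
  -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -sha256 -days 7 -in server.csr -CA ca.pem -CAkey ca.key \
  -CAcreateserial -out server.pem >/dev/null 2>&1

# A PKCS#12 "keystore" holding leaf certificate, private key and the root.
# A Java JKS keystore would first be converted with
#   keytool -importkeystore -srckeystore app.jks -destkeystore app.p12 -deststoretype PKCS12
openssl pkcs12 -export -name myapp -passout pass:changeit \
  -inkey server.key -in server.pem -certfile ca.pem -out myapp.p12

# Dump everything to one PEM.  The "Bag Attributes", subject= and issuer= lines
# sit outside BEGIN/END and are ignored by OpenSSL and stunnel.  Modern OpenSSL
# writes "BEGIN PRIVATE KEY" rather than "BEGIN RSA PRIVATE KEY"; both are fine.
# (OpenSSL 3 may need -legacy for keystores made with old Java/OpenSSL ciphers.)
openssl pkcs12 -in myapp.p12 -passin pass:changeit -nodes -out myapp.pem 2>/dev/null

# Split by role: key=/cert= carry the application's own identity; CAfile= must
# hold only the issuer(s) the peer's certificate has to chain to.
openssl pkcs12 -in myapp.p12 -passin pass:changeit -nocerts -nodes -out key.pem    2>/dev/null
openssl pkcs12 -in myapp.p12 -passin pass:changeit -clcerts -nokeys -out cert.pem   2>/dev/null
openssl pkcs12 -in myapp.p12 -passin pass:changeit -cacerts -nokeys -out cafile.pem 2>/dev/null

has_private_key() { grep -q 'PRIVATE KEY-----' "$1"; }   # 0 if the PEM holds a key block

# What verify = 2 does in stunnel: validate the leaf ($3) through the chain the
# peer sent ($2) up to a root present in the trust store ($1).  0 = accepted.
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Wrong trust store (an unrelated CA, like the TC TrustCenter entries in the
# thread's myapp.pem): the chain ends in a self-signed root OpenSSL has never
# seen, so it is rejected at depth 1 (X509 error 19).
openssl verify -no-CAfile -no-CApath -CAfile other-ca.pem -untrusted ca.pem server.pem 2>&1 \
  | grep -i 'signed certificate in certificate chain' || true
# Right trust store (the exported -cacerts file): prints "server.pem: OK".
openssl verify -no-CAfile -no-CApath -CAfile cafile.pem -untrusted ca.pem server.pem

# Client-side stunnel configuration matching these files (written, not started).
cat > stunnel-client.conf <<'EOF'
[custom]
client = yes
accept = 127.0.0.1:8449
connect = 192.168.220.62:443
verify = 2
; trust store: the root (plus intermediates) that issued the server certificate,
; not the application's own certificate bundle
CAfile = cafile.pem
; own certificate and key: only needed if the server requests a client certificate
cert = cert.pem
key = key.pem
EOF
echo "generated files are in $WORK"
```

Two caveats from the stunnel manual that the thread touches on. First, verify = 2 only proves that the server's certificate chains to something in CAfile; it does not check that the certificate was issued for the host you meant to reach, which is what the checkHost / checkIP options in stunnel 5 add. Second, levels 3 and 4 (which David tried) verify the peer against a locally installed copy of its own certificate, so they need the server's leaf certificate itself in CAfile, not just its CA; with only a CA there they fail exactly as level 2 does.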
