[stunnel-users] Using stunnel for TLS with Geotrust cert?
Jon Bogaty
2016-03-28 14:27:19 UTC
Hey stunnel-users,
I'm having an issue both on stunnel4 and on 5 which I think is more
related to a lack of understanding of the difference between how
stunnel uses intermediate chain certs and root CA certs. I have from
Geotrust, who signs my SSL certs, an intermediate.crt which by the
stunnel docs should be catted into one stunnel.pem with the cert for
my domain and the private key.

The issue is when I set up everything on the server and try to connect
with a client, I either get, for "verify 2", warnings about MiTM
authentication problems, or, for "verify 3" or "verify 4", which should
disable CA checking altogether to my understanding, "Please specify
CApath".

I feel like I'm missing something critical in terms of pieces. The
goal is to use stunnel as a proxy for mysql and the conf is pretty
barebones:

sslVersion = TLSv1

setuid = stunnel4
setgid = stunnel4
pid = /var/lib/stunnel4/stunnel4.pid
debug = 7
foreground = yes

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

cert = /etc/stunnel/stunnel.pem
verify = 3

[mysqls]
accept = 3307
connect = localhost:3306


It runs just fine using supervisor.

Any thoughts on how I could make the handshake work between server
and client using geotrust's intermediate crt as the CA cert, or
something similar? It contains certs down to the root level.

Thanks!
Jon
Michał Trojnara
2016-03-28 14:58:00 UTC
Post by Jon Bogaty
The issue is when I set up everything on the server and try to
connect with a client, I either get, for "verify 2", warnings about
MiTM authentication problems, or, for "verify 3" or "verify 4",
which should disable CA checking altogether to my understanding,
"Please specify CApath".
Verify levels 3 and 4 do *not* disable certificate verification.
Verify level 3 requires the peer certificate in your CAfile.
Verify level 4 *only* requires the peer certificate.

Are you sure you want to enable peer certificate (i.e. client
certificate) verification in your SSL server configuration?

Best regards,
Mike
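As an added example, not code from this thread or from the stunnel project, a small Python check that applies the verify-level rules above to the global section of an stunnel config and reports the combinations behind the two errors seen in this thread; the two sample configs are constructed from the ones quoted here.

```python
"""Added example: flag risky verify/CAfile combinations in an stunnel config."""
import configparser

# Verify levels as documented in the stunnel manual.
VERIFY_LEVELS = {
    0: "request and ignore the peer certificate",
    1: "verify the peer certificate only if one is presented",
    2: "require a peer certificate that chains to CAfile/CApath",
    3: "level 2, plus the peer certificate itself must be in CAfile/CApath",
    4: "ignore the CA chain; only the peer certificate itself is checked",
}

def check_verify(conf_text):
    """Return a list of findings for the global section of an stunnel config."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    # Option names are matched case-insensitively ('cafile' and 'CAfile' are the
    # same key); the global section has no header, so one is prepended here.
    cp.read_string("[global]\n" + conf_text)
    g = cp["global"]
    if "verify" not in g:
        return ["verify unset: no peer certificate is requested, anyone can connect"]
    level = int(g["verify"])
    has_store = bool(g.get("cafile") or g.get("capath"))
    findings = ["verify = %d: %s" % (level, VERIFY_LEVELS.get(level, "unknown level"))]
    if level >= 3 and not has_store:
        findings.append('no CAfile/CApath: stunnel reports "Please specify CApath"')
    elif level >= 1 and not has_store:
        findings.append("no CAfile/CApath: no trust anchor, a presented certificate "
                        "cannot be chain-verified")
    if level >= 3 and has_store:
        findings.append("the peer certificate itself must be in CAfile/CApath; a store "
                        "holding only the issuer CA fails with "
                        '"Certificate not found in local repository"')
    return findings

# Constructed sample configs, modelled on the ones quoted in this thread.
CONF_NO_CA = ("cert = /etc/stunnel/stunnel.pem\nverify = 3\n\n"
              "[mysqls]\naccept = 3307\nconnect = localhost:3306\n")
CONF_ROOT_CA = ("cert = /etc/stunnel/stunnel.pem\n"
                "cafile = /etc/stunnel/GeoTrust_Global_CA.pem\nverify = 3\n")

if __name__ == "__main__":
    for name, conf in (("no CA", CONF_NO_CA), ("root CA only", CONF_ROOT_CA)):
        print(name)
        for finding in check_verify(conf):
            print("  -", finding)
```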
Jon Bogaty
2016-03-28 15:04:41 UTC
Ideally what I'd love to do is enable developers to be able to connect
their remote apps to the database proxy *without* the client-side
handshake, but I was honestly not aware it was possible. So the ideal
would be:

Remote app connects directly via mysql driver to stunnel on port 3307
encrypted with TLS
stunnel forwards the connection to the proxy on 3306

If that is possible without maintaining a connection stunnel to
stunnel that would be beyond awesome, I'm just totally failing to see
how to accomplish it!

One thing I did find though is the root cert for geotrust so I'm
running tests now to see if that helps or at least generates new info.
Based on your feedback I'm testing the following:
cert = /etc/stunnel/stunnel.pem
cafile = /etc/stunnel/GeoTrust_Global_CA.pem

verify = 3

_______________________________________________
stunnel-users mailing list
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Jon Bogaty
2016-03-28 16:41:14 UTC
As a follow-up:

It's definitely much happier having the cafile but it's still giving
me handshake problems regardless of the verification level. I'm using
exactly the same certificates for both server and client and on the
server-side getting:
SSL_accept: 14094416: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

And on the client-side, things like:
CERT: Certificate not found in local repository

Which is to me peculiar, because I'm using exactly the same
certificates, same DH, etc...

Thank you for all your help with this!
Jon Bogaty
2016-03-28 16:46:28 UTC
And sorry for the flood, but this is somewhat important. There has to
be at least some level of verification, e.g. if mysql was connecting
bare it would still need to at least handshake and verify it's not
some random attacker connecting to the proxy. But I feel like stunnel
to stunnel would work, it's just something in the verification that I
need to fix. If I take out verification completely (e.g. delete verify)
then I can connect, although at that point so could anybody.