Configuration
stunnel: no certificate returned / unknown CA
I have 2 Linux-based stunnels, 1 server and 1 client. What I am trying to do is use the stunnel client with verify 3, so that it authenticates the user based on the certificate.
Here are the configuration files for each:
Client:
    cert = /stunnel/client_Access_stunnel.pem
    key = /stunnel/client_Access_stunnel.pem
    CAfile = /stunnel/client_Access_stunnel.pem
    CApath = /stunnel/cacerts/
    fips = no
    pid = /var/run/stunnel-tcap.pid
    ; Socket parameters tuning
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    socket = l:SO_KEEPALIVE=1
    socket = r:SO_KEEPALIVE=1
    output = /stunnel/stunnel.log
    client = yes
    ;verify = 3
    debug = 5
    [tcap]
    accept = 0.0.0.0:3701
    connect = 192.168.1.4:3700
Server:
    pid = /var/run/stunnel/server.pid
    cert = /opt/quasar/cert/certs/stunnels/server.pem
    key = /opt/quasar/cert/certs/stunnels/server.pem
    CApath = /opt/certs/stunnels/cacerts/
    ; Socket parameters tuning
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    socket = l:SO_KEEPALIVE=1
    socket = r:SO_KEEPALIVE=1
    ; Security level
    verify = 2
    ; Uncomment for troubleshooting purposes
    debug = 7
    ; Log file path
    output = /opt/stunnels/stunnel.log
    [stunnel1]
    accept = 0.0.0.0:3700
    connect = 127.0.0.1:3701
The errors are:
Client:
    2016.11.16 12:55:10 LOG7[77]: Remote descriptor (FD=11) initialized
    2016.11.16 12:55:10 LOG6[77]: SNI: sending servername: 192.168.104.74
    2016.11.16 12:55:10 LOG7[77]: SSL state (connect): before/connect initialization
    2016.11.16 12:55:10 LOG7[77]: SSL state (connect): SSLv2/v3 write client hello A
    2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
    2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
    2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
    2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
    2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
    2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
    2016.11.16 12:55:10 LOG7[77]: SSL alert (read): fatal: unknown CA
    2016.11.16 12:55:10 LOG3[77]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
    2016.11.16 12:55:10 LOG5[77]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
    2016.11.16 12:55:10 LOG7[77]: Deallocating application specific data for addr index
Server:
    2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): before/accept initialization
    2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 read client hello A
    2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write server hello A
    2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate A
    2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate request A
    2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 flush data
    2016.11.16 11:55:17 LOG4[36384:140097622492928]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=UK/ST=London/L=London/O=org/OU=OP/CN=client/emailAddress=operations@n.se
    2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL alert (write): fatal: unknown CA
    2016.11.16 11:55:17 LOG3[36384:140097622492928]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    2016.11.16 11:55:17 LOG5[36384:140097622492928]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
Please ignore the timestamps; it is the same error at different times.
- I have added the CA certificate to client_Access_stunnel.pem; no change.
- I have added all of the CA certificates to CApath.
- The certificates are signed by a locally managed xca.
CApath is used together with the verifyChain or verifyPeer options, and I don't see either of those options anywhere. Also note: "Certificates in this directory should be named XXXXXXXX.0, where XXXXXXXX is the hash value of the certificate's DER-encoded subject." (taken from the stunnel manual)
What happens when you test the certificate with the following:
openssl verify -CApath /opt/certs/stunnels/cacerts/ server-certificate-file
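The following script is an added example, not part of the question or the answer. It reproduces the symptom the answer points at and the fix: a CA certificate copied into CApath under an arbitrary name is never found, because OpenSSL (and therefore stunnel) looks the issuer up by subject hash and only opens files named `<hash>.0`. The script generates a throwaway CA and a client certificate as constructed test data (in the question these would be the xca-signed certificates), so every path and subject name in it is an assumption; `openssl x509 -subject_hash` and `openssl verify -CApath` are the real OpenSSL commands being exercised.

```shell
#!/bin/sh
# Added example, not from the question or answer: build a CApath directory the
# way OpenSSL/stunnel expects it, then run the answer's openssl verify check.
# All paths are temporary assumptions; the PKI below is constructed test data.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found"; exit 0; }

WORK=$(mktemp -d)

# Constructed PKI: a throwaway CA plus one client certificate it signed.
# In the question these come from the locally managed xca CA instead.
make_test_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/C=UK/O=org/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=UK/O=org/CN=client" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/client.pem" 2>/dev/null
}

# CApath lookup is by subject-name hash: the issuer is only found when a file
# named <hash>.0 exists. A CA dropped in under any other name is invisible.
install_ca_hashed() {
  ca="$1"; capath="$2"
  h=$(openssl x509 -noout -subject_hash -in "$ca")
  cp "$ca" "$capath/$h.0"
  echo "$capath/$h.0"
}

# The answer's check: does this certificate chain to something in CApath?
# Exit status 0 on success, non-zero on "unable to get local issuer certificate".
verify_against_capath() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

demo() {
  capath="$WORK/cacerts"; mkdir -p "$capath"
  make_test_pki "$WORK"

  # Step 1: mimic the question's setup, CA copied in under its own file name.
  cp "$WORK/ca.pem" "$capath/ca.pem"
  if verify_against_capath "$WORK/client.pem" "$capath"; then
    echo "unexpected: verified without a hashed CA file"
  else
    echo "CA present only as ca.pem: verify FAILS (the question's symptom)"
  fi

  # Step 2: install the CA under its hash name and check again.
  installed=$(install_ca_hashed "$WORK/ca.pem" "$capath")
  if verify_against_capath "$WORK/client.pem" "$capath"; then
    echo "CA present as $(basename "$installed"): verify OK"
  fi
}

demo
```

For a directory that already holds several CA certificates, `openssl rehash DIR` (OpenSSL 1.1.0 and later; `c_rehash DIR` on older releases) creates the hash-named links for all of them in one go. The hash comes from the CA's subject, so a CA that is re-issued with a different subject gets a different file name and must be re-hashed; the server side of the question, which reports `unable to get local issuer certificate` at depth 0, is exactly the failure this script provokes in step 1.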