server does not send its cert?

14 Feb 2012

      Hello,

after a day of trying..

   - 2 box of *Win7 Pro x64*
   - fresh install of *stunnel 4.52*
   - keys generated with C:\Program Files (x86)\stunnel>* **.\openssl.exe
   req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem
   -keyout stunnel.pem*
   - *certs.pem* on both box contains certificate part of stunnel.pem from
   both machine

server stunnel.conf (192.168.0.52):

debug = 7
cert = stunnel.pem
verify = 2
CAfile = certs.pem
options = NO_SSLv2

[unison]
accept = 10001
connect = 127.0.0.1:10000

client stunnel.conf (192.168.0.216):

client = yes
debug = 7
cert = stunnel.pem
verify = 2
CAfile = certs.pem
options = NO_SSLv2

[unison]
client = yes
accept = 127.0.0.1:10000
connect = 192.168.0.52:10001

Test #1: *OK*

C:\Program Files (x86)\stunnel>* .\openssl verify -CAfile certs.pem
stunnel.pem*
*stunnel.pem: OK*

C:\Program Files (x86)\stunnel>* .\openssl verify -CAfile certs.pem
certs.pem*
*certs.pem: OK*

Test #2: *OK*

C:\Program Files (x86)\stunnel> *.\openssl s_server -accept 10001 -cert
stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*

vs

C:\Program Files (x86)\stunnel> *.\openssl s_client -connect
192.168.0.52:10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*

Test #3: *OK - "certificate accepted"
*

C:\Program Files (x86)\stunnel> *.\openssl s_server -accept 10001 -cert
stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*

vs

*stunnel client**
*

Test #4: *OK - "certificate accepted"
*

*stunnel server*

vs

C:\Program Files (x86)\stunnel> *.\openssl s_client -connect
192.168.0.52:10001 -cert stunnel.pem -verify 2 -CAfile certs.pem -no_ssl2*

Test #5: *FAILED*

*stunnel server*

Service unison accepted connection from 192.168.0.216:23134
2012.02.14 09:02:39 LOG3[134028:132792]: SSL_accept: 140943F2:
error:140943F2:SSL routines:*SSL3_READ_BYTES:sslv3 alert unexpected message*
2012.02.14 09:02:39 LOG5[134028:132792]: Connection reset: 0 bytes sent to
SSL, 0 bytes sent to socket*
*

vs

*stunnel client
*

2012.02.14 09:02:33 LOG5[2500:5876]: Service unison connected remote server
from 192.168.0.216:23134
2012.02.14 09:02:33 LOG7[2500:5876]: Remote FD=372 initialized
2012.02.14 09:02:33 LOG3[2500:5876]: SSL_connect: 140870E8:
error:140870E8:SSL routines:*SSL3_GET_CERTIFICATE_**REQUEST:tls client cert
req with anon cipher*
2012.02.14 09:02:33 LOG5[2500:5876]: Connection reset: 0 bytes sent to SSL,
0 bytes sent to socket

After a *stunnel.conf **reload* on both box (yes, only a reload) then the
following details and differences appear:

*stunnel server* vs *openssl s_client : OK - "certificate accepted"
*

2012.02.14 09:42:02 LOG5[134236:132440]: Service unison accepted connection
from 192.168.0.216:23698
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): before/accept
initialization
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read
client hello B
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): *SSLv3 write
server hello A*
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): *SSLv3 write
certificate A*
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): *SSLv3 write
key exchange A*
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write
certificate request A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 flush
data
2012.02.14 09:42:02 LOG7[134236:132440]: Starting certificate verification:
depth=0, /C=HU/ST=Mazovia Province/L=Budapest/O=-/OU=client/CN=x-pc
2012.02.14 09:42:02 LOG5[134236:132440]: Certificate accepted: depth=0,
/C=HU/ST=Mazovia Province/L=Budapest/O=-/OU=client/CN=x-pc

2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read
client certificate A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read
client key exchange A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read
certificate verify A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 read
finished A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write
session ticket A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write
change cipher spec A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 write
finished A
2012.02.14 09:42:02 LOG7[134236:132440]: SSL state (accept): SSLv3 flush
data

*stunnel server* vs *stunnel client : FAILED
*

*server:*

2012.02.14 09:45:24 LOG5[134236:134552]: Service unison accepted connection
from 192.168.0.216:23752
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): before/accept
initialization
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 read
client hello B
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): *SSLv3 write
server hello A*
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): *SSLv3 write
key exchange A*
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 write
certificate request A
2012.02.14 09:45:24 LOG7[134236:134552]: SSL state (accept): SSLv3 flush
data
2012.02.14 09:45:24 LOG7[134236:134552]: SSL alert (read): fatal:
unexpected_message
2012.02.14 09:45:24 LOG3[134236:134552]: SSL_accept: 140943F2:
error:140943F2:SSL routines:*SSL3_READ_BYTES:sslv3 alert unexpected message*
2012.02.14 09:45:24 LOG5[134236:134552]: Connection reset: 0 bytes sent to
SSL, 0 bytes sent to socket
2012.02.14 09:45:24 LOG7[134236:134552]: Service unison finished (0 left)

*client:*

2012.02.14 09:45:18 LOG5[1100:7176]: Service unison connected remote server
from 192.168.0.216:23752
2012.02.14 09:45:18 LOG7[1100:7176]: Remote FD=452 initialized
2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): before/connect
initialization
2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): SSLv3 write
client hello A
2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): *SSLv3 read
server hello A*
2012.02.14 09:45:18 LOG7[1100:7176]: SSL state (connect): *SSLv3 read
server key exchange A*
2012.02.14 09:45:18 LOG7[1100:7176]: SSL alert (write): *fatal:
unexpected_message*
2012.02.14 09:45:18 LOG3[1100:7176]: SSL_connect: 140870E8:
error:140870E8:SSL routines:*SSL3_GET_CERTIFICATE_**REQUEST:tls client cert
req with anon cipher*
2012.02.14 09:45:18 LOG5[1100:7176]: Connection reset: 0 bytes sent to SSL,
0 bytes sent to socket

Please, give me some clues.

Thank you,

Laszlo

**

Keresztfalvi Laszlo

josealf＠rocketmail.com

Keresztfalvi Laszlo

Keresztfalvi Laszlo

Michal Trojnara

Keresztfalvi Laszlo

tags

participants (3)