Re: Unable to use stunnel with tin...
- From: jayjwa <jayjwa@xxxxxxxxxxxxxxxxxxx>
- Date: Sat, 19 Jul 2008 10:44:30 -0400
Looks like you got an odd version of stunnel. Distros change stuff
around. Might be better to start fresh and compile the latest. I've
only used it for cURL tests, and the hardest part about it I remember
was getting the certificate written correctly.
Download here.
http://www.stunnel.org/download/stunnel/src/stunnel-4.25.tar.gz
It creates a bogus stunnel.pem on install (delete it) and an unneeded
/var/lib/stunnel directory. You can remove that. Make sure the PID dir
is user/group set to who the binary will run as. I recommend
nobody/nogroup. Start as root and it will switch.
Build & install. Next verify you can connect to the server. You'll
need a cert and key of yours.
openssl s_client -showcerts -pause -connect news.giganews.com:563 -cert /home/jayjwa/crypto/rsa-testing-crt.pem -key /home/jayjwa/crypto/rsa-testing-key.pem -CApath /var/ssl/certs
Enter pass phrase for /home/jayjwa/crypto/rsa-testing-key.pem:
CONNECTED(00000003)
depth=0 /C=US/O=news.giganews.com/OU=businessprofile.geotrust.com/get.jsp?GT53604560/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Validated - QuickSSL Premium(R)/CN=news.giganews.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=news.giganews.com/OU=businessprofile.geotrust.com/get.jsp?GT53604560/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Validated - QuickSSL Premium(R)/CN=news.giganews.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=news.giganews.com/OU=businessprofile.geotrust.com/get.jsp?GT53604560/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Validated - QuickSSL Premium(R)/CN=news.giganews.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/O=news.giganews.com/OU=businessprofile.geotrust.com/get.jsp?GT53604560/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Validated - QuickSSL Premium(R)/CN=news.giganews.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/O=news.giganews.com/OU=businessprofile.geotrust.com/get.jsp?GT53604560/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Validated - QuickSSL Premium(R)/CN=news.giganews.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1031 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: F2C35F0C005D0C0236C1CB54CC6CDB055EEA12B864943F9EC92291CE771CBED8
Session-ID-ctx:
Master-Key: 1FD1FA3582CAAF32421A7C2F6CC7B7FC6C415834CC6CD8C9E6AC93A966437CB7D53D555ED3432DC7FEDAE7954FD87331
Key-Arg : None
Start Time: 1216475182
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
200 News.GigaNews.Com
To connect properly, you need Giganews's certificates and CRLs from
the CA they are using. Downloadable here. There are something like 8,
in PEM format.
http://www.geotrust.com/resources/root_certificates/index.asp
CRL link is two or so down. There are 3, in DER format. Without doing
this step you can't verify and you'll get an error like so:
2008.07.19 09:41:45 LOG5[22822:3081989008]: nntps accepted connection from 192.168.10.76:44966
2008.07.19 09:41:45 LOG5[22822:3081989008]: nntps connected remote server from 192.168.10.76:56353
2008.07.19 09:41:46 LOG4[22822:3081989008]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/O=news.giganews.com/OU=businessprofile.geotrust.com/get.jsp?GT53604560/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Val
2008.07.19 09:41:46 LOG3[22822:3081989008]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2008.07.19 09:41:46 LOG5[22822:3081989008]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
CRLs are in DER format. They need to be in PEM.
View:
openssl crl -inform DER -noout -text -in gtglobal.crl
Convert to PEM:
openssl crl -inform DER -outform PEM -in gtglobal.crl -out gtglobal.pem
Do that for all of them. Copy to the crl directory. c_rehash that directory.
One hard thing about this is that most people don't have proper certs
and cert trees set up, yet secure usage requires this. (Both
cert and CRL need to be verified.) I have one maintained at /var/ssl.
To save the pain of downloading 8 + 3 files and converting them to
proper format, the ones I used I stuck somewhere around here:
ftp://atr2.ath.cx/pub/file_hosting/documents/geotrust-ssl.rar
I'm known to misspell things, so check around if the exact URL is off a little.
ls /etc/stunnel/
dhparam.pem stunnel.pem vdrl-stunnel-key.pem
stunnel.conf vdrl-stunnel-crt.pem
The stunnel.pem and/or key file needs an un-passworded key, then the
certificate, then dhparams. You can use the openssl binary to do
those. Try 'openssl dhparam -h'. I think the command line was like
'openssl dhparam -outform PEM -out /etc/stunnel/dhparam 1024' for a
1024-bit one. Tack the dhparam file contents on the end of the
cert. Notice I keep key, cert, and dhparam separate, then just combine
them all into stunnel.pem for easy use.
The config file:
; STUNNEL
; SSL Wrapper
; Configuration File (General) as services are added
; later they can go at the bottom of this file.
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/vdrl-stunnel-crt.pem
key = /etc/stunnel/vdrl-stunnel-key.pem
; Chroot it?
;chroot = /var/empty
setuid = nobody
setgid = nogroup
; PID ( inside chroot jail, if chroot'ed )
pid = /var/run/stunnel/stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
; Authentication stuff
; 1 = verify cert if exists 2 = verify cert 3 = verify against local
verify = 2
; Don't forget to c_rehash CApath
CApath = /var/ssl/certs
; It's often easier to use CAfile:
;CAfile = /var/ssl/CA/atr2-ca-crt.pem
; Don't forget to c_rehash CRLpath
CRLpath = /var/ssl/revolk
; Alternatively you can use CRLfile:
CRLfile = /var/ssl/revolk/atr2-ca-crl.pem
; debugging
;debug = 7
; Logging
output = /var/log/stunnel/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[pop3s]
accept = 995
connect = 110
[imaps]
accept = 993
connect = 143
[ssmtp]
accept = 465
connect = 25
; Client-side configuration
[nntps]
accept = 563
connect = news.giganews.com:563
; vim:ft=dosini
Cut out or comment out the other services like ssl smtp if you don't
want them. Then start stunnel as root: 'stunnel'. It should background
and start logging to the file in the config. You can tailf it if you
like. Then go to your user, start tin: 'tin -g 192.168.10.76 -p 563'
(basically connect to yourself, the interface that is bound to the
spot stunnel listens on. Actually, it listens on all here, but that's
eth0 above.)
ss -a | grep nntps
LISTEN 0 5 *:nntps *:*
2008.07.19 10:02:33 LOG5[23119:3084076736]: stunnel 4.25 on i686-pc-linux-gnu with OpenSSL 0.9.8h 28 May 2008
2008.07.19 10:02:33 LOG5[23119:3084076736]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4 Auth:LIBWRAP
2008.07.19 10:02:33 LOG5[23119:3084076736]: 500 clients allowed
2008.07.19 10:04:57 LOG5[23120:3083422608]: nntps accepted connection from 192.168.10.76:60239
2008.07.19 10:04:57 LOG5[23120:3083422608]: nntps connected remote server from 192.168.10.76:51819
2008.07.19 10:04:58 LOG5[23120:3083422608]: CRL: verification passed
2008.07.19 10:04:58 LOG5[23120:3083422608]: VERIFY OK: depth=1, /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
2008.07.19 10:04:58 LOG5[23120:3083422608]: CRL: verification passed
2008.07.19 10:04:58 LOG5[23120:3083422608]: VERIFY OK: depth=0, /C=US/O=news.giganews.com/OU=businessprofile.geotrust.com/get.jsp?GT53604560/OU=See www.geotrust.com/resources/cps (c)06/OU=Domain Control Validated - QuickSSL Premium(R)/CN=news.giganews.com
2008.07.19 10:05:22 LOG5[23120:3083422608]: Connection closed: 74 bytes sent to SSL, 123 bytes sent to socket
That's a secured connection. The actual server asks for a login, and I
don't have that, so that part is up to you. I got you to the door...
My news server I think uses giganews too, but it goes to my ISP first,
then seems to pass on the connection (I don't use news.giganews.com as
my NNTP server) without me needing a login. Not sure why it does when
I go directly.
--
[** America Is A Police State **]
"I think my eyes shall never see,
a sight as lovely as Bush,
hanging from a tree..."
http://www.hermes-press.com/police_state.htm
http://www.theregister.co.uk/2008/01/27/bush_nsa_internal/
http://www.wired.com/politics/security/news/2007/08/wiretap
http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559597
AT&T Betrays America: http://www.eff.org/nsa/hepting
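An added example, not part of jayjwa's post: a small Python linter for stunnel 4.x client configs that checks the verification options the post depends on (verify, CApath/CAfile, CRLpath/CRLfile) and reports where a service would silently accept an unverified or revoked server certificate. The embedded sample config is constructed from the post's settings; the 'careless' service and its hostname are invented.

```python
"""Lint an stunnel 4.x client config for the options the post turns on: verify,
CApath/CAfile and CRLpath/CRLfile. Option names are matched case-insensitively."""
def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); options before the first [section] are defaults."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # ';' and '#' both start comments
            continue
        if line[0] == "[" and line[-1] == "]":
            services[(current := line[1:-1])] = {}
        elif "=" in line:                     # split on the first '=' only (socket = l:TCP_NODELAY=1)
            key, _, val = line.partition("=")
            target = global_opts if current is None else services[current]
            target[key.strip().lower()] = val.strip()
    return global_opts, services

def lint_client_verification(text):
    """Return {service: [findings]} for each client-mode service (verify levels
    as in the stunnel manual: 1 = check only if sent, 2 = require, 3 = also pin a local copy)."""
    global_opts, services = parse_stunnel_conf(text)
    report = {}
    for name, own in services.items():
        opts = {**global_opts, **own}      # service options override global defaults
        if opts.get("client", "no").lower() != "yes":
            continue
        level, findings = int(opts.get("verify", "0")), []
        if level == 0:
            findings.append("no 'verify': server certificate is never checked")
        elif level == 1:
            findings.append("verify = 1 only checks a cert if the server sends one")
        if level >= 1 and not ("capath" in opts or "cafile" in opts):
            findings.append("verify set but no CApath/CAfile: every handshake fails verification")
        if not ("crlpath" in opts or "crlfile" in opts):
            findings.append("no CRLpath/CRLfile: revoked certificates are still accepted")
        report[name] = findings
    return report

# Constructed sample: the post's globals + nntps service, plus an invented 'careless' service with verify = 1.
SAMPLE_CONF = """\
verify = 2
CApath = /var/ssl/certs
CRLpath = /var/ssl/revolk
client = yes
[nntps]
connect = news.giganews.com:563
[careless]
connect = news.example.invalid:563
verify = 1
"""
```

Running `lint_client_verification(SAMPLE_CONF)` reports nothing for nntps and flags the careless service's verify level; a config with no CApath/CAfile or no CRLpath/CRLfile gets the matching finding.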