I'm trying to connect to an application over stunnel 5.44 on Ubuntu 18.04. I'm using a config from a setup that is working on Windows and macOS. It seems like the client is rejecting the authorisation due to using a self-signed certificate.
Here is the redacted config:
[myapp]
client = yes
accept = 10076
connect = myserver.mydomain.com:10073
verify = 4
CAfile = /etc/stunnel/stunnel.pem
cert = /etc/stunnel/stunnel.pem
This is the log when starting stunnel:
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Clients allowed=500
May 3 08:53:54 kerzanoserv stunnel: LOG5[ui]: stunnel 5.44 on x86_64-pc-linux-gnu platform
May 3 08:53:54 kerzanoserv stunnel: LOG5[ui]: Compiled/running with OpenSSL 1.1.0g 2 Nov 2017
May 3 08:53:54 kerzanoserv stunnel: LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: errno: (*__errno_location ())
May 3 08:53:54 kerzanoserv stunnel: LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
May 3 08:53:54 kerzanoserv stunnel: LOG5[ui]: UTF-8 byte order mark not detected
May 3 08:53:54 kerzanoserv stunnel: LOG5[ui]: FIPS mode disabled
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Compression disabled
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Snagged 64 random bytes from /home/eoin/.rnd
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Wrote 1024 new random bytes to /home/eoin/.rnd
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: PRNG seeded successfully
May 3 08:53:54 kerzanoserv stunnel: LOG6[ui]: Initializing service [myapp]
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Ciphers: HIGH:!DH:!aNULL:!SSLv2
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: TLS options: 0x02020004 (+0x02000000, -0x00000000)
May 3 08:53:54 kerzanoserv stunnel: LOG6[ui]: Loading certificate from file: /etc/stunnel/stunnel.pem
May 3 08:53:54 kerzanoserv stunnel: LOG6[ui]: Certificate loaded from file: /etc/stunnel/stunnel.pem
May 3 08:53:54 kerzanoserv stunnel: LOG6[ui]: Loading private key from file: /etc/stunnel/stunnel.pem
May 3 08:53:54 kerzanoserv stunnel: LOG6[ui]: Private key loaded from file: /etc/stunnel/stunnel.pem
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Private key check succeeded
May 3 08:53:54 kerzanoserv stunnel: LOG5[ui]: Configuration successful
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Binding service [myapp]
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Listening file descriptor created (FD=7)
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Option SO_REUSEADDR set on accept socket
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Service [myapp] (FD=7) bound to 0.0.0.0:10076
May 3 08:53:54 kerzanoserv stunnel: LOG7[main]: Created pid file /var/run/stunnel4.pid
May 3 08:53:54 kerzanoserv stunnel: LOG7[cron]: Cron thread initialized
When I try to establish a websocket connection via Python through this tunnel, in a way that works on Windows, I get the following stunnel log:
May 3 09:29:56 kerzanoserv stunnel: LOG7[main]: Found 1 ready file descriptor(s)
May 3 09:29:56 kerzanoserv stunnel: LOG7[main]: FD=4 events=0x2001 revents=0x0
May 3 09:29:56 kerzanoserv stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x1
May 3 09:29:56 kerzanoserv stunnel: LOG7[main]: Service [myapp] accepted (FD=3) from 127.0.0.1:41880
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: Service [myapp] started
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: Option TCP_NODELAY set on local socket
May 3 09:29:56 kerzanoserv stunnel: LOG5[0]: Service [myapp] accepted connection from 127.0.0.1:41880
May 3 09:29:56 kerzanoserv stunnel: LOG6[0]: s_connect: connecting ...:10073
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: s_connect: s_poll_wait ...:10073: waiting 10 seconds
May 3 09:29:56 kerzanoserv stunnel: LOG5[0]: s_connect: connected ...:10073
May 3 09:29:56 kerzanoserv stunnel: LOG5[0]: Service [myapp] connected remote server from 192.168.1.26:36406
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: Option TCP_NODELAY set on remote socket
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: Remote descriptor (FD=8) initialized
May 3 09:29:56 kerzanoserv stunnel: LOG6[0]: SNI: sending servername: myserver.mydomain.com
May 3 09:29:56 kerzanoserv stunnel: LOG6[0]: Peer certificate required
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: TLS state (connect): before SSL initialization
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: Verification started at depth=0: C=PL, ST=Mazovia Province, L=Warsaw, O=Stunnel Developers, OU=Provisional CA, CN=localhost
May 3 09:29:56 kerzanoserv stunnel: LOG4[0]: CERT: Pre-verification error: self signed certificate
May 3 09:29:56 kerzanoserv stunnel: LOG4[0]: Rejected by CERT at depth=0: C=PL, ST=Mazovia Province, L=Warsaw, O=Stunnel Developers, OU=Provisional CA, CN=localhost
May 3 09:29:56 kerzanoserv stunnel: LOG7[0]: Remove session callback
May 3 09:29:57 kerzanoserv stunnel: LOG7[0]: TLS alert (write): fatal: unknown CA
May 3 09:29:57 kerzanoserv stunnel: LOG3[0]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
May 3 09:29:57 kerzanoserv stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
May 3 09:29:57 kerzanoserv stunnel: LOG7[0]: Deallocating application specific data for session connect address
May 3 09:29:57 kerzanoserv stunnel: LOG7[0]: Remote descriptor (FD=8) closed
May 3 09:29:57 kerzanoserv stunnel: LOG7[0]: Local descriptor (FD=3) closed
May 3 09:29:57 kerzanoserv stunnel: LOG7[0]: Service [myapp] finished (0 left)
I'm no expert in stunnel or certificates, so unsure what's going on. I tried to add my .pem file as a trusted certificate in /etc/ssl/certs/ but it didn't solve the problem.
This is pretty irritating and difficult to understand, could anyone help?
Many thanks, kerzane.
Here is the log output when I set verify = 0:
May 3 16:19:09 kerzanoserv stunnel: LOG7[main]: Found 1 ready file descriptor(s)
May 3 16:19:09 kerzanoserv stunnel: LOG7[main]: FD=4 events=0x2001 revents=0x0
May 3 16:19:09 kerzanoserv stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x1
May 3 16:19:09 kerzanoserv stunnel: LOG7[main]: Service [myapp] accepted (FD=3) from 127.0.0.1:48238
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Service [myapp] started
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Option TCP_NODELAY set on local socket
May 3 16:19:09 kerzanoserv stunnel: LOG5[0]: Service [myapp] accepted connection from 127.0.0.1:48238
May 3 16:19:09 kerzanoserv stunnel: LOG6[0]: s_connect: connecting *:10073
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: s_connect: s_poll_wait *:10073: waiting 10 seconds
May 3 16:19:09 kerzanoserv stunnel: LOG5[0]: s_connect: connected *:10073
May 3 16:19:09 kerzanoserv stunnel: LOG5[0]: Service [myapp] connected remote server from 192.168.1.26:42764
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Option TCP_NODELAY set on remote socket
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Remote descriptor (FD=8) initialized
May 3 16:19:09 kerzanoserv stunnel: LOG6[0]: SNI: sending servername: myserver.mydomain.com
May 3 16:19:09 kerzanoserv stunnel: LOG6[0]: Peer certificate not required
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): before SSL initialization
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
May 3 16:19:09 kerzanoserv stunnel: LOG6[0]: Certificate verification disabled
May 3 16:19:09 kerzanoserv stunnel: message repeated 2 times: [ LOG6[0]: Certificate verification disabled]
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
May 3 16:19:09 kerzanoserv stunnel: LOG6[0]: Client CA: C=PL, ST=Mazovia Province, L=Warsaw, O=Stunnel Developers, OU=Provisional CA, CN=localhost
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate request
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS read server done
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client certificate
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write certificate verify
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS state (connect): SSLv3/TLS write finished
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: TLS alert (read): fatal: unknown CA
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Remove session callback
May 3 16:19:09 kerzanoserv stunnel: LOG3[0]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
May 3 16:19:09 kerzanoserv stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Deallocating application specific data for session connect address
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Remote descriptor (FD=8) closed
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Local descriptor (FD=3) closed
May 3 16:19:09 kerzanoserv stunnel: LOG7[0]: Service [myapp] finished (0 left)
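The two logs above point at the same mismatch seen from both ends. With verify = 4 the client's CAfile is its own stunnel.pem, so the certificate the server presents (stunnel's default "Provisional CA, CN=localhost" one) is not in the trust store and OpenSSL reports "self signed certificate" at depth 0; stunnel only consults the CAfile/CApath you configure, not the system bundle under /etc/ssl/certs. With verify = 0 the client stops checking, but the server then does the same check on the client's certificate and answers with its own "unknown CA" alert. The script below is an added example, not part of the post: it rebuilds both failures with openssl(1) on constructed, throwaway certificates (the subjects are made up to mirror the log) and shows the CAfile contents that make each side's check pass.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the two
# verification failures from the stunnel logs with openssl(1) alone, then
# show the CAfile layout that fixes them. Everything lives in a temporary
# directory; the real /etc/stunnel is never touched.
set -eu

# Nothing to demonstrate without openssl(1).
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# mk_selfsigned <basename> <subject>: constructed self-signed key + cert.
# The server subject mirrors the default certificate the log shows the
# server presenting; the client subject is invented for this example.
mk_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
mk_selfsigned server "/C=PL/O=Stunnel Developers/OU=Provisional CA/CN=localhost"
mk_selfsigned client "/O=Example client/CN=myapp-client"

# stunnel.pem-style bundle used in the posted config: key then certificate.
cat "$WORK/client.key" "$WORK/client.crt" > "$WORK/stunnel.pem"

# trusts <CAfile> <peer cert>: succeeds if <peer cert> verifies against the
# trust store in <CAfile>. A store that lacks a self-signed peer yields the
# "self signed certificate" error seen at depth=0 in the log.
trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 1. Posted configuration: CAfile is the client's own bundle, so the
#    server's certificate is untrusted and the handshake is rejected.
if trusts "$WORK/stunnel.pem" "$WORK/server.crt"; then
    echo "unexpected: own bundle trusts the server certificate"; exit 1
fi
echo "client CAfile = own stunnel.pem -> server cert rejected (verify = 4 log)"

# 2. verify = 0 on the client only moves the failure: the server's trust
#    store lacks the client certificate, so it sends 'unknown CA'.
if trusts "$WORK/server.crt" "$WORK/client.crt"; then
    echo "unexpected: server store trusts the client certificate"; exit 1
fi
echo "server CAfile = server cert only -> client cert rejected (verify = 0 log)"

# 3. Fix: each side's CAfile must hold the certificate the *other* side
#    presents. A CAfile may contain several PEM certificates concatenated.
cat "$WORK/server.crt" > "$WORK/client-trusted.pem"
cat "$WORK/client.crt" > "$WORK/server-trusted.pem"
trusts "$WORK/client-trusted.pem" "$WORK/server.crt"
trusts "$WORK/server-trusted.pem" "$WORK/client.crt"
echo "cross-installed CAfiles -> both certificates verify"

# To capture the certificate a live server really presents (the PEM block
# that belongs in the client's CAfile), query the endpoint directly:
#   openssl s_client -connect myserver.mydomain.com:10073 -showcerts </dev/null
```

Run it as-is to see the three outcomes; the last command in the comment is what to run against the real server, since the certificate it prints is the one the client must trust, not the client's own stunnel.pem.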