Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

1,885 views
Skip to first unread message

Ludolf Holzheid

unread,
May 17, 2016, 4:01:53 AM5/17/16
to
On Mon, 2016-05-16 16:25:04 +0000, David Faizulaev wrote:
> Hello,
>
> I've found Stunnel as a potential answer to securely moving traffic between two machines.
> But I'm having some difficulties configuring the software.
>
> I've installed it on to the client machine and configured the client to connect to 127.0.0.1:8449 while the Server to which the client needs to connect is 192.168.220.72:8447
> In the stunnel.conf I've set the following:
>
> [custom]
> accept = 127.0.0.1:8449
> connect = 192.168.220.72:8447
> cert = 220.72.cer
> TIMEOUTclose = 0
>
> Upon initializing Stunnel I get the following error:
>
> 2016.05.16 19:14:04 LOG3[main]: error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> 2016.05.16 19:14:04 LOG3[main]: SSL_CTX_use_PrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

David,

Stunnel doesn't like your key file.

Maybe it's not in PEM format, or it does not contain a private key.

Try to open it with a text editor. There should be lines reading
"-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----"
with some base64 coded stuff in between.

(There also should be a certificate enclosed in
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", but for
now, stunnel is missing the private key.)

HTH,

Ludolf

--

Ludolf Holzheid
 
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
 
Tel: +49 621 33996-0
Fax: +49 621 3392239
 
mailto:lhol...@bihl-wiedemann.de
http://www.bihl-wiedemann.de
 
Sitz der Gesellschaft: Mannheim
Geschäftsführer: Jochen Bihl, Bernhard Wiedemann
Amtsgericht Mannheim, HRB 5796
_______________________________________________
stunnel-users mailing list
stunne...@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

Ludolf Holzheid

unread,
May 17, 2016, 7:03:23 AM5/17/16
to
On Tue, 2016-05-17 08:29:17 +0000, David Faizulaev wrote:
> Hello Ludolf,
>
> I've printed the content of certificate file and the lines: "-----BEGIN CERTIFICATE-----" "-----END CERTIFICATE-----" exist.
> In addition, I've compared the default certificate provided by Stunnel with the one I wish to use, they're structure is identical.

Hello David,

Please reply to the list, so others are able to comment too.

I don't know the 'default certificate provided by Stunnel'. I expect
it to be depending on the distribution.

However, if there are "BEGIN/END CERTIFICATE" lines in your file, but
no "BEGIN/END RSA PRIVATE KEY", then the file is in PEM format, but
the key is missing. Maybe you have separate files for private key and
certificate. If this is the case, you may either concatenate key and
certificate to a single file or specify both files in the stunnel
configuration:

>> key = my-private-key.pem
>> cert = my-certificate.pem

David Faizulaev

unread,
May 17, 2016, 7:14:05 AM5/17/16
to
I see, I have a keystore file for the server, can it be set as KEY ? can I convert keystore to PEM?

Additionally, I've thought about configuring Stunnel in client mode.
Here is the configuration:

[custom]
client = yes
accept = 127.0.0.1:8449
connect = 192.168.220.72:444
verify = 2
CAfile = server.pem

In this case, my application appears to successfully connect to Stunnel & send messages.
But when it tries to access it in order to collect messages, it fails:

(App in C++)
Error: socketReceive data failed (Requested: 4 bytes, Cur chunk size: 4 bytes. Progress: Got: 0 bytes, Left: 4 bytes): System Err: An unknown error occurred while accessing an unnamed file.

Thank you for your assistance.

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

David Faizulaev

unread,
May 17, 2016, 7:16:18 AM5/17/16
to
Sorry but I've was incorrect.
The application cannot send or receive messages, I thought I was able to send messages, but I was wrong.

Ludolf Holzheid

unread,
May 17, 2016, 7:38:52 AM5/17/16
to
On Tue, 2016-05-17 11:13:26 +0000, David Faizulaev wrote:
> I see, I have a keystore file for the server, can it be set as KEY ? can I convert keystore to PEM?

I don't know.

Some key/certificate repositories don't allow to export private keys.
Maybe there is a PKCS11 plug-in for OpenSSL to access the keystore.
If this is the case, you don't have to export your private key. But
again, I don't know.

> Additionally, I've thought about configuring Stunnel in client mode.
> Here is the configuration:

> [..]

Running stunnel in client or server mode makes no difference
w.r.t. certificate and key files. As long as stunnel is not able to
access your private key, the client mode won't work either.

HTH,

David Faizulaev

unread,
May 17, 2016, 9:09:25 AM5/17/16
to
Latest update:
After further investigation, it became evident that Stunnel should run as client.
Therefore, I've converted my existing certs file (from my application) into a PEM file.
The file includes -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----.

But I still get an error:

2016.05.17 15:57:24 LOG4[281]: CERT: Pre-verification error: self signed certificate in certificate chain
2016.05.17 15:57:24 LOG4[281]: Rejected by CERT at depth=1: CN=NextnineCA
2016.05.17 15:57:24 LOG3[281]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Here is the current configuration:

[custom]
client = yes
accept = 127.0.0.1:8449
connect = 192.168.220.62:443
verify = 2
CAfile = myapp.pem

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

-----Original Message-----
From: stunnel-users [mailto:stunnel-us...@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 2:38 PM
To: stunne...@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

Ludolf Holzheid

unread,
May 17, 2016, 9:22:14 AM5/17/16
to
On Tue, 2016-05-17 13:08:33 +0000, David Faizulaev wrote:
> Latest update:
> After further investigation, it became evident that Stunnel should run as client.
> Therefore, I've converted my existing certs file (from my application) into a PEM file.
> The file includes -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----.
>
> But I still get an error:
>
> 2016.05.17 15:57:24 LOG4[281]: CERT: Pre-verification error: self signed certificate in certificate chain
> 2016.05.17 15:57:24 LOG4[281]: Rejected by CERT at depth=1: CN=NextnineCA
> 2016.05.17 15:57:24 LOG3[281]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
>
> Here is the current configuration:
>
> [custom]
> client = yes
> accept = 127.0.0.1:8449
> connect = 192.168.220.62:443
> verify = 2
> CAfile = myapp.pem

David,

CAfile should point to a list of trusted certificates. The file(s)
for your pair of certificate and key should be specified with
cert=... (and key=..., if certificate and key are stored to separate
files).

Are the log messages generated at stunnel startup or at connection
establishment?

David Faizulaev

unread,
May 17, 2016, 9:25:17 AM5/17/16
to
Logs messages are generated upon connection attempt.

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

-----Original Message-----
From: stunnel-users [mailto:stunnel-us...@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 4:22 PM
To: stunne...@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

Ludolf Holzheid

unread,
May 17, 2016, 9:31:11 AM5/17/16
to
On Tue, 2016-05-17 13:24:38 +0000, David Faizulaev wrote:
> Logs messages are generated upon connection attempt.

Then the server presents a certificate that can't be validated against
the trusted certificates stored to the file you specified with
CAfile=...

David Faizulaev

unread,
May 17, 2016, 9:34:07 AM5/17/16
to
Between each certificate block I have the following block:

Bag Attributes
friendlyName: trustcenterclass2caii
2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
issuer=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II

possible cause?

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

-----Original Message-----
From: stunnel-users [mailto:stunnel-us...@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 4:31 PM
To: stunne...@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

Ludolf Holzheid

unread,
May 17, 2016, 9:45:32 AM5/17/16
to
On Tue, 2016-05-17 13:33:31 +0000, David Faizulaev wrote:
> Between each certificate block I have the following block:
>
> Bag Attributes
> friendlyName: trustcenterclass2caii
> 2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
> subject=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
> issuer=/C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 CA/CN=TC TrustCenter Class 2 CA II
>
> possible cause?

No, this should be ignored as a comment.

But you instructed stunnel to check the peer's certificate against the
trusted ones (verify = 2), and the certificate chain the peer presents
ends with a certificate not found in the CA file.

David Faizulaev

unread,
May 17, 2016, 9:50:45 AM5/17/16
to
Hello,

I've tried changing the value of 'verify' to 0 & 1, in both cases I get the following:

2016.05.17 16:40:25 LOG3[285]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.05.17 16:40:25 LOG5[285]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 11859 allocations
2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 11241 allocations

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

-----Original Message-----
From: stunnel-users [mailto:stunnel-us...@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 4:45 PM
To: stunne...@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

David Faizulaev

unread,
May 17, 2016, 10:02:28 AM5/17/16
to
I've tried with setting the values to 3 & 4 and I get:

2016.05.17 16:52:51 LOG4[332]: CERT: Pre-verification error: self signed certificate in certificate chain
2016.05.17 16:52:51 LOG4[332]: Rejected by CERT at depth=1: CN=MyCA
2016.05.17 16:52:51 LOG3[332]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2016.05.17 16:52:51 LOG5[332]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 23328 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 22022 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\a_object.c:346: 18299 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\a_object.c:315: 18299 allocations
2016.05.17 16:52:51 LOG4[332]: Possible memory leak at .\crypto\asn1\asn1_lib.c:372: 17132 allocations

Ludolf Holzheid

unread,
May 17, 2016, 12:02:05 PM5/17/16
to
On Tue, 2016-05-17 13:50:04 +0000, David Faizulaev wrote:
> Hello,
>
> I've tried changing the value of 'verify' to 0 & 1, in both cases I get the following:
>
> 2016.05.17 16:40:25 LOG3[285]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
> 2016.05.17 16:40:25 LOG5[285]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
> 2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\tasn_new.c:179: 11859 allocations
> 2016.05.17 16:40:25 LOG4[285]: Possible memory leak at .\crypto\asn1\asn1_lib.c:408: 11241 allocations

Strange. I never used verify = 0, but I had the understanding,
stunnel should accept a connection even if the peer's certificate
can't be verified.

Anyhow, what happens if you add the self-signed certificate presented
by the peer to the CA file?

David Faizulaev

unread,
May 18, 2016, 3:25:35 AM5/18/16
to
Do you concatenate the self-signed certificate to the current CA?

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

-----Original Message-----
From: stunnel-users [mailto:stunnel-us...@stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 7:01 PM
To: stunne...@stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

Ludolf Holzheid

unread,
May 18, 2016, 6:57:23 AM5/18/16
to
On Wed, 2016-05-18 07:24:52 +0000, David Faizulaev wrote:
> Do you concatenate the self-signed certificate to the current CA?

This self-signed certificate /is/ the current CA certificate, as it is
the root of the peer's certificate chain and you trust it.

0 new messages