stunnel-证书验证

tag-icon tag-icon security ssl ssl-certificate python stunnel
stunnel-证书验证

我有 stunnel 为 Redis 提供 SSL。我有以下配置:

[redis]
CAfile= /etc/stunnel/ca.crt
accept = 636
cert = /etc/stunnel/server1.crt
connect = localhost:6379
key = /etc/stunnel/server1.key
verify = 2

我使用 openssl 生成所有密钥和证书:

# generate ca    
openssl req -new -x509 \
            -keyout "/etc/stunnel/ca.crt" \
            -out "/etc/stunnel/ca.key" \
            -days 365 \
            -passout "pass:123456" \
            -subj "$subj"

然后我通过生成密钥openssl genrsa -des3 然后我通过生成 csr 。然后我通过openssl req -new -key生成签名证书并指向然后 我通过解密密钥openssl x509 -reqCACAkeyca.crtca.keyopenssl rsa

上述过程重复两次,以生成服务器和客户端密钥对。服务器进入 stunnel 配置,客户端进入 python 应用程序:

r = redis.Redis(host='localhost', ssl=True, port=636, db=0, ssl_certfile='client.crt', ssl_keyfile='client.key')

尝试运行 python 脚本时我得到:

redis.exceptions.ConnectionError: Error 1 connecting to localhost:636. [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590).

在隧道日志中:

2017.09.16 09:11:00 LOG6[9]: Peer certificate required
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): before/accept initialization
2017.09.16 09:11:00 LOG7[9]: SNI: no virtual services defined
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 read client hello A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write server hello A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write certificate A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write key exchange A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write certificate request A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write server done A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 flush data
2017.09.16 09:11:00 LOG7[9]: Verification started at depth=0: C=US, O="MyO", OU=MyOU, CN=redis
2017.09.16 09:11:00 LOG4[9]: CERT: Pre-verification error: self signed certificate
2017.09.16 09:11:00 LOG4[9]: Rejected by CERT at depth=0: C=US, O="MyO", OU=MyOU, CN=redis
2017.09.16 09:11:00 LOG7[9]: SSL alert (write): fatal: unknown CA
2017.09.16 09:11:00 LOG3[9]: SSL_accept: 140360B2: error:140360B2:SSL routines:ACCEPT_SR_CERT:no certificate returned
2017.09.16 09:11:00 LOG5[9]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

这种行为对我来说不清楚:

  • stunnel 配置中的 verify = 2 应将客户端的 CA 与其信任的 CA 进行比较
  • stunnel 将 CAfile 设置为 CA,它对服务器密钥和客户端密钥进行了签名
  • stunnel 说它是自签名证书并且 CA 未知

此外,openssl verify -CAfile=ca.crt <filename>对于服务器和客户端来说都是可以的。

答案1

redis.exceptions.ConnectionError: Error 1 connecting to localhost:636. [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590).

您的客户端无法验证 CA 的证书。因此,请将其存储在系统的证书存储中或配置您的客户端以接受它。

在服务器上执行相同操作。

相关内容