我有 2 个基于 Linux 的 stunnel,1 个服务器,1 个客户端。我想做的是使用 stunnel 客户端,并通过 verify 3 根据证书对用户进行身份验证。
以下是每个的配置文件:
客户:
cert = /stunnel/client_Access_stunnel.pem
key = /stunnel/client_Access_stunnel.pem
CAfile = /stunnel/client_Access_stunnel.pem
CApath = /stunnel/cacerts/
flips=no
pid = /var/run/stunnel-tcap.pid
; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
output = /stunnel/stunnel.log
client = yes
;verify = 3
debug = 5
[tcap]
accept = 0.0.0.0:3701
connect = 192.168.1.4:3700
服务器:
pid = /var/run/stunnel/server.pid
cert = /opt/quasar/cert/certs/stunnels/server.pem
key = /opt/quasar/cert/certs/stunnels/server.pem
CApath = /opt/certs/stunnels/cacerts/
; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
; Security level
verify = 2
; Uncomment for troubleshooting purposes
debug = 7
; Log file path
output = /opt/stunnels/stunnel.log
[stunnel1]
accept = 0.0.0.0:3700
connect = 127.0.0.1:3701
错误是:
客户:
2016.11.16 12:55:10 LOG7[77]: Remote descriptor (FD=11) initialized
2016.11.16 12:55:10 LOG6[77]: SNI: sending servername: 192.168.104.74
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): before/connect initialization
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): SSLv2/v3 write client hello A
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG7[77]: SSL alert (read): fatal: unknown CA
2016.11.16 12:55:10 LOG3[77]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2016.11.16 12:55:10 LOG5[77]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.11.16 12:55:10 LOG7[77]: Deallocating application specific data for addr index
服务器:
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): before/accept initialization
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 read client hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write server hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate request A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 flush data
2016.11.16 11:55:17 LOG4[36384:140097622492928]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=UK/ST=London/L=London/O=org/OU=OP/CN=client/[email protected]
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL alert (write): fatal: unknown CA
2016.11.16 11:55:17 LOG3[36384:140097622492928]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2016.11.16 11:55:17 LOG5[36384:140097622492928]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
请忽略时间戳。不同时间出现同样的错误。
- 我已将 CA 证书添加到 client_Access_stunnel.pem,未作任何更改。
- 我已将所有 CA 的证书添加到 CApath
- 证书由 xca 本地管理签署
答案1
CApath 与 verifyChain 或 verifyPeer 选项一起使用,我没有在任何地方看到这两个选项中的任何一个设置。另请注意“此目录中的证书应命名为 XXXXXXXX.0,其中 XXXXXXXX 是证书的 DER 编码主题的哈希值。” (摘自隧道手册)
当您使用以下内容测试证书时会发生什么:
openssl verify -CApath /opt/certs/stunnels/cacerts/ server-certificate-file