Ensuring TLSv1.2 in stunnel?

Time:11-02

Please bear with me as I might lack some understanding on creating certificates to achieve a TLS connection.

I am trying to establish a connection with TLSv1.2 encrypted from client to server. I have created my own CA certificate and CSR on client-side and proceeded to sign the client.

On client side after generating CSR and signing it with the CA cert:

  • client-cert.pem
  • client-csr.pem
  • client-key.pem

Commands used:

  • openssl req -nodes -newkey rsa:4096 -keyout client-key.pem -out client-csr.pem
  • openssl verify -CAfile ca-cert.pem client-cert.pem

On server-side, I also created a CSR and signed it with my own CA:

  • server-cert.pem
  • server-key.pem

On server-side, after I create the CA cert and sign the client cert:

  • ca-cert.pem
  • ca-cert.srl
  • ca-key.pem

Commands used:

  • openssl req -x509 -newkey rsa:4096 -days 3650 -keyout ca-key.pem -out ca-cert.pem
  • openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
  • openssl verify -CAfile ca-cert.pem client-cert.pem

So on my nginx side, I had configured it this way (stream connection):

server {
  listen 10043;
  proxy_ssl on;
  proxy_ssl_protocols TLSv1.2;
  proxy_ssl_session_reuse on;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
  ssl_certificate /etc/nginx/certs/tls_certs/client-cert.pem;
  ssl_certificate_key /etc/nginx/certs/tls_certs/client-key.pem;
  ssl_dhparam /etc/nginx/certs/tls_certs/dhparam.pem;
  access_log /var/log/nginx/lpe-ing.log proxy;
  proxy_pass 123.456.789.123:12345;
}

At my server endpoint, it is using stunnel & I am not sure how to configure the CA certs.

cert = server-cert.pem
key = server-key.pem
CAfile = ca-cert.pem
verify = 3
sslVersion = all
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1

[ABC-1]
accept = 12345
connect = localhost:11881

  1. Is my config wrong?
  2. Am I missing any more config on both server and client end?
  3. If I turn off verify (verify = 0), then I am able to connect.

I am getting this error from stunnel when I run 'openssl s_client -connect localhost:10043 -tls1_2':

CONNECTED(00000003)
write:errno=104

stunnel logs:

2021.11.01 08:17:05 LOG3[14538:140387789453056]: SSL_accept: 140890C7: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate

CodePudding user response:

I'm not familiar with Nginx configuration, so I don't know if you got it right. But I can tell what you're doing wrong in your test. You've successfully tested that an unauthenticated client is not allowed to connect. OpenSSL errors aren't always clear, but in this case, the message from the server is reasonably clear:

ssl3_get_client_certificate:peer did not return a certificate

You've configured the server to require client authentication. But the client did not send a certificate, so no client authentication can happen, and the server refused the connection attempt by closing the connection. (TLS client authentication works this way: the client sends a certificate, then it sends a signature that proves that it knows the corresponding private key.) The error on the client is “connection reset by peer”.

You need to pass the signed certificate and the private key to your client.

openssl s_client -connect localhost:10043 -tls1_2 -cert client-cert.pem -key client-key.pem
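The check the answer describes, reproduced on a loopback port as an added example (not code from the question or the answer): a throwaway CA, server and client certificates signed by it, a TLS 1.2-only server that requires a client certificate, and the same connection attempted first without and then with -cert/-key. It assumes a working openssl binary; the demo-* names, temporary file paths and port 14433 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the question or the answer): reproduce the
# "peer did not return a certificate" failure and the working mutual-TLS
# handshake on a loopback port. Assumes an `openssl` binary; the CN values,
# file names and the port are constructed for this demo.
set -e
WORK=$(mktemp -d)
PORT=14433   # assumed free loopback port
trap 'kill "${SERVER_PID:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Private CA plus a server and a client leaf certificate signed by it,
# mirroring the CSR-then-sign flow from the question.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$WORK/$n-key.pem" -out "$WORK/$n-csr.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/$n-csr.pem" -days 30 -CA "$WORK/ca-cert.pem" \
      -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/$n-cert.pem" 2>/dev/null
  done
}

# TLS 1.2-only server that REQUIRES a client certificate chaining to the CA
# (-Verify, the s_server analogue of stunnel's verify = 3); -www answers a GET.
start_server() {
  openssl s_server -accept "$PORT" -tls1_2 -www \
    -cert "$WORK/server-cert.pem" -key "$WORK/server-key.pem" \
    -CAfile "$WORK/ca-cert.pem" -Verify 1 </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1
}

# Returns 0 only if the TLS 1.2 handshake completed and application data
# came back; extra arguments (e.g. -cert/-key) are passed to s_client.
try_connect() {
  printf 'GET / HTTP/1.0\r\n\r\n' \
    | openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -quiet \
        -CAfile "$WORK/ca-cert.pem" "$@" 2>/dev/null \
    | grep -q 'HTTP/1.0 200'
}

make_test_pki
start_server
if try_connect; then echo "unexpected: anonymous client accepted"; exit 1; fi
echo "without -cert/-key: rejected (server requires a client certificate)"
try_connect -cert "$WORK/client-cert.pem" -key "$WORK/client-key.pem"
echo "with -cert/-key: handshake completed, request answered"
```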