Stunnel.org  
   
Home
About
News
Faq
Examples
Download
Patches
Support
Related
<Examples>
Client Certificates Tips

Tips for doing client cert authentication

Below is a copy of a document provided by Lincoln Yeoh (lylyeoh at mecomb com)

You should also check out the Stunnel Certs FAQ for more detailed descriptions of bits.


Seems like a number of people are having problems doing this. I actually signed on to this list to find out, but I figured it out by the time I got on :).

Covers: Unix server <-> Windows/Unix client.

Does not cover: Windows server <-> windows/unix client. But do you really want to use windows servers for this..

In this example we will be creating an SSL telnet server on a Linux machine.

First I created a "Not a CA" certificate (it is illegal operate as an unlicensed CA in my country so...)

openssl req -config ./openssl.cnf -new -days 365 -newkey rsa:1024 -x509 -keyout notacakey.pem -out notacacert.pem

IMPORTANT!!! YOU MUST NOT SKIP THE FOLLOWING STEP.

copy notacacert to /usr/local/ssl/certs/notacacert.pem and run /usr/local/ssl/bin/c_rehash

(Don't bother with subsequent steps if you can't do the previous mandatory step ;) ) (I believe something is hardwired to /usr/local/ssl/certs/ dunno what is equiv in windows)

Then I created a server request
openssl req -nodes -config ./openssl.cnf -new -days 365 -newkey rsa:1024 -keyout ssltelnetserverkey.pem -out ssltelnetserverreq.pem

Then I signed it
openssl ca -config ./openssl.cnf -policy policy_anything -out ssltelnetservercert.pem -infiles ssltelnetserverreq.pem

Then I stuck the key and the cert together
cat ssltelnetserverkey.pem ssltelnetservercert.pem> stunnelserver.pem

(The following reformatting of the PEM file may no longer be necessary. It seemed to work at the unix server side without the formatting)

**reformat the PEM file

Then I edited stunnelserver.pem and removed the text stuff and formatted it so that it was as per stunnel docs

e.g.

-----BEGIN RSA PRIVATE KEY-----
gYkCgYEAxg0QMmxmbpQ24S/7mmp01jH53pel0N5hiPujCYs4eI/iszF3yUMMnu4H
..
rmg3HtUk3xr3pvQjLMEOasC6DvOlbIGfy47x38cFI/o=
-----END RSA PRIVATE KEY-----
  <--- blank line here
-----BEGIN CERTIFICATE-----
gYkCgYEAxg0QMmxmbpQ24S/7mmp01jH53pel0N5hiPujCYs4eI/iszF3yUMMnu4H
..
gYkCgYEAxg0QMmxmbpQ24S/7mmp01jH53pel0N5hiPujCYs4eI/iszF3yUMMnu4H
-----END CERTIFICATE-----
  <--- blank line here

I then did a similar thing for the client certificate, **END reformat the PEM file (no longer necessary???)

Placed the corresponding stunnel.pem (e.g. clientcert.pem ) in the client directory.

I ran the server (no forking debug mode )
stunnel -p stunnelserver.pem -v 2 -l /usr/sbin/in.telnetd -d 2323 -f -D 7

(nondebug mode) stunnel -p stunnelserver.pem -v 2 -l /usr/sbin/in.telnetd -d 2323

I ran the client end
stunnel.exe -c -p clientcert.pem -d 127.0.0.1:23 -r myserver.mydomain:2323
(Do NOT put a -v 2 !)

Then telnet localhost at client computer to test it.

I'm not sure where to put cacert.pem if server is windows machine, possibly the stunnel working directory itself. Anyone would like to confirm this?

-v TRUSTED CERTS ONLY CONFIG.

If you want to use the -v 3 option where only certificates in a particular directory are accepted do this:

Put the relevant client certs in a trusted directory e.g. cp stunnelclient.pem /usr/local/stunnel/certs/trusted IMPORTANT! After you put stunnelclient.pem there you MUST run c_rehash /usr/local/stunnel/certs/trusted (Believe me, do it!)

stunnel -p stunnelserver.pem -v 3 -a /usr/local/stunnel/certs/trusted -l /usr/sbin/in.telnetd -d 2323 -f -D 7

**What's this c_rehash thingy? I dunno exactly but c_rehash creates a symbolic (hash of cert I think) link to the actual cert. And I think stunnel uses that to find the relevant certificate. Without that it's very unlikely to work (there is a remote chance that you might just name your cert exactly the same name as the hash then it works ;) ).

It's probably a good way to find a cert without sifting through every one, however it is unfortunate it wasn't documented in the stunnel docs when I was reading them. It's probably in the openssl docs, however that's not really helpful to us using stunnel (I mean how would we know that it uses that part of openssl? ).

I'm wondering if there is a way to do this with just self-signed certs - No "ca" stuff. Possible if I run c_rehash on the self signed certs and stick em in the trusted directory? Will try that if I have time.

Anyone know what is the c_rehash equivalent on a windows PC?

Cheerio!

Link.