Stunnel/Certificates

From charlesreid1

Certificates in Stunnel

The official stunnel howto has some useful (but confusing) information about certificates: https://www.stunnel.org/howto.html

Client Certificates

Using stunnel in client mode (i.e., stunnel is not acting as an SSL server) means you (the client) probably don't need to present a valid certificate (to the server). While stunnel always requires a certificate (a pem file) to run, a dummy certificate is generated when stunnel is installed, and that dummy pem file can be used by the client since the server will probably not ask the client to present this certificate.

Generating a client SSL certificate is the same process as generating a server SSL certificate. See below, or "Generating stunnel certificate and private key" section of the stunnel howto: https://www.stunnel.org/howto.html

Server Certificates

The server will need a private key and an SSL certificate.

Generating a signed SSL certificate with LetsEncrypt: see LetsEncrypt

Generating a self-signed SSL certificate with openssl: RaspberryPi/SSH Stunnel#Generate Private Keys and Certificates for SSL

Controlling both server and client

Using stunnel in a situation where you control both the client and the server gives you two options:

  • Skip verification of certificates
  • Verify certificates against locally installed certificates

To turn on verification, see Stunnel/Certificates#Verification section below.

Controlling server only

Using stunnel in a situation where you do not control the client gives you three options:

  • Skip verification of certificates (not recommended if there is no authentication involved with the traffic being passed to stunnel, since a malicious actor could intercept and decrypt traffic)
  • Ask clients to install your certificate authority into their OpenSSL installation, so that they can verify the certificate
  • Verify certificates against pre-installed, "pre-trusted" root certificates (e.g., Verisign)

Verification

By default, stunnel does not verify SSL certificates, so clients will accept whatever SSL certificate they get from the server (or an attacker pretending to be the server).

To turn on verification, set the verify option in the stunnel config file.. 

    verify = 1
        Verify the certificate, if present.
            If no certificate is presented by the remote end, accept the connection.
            If a certificate is presented, then
                If the certificate valid, it will log which certificate is being used, and continue the connection.
                If the certificate is invalid, it will drop the connection. 

    verify = 2
        Require and verify certificates

        Stunnel will require and verify certificates for every SSL connection. If no certificate or an invalid certificate is presented, then it will drop the connection. 

    verify = 3
        Require and verify certificates against locally installed certificates.

Installing Certificate Authority

A self-signed certificate is the same as the certificate authority. To install an SSL certificate, see the OpenSSL guide to installing other people's certificates: http://www.gagravarr.org/writing/openssl-certs/others.shtml

The short version:

  • If you are installing the certificate on a Mac, you will need to add it through the Keychain Access app
  • If you are installing the certificate on Linux, you will need the .pem CA file, which you will put into a file named with the certificate's own hash

Installing certificate authority on mac

Start by obtaining the CA fingerprint from a trusted source. Calculate the fingerprint for the certificate and ensure it matches: 

 openssl x509 -noout -fingerprint -in ca-certificate-file

Example: 

$ openssl x509 -noout -fingerprint -in stunnel.fullchain.pem
SHA1 Fingerprint=A9:BB:D8:A7:0C:3D:C0:99:4B:A6:FF:84:29:4C:4E:D2:B7:61:46:2D

If they match, you are ready to install it. Open Keychain Acces.app to add the certificate to the Mac keychain.

The CA file needs to be in PKCS12 format (yet another annoying decision to do weird non-standard things by apple engineers). Turn an X509 .der or .pem format into PKCS12 format using this command: 

$ openssl pkcs12 -export -in pem-certificate-and-key-file -out certkey.p12

If the key and certificate files are separate: 

$ openssl pkcs12 -export -in pem-certificate-file -inkey pem-key-file -out certkey.p12

If only doing this with a certificate, 

$ openssl pkcs12 -export -in pem-certificate-file -nokeys -nodes -out cert.p12

Example: 

$ openssl pkcs12 -export -in stunnel.fullchain.pem -inkey stunnel.key.pem -out certkey.p12
Enter Export Password:
Verifying - Enter Export Password:

OS X requires a password on the key file. I left it empty, and it seemed to be okay with that.

Now open Keychain Access.app. On the left side, pick System. Then pick File > Import Items. Import the.p12 file. You should see new entries that include the name of the certificate authority that signed the certificate.

Pick "Trust Always" when importing.

Testing installed certificate authority on Mac

$ openssl verify -CApath /System/Library/OpenSSL/certs stunnel.fullchain.pem

where stnnel.fullchain.pem is the certificate signed by the SSL certificate just added to the Keychain Access app. I had issues: 

$ openssl verify -CApath /System/Library/OpenSSL/certs stunnel.fullchain.pem
stunnel.fullchain.pem: /CN=reidmachine.party
error 20 at 0 depth lookup:unable to get local issuer certificate

from manpage of verify(1ssl): 

   2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
       the issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

Am giving up on verification step on Mac.

Installing certificate authority on linux

Start by obtaining the CA fingerprint from a trusted source. Calculate the fingerprint for the certificate and ensure it matches: 

 openssl x509 -noout -fingerprint -in ca-certificate-file

If they match, you are ready to install it. These commands will move the .pem CA file to the openssl directory, and will create a symbolic link to the .pem CA file with a filename equal to the certificate's hash, plus a .0 at the end: 

$ cd /etc/ssl/
$ mv ~/my_ca.pem .
$ ln -s my_ca.pem `openssl x509 -hash -noout -in my_ca.pem`.0

Testing installed certificate authority on Linux

Now test the certificate authority by checking a certificate that has been signed by the CA: 

$ openssl verify -CApath /etc/ssl/certs server-certificate-file

Refs

http://www.gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl

http://www.gagravarr.org/writing/openssl-certs/errors.shtml

http://pjhartlieb.blogspot.com/2011/10/pki-standards-and-some-stunnel-basics.html

http://tldp.org/HOWTO/SSL-Certificates-HOWTO/

http://bencane.com/2014/02/18/sending-redis-traffic-through-an-ssl-tunnel-with-stunnel/

https://security.stackexchange.com/questions/112665/sharing-private-key-stunnel?rq=1



SSH9999Success.png
stunnel
secure tunnel - create secure encrypted connections on any port to wrap any protocol


Stunnel  · Category:Stunnel


Using:

Client: Stunnel/Client

Server: Stunnel/Server

Stunnel Over Docker: Stunnel/Docker

Certificates: Stunnel/Certificates


Protocols:

Stunnel/Rsync  · Stunnel/SSH  · Stunnel/Scp  · Stunnel/HTTP  · Stunnel/OpenVPN


Other Links:

RaspberryPi/Headless  · RaspberryPi/Reverse SSH

Category:Stunnel  · Category:SSH  · Category:Networking


Flags  · Template:StunnelFlag  · e



Retrieved from "https://charlesreid1.com/w/index.php?title=Stunnel/Certificates&oldid=17060"