
Re: Client keys (yeah I know it's a FAQ, but I have tried everything): msg#00008

network.stunnel.user

Subject: Re: Client keys (yeah I know it's a FAQ, but I have tried everything)



> One thing I do have to mention is that freeBSD does not have the CA.sh or the
> c_hash files installed.

c_hash usually gets installed in something like /usr/local/ssl/misc.
Here it is in its entirety:

#!/bin/sh
# print out the hash values
#
# For each certificate given on the command line, print the subject hash
# that OpenSSL looks up in a CApath directory, in the form "<hash>.0 => file".

for i in $*
do
h=`openssl x509 -hash -noout -in $i`
echo "$h.0 => $i"
done

...

> # cat stunnel.conf
> cert = /usr/local/etc/stunnel/stunnel.pem
> chroot = /var/tmp/stunnel
> pid = /stunnel.pid
> setuid = stunnel
> setgid = stunnel
> verify = 3
> CApath = /trusted
> debug = 7
> output = /var/log/stunnel.log
>
> [RDPoverSSL]
> accept = 3390
> connect = 3389
> TIMEOUTclose = 0

Looks good so far

> 2003.12.03 11:56:27 LOG7[7118:134750208]: waitforsocket: FD=9, DIR=read
> 2003.12.03 11:56:27 LOG7[7118:134750208]: waitforsocket: ok
> 2003.12.03 11:56:27 LOG4[7118:134750208]: VERIFY ERROR: depth=0, error=self
> signed certificate: /C=NL/ST=Noord Holland/L=Amsterdam/O=L&W Client/OU=Client
> 2003.12.03 11:56:27 LOG7[7118:134750208]: SSL alert (write): fatal: bad
> certificate
> 2003.12.03 11:56:27 LOG3[7118:134750208]: SSL_accept: 140890B2:
> error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
> returned
> 2003.12.03 11:56:27 LOG7[7118:134750208]: RDPoverSSL finished (0 left)

Can you try running stunnel under strace? On my linux box, I can see
what files it tries to open using

strace -eopen stunnel stunnel.conf

(though restricting to 'open' might not be appropriate - OpenSSL may
try to do an fstat/access/etc first, so you should check for all
similar things.)

And is /trusted inside the chroot or not?


--
Brian Hatch                        "Even though you feel
Systems and                         comfortable in the clothes
Security Engineer                   you normally wear, at least
http://www.ifokr.org/bri/           wash them now and then."
                                    -- Bree
Every message PGP signed

Attachment: pgpWUB9c75nPe.pgp
Description: PGP signature
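An added example (not part of Brian's reply or of stunnel itself) that does what the thread is circling around: populate a CApath directory with `<subject-hash>.<n>` files, handling hash collisions the way OpenSSL's c_rehash does, resolve where that directory must live on disk once stunnel has chrooted, and check a certificate against it. It assumes `openssl` is on PATH; directory names are placeholders.

```shell
#!/bin/sh
# Example code added to this thread, not from the original post or from stunnel.
# Assumes the openssl CLI is installed.

# rehash_dir SRC_DIR CAPATH
#   Copy every *.pem / *.crt certificate in SRC_DIR into CAPATH under the
#   name <subject-hash>.<n>.  OpenSSL looks up trusted certs by that name,
#   and n is the first free index, so two certs with the same subject hash
#   land in .0 and .1 instead of one clobbering the other.
rehash_dir() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    for cert in "$src"/*.pem "$src"/*.crt; do
        [ -f "$cert" ] || continue        # no glob match -> literal pattern, skip
        h=$(openssl x509 -hash -noout -in "$cert") || return 1
        n=0
        while [ -e "$dst/$h.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$dst/$h.$n" || return 1
    done
}

# capath_on_disk CHROOT CAPATH
#   stunnel reads CApath after chroot(), so "CApath = /trusted" together with
#   "chroot = /var/tmp/stunnel" means the hashed files must actually be in
#   /var/tmp/stunnel/trusted on the host filesystem.
capath_on_disk() {
    chroot_dir=${1%/}; capath=$2
    case $capath in
        /*) printf '%s\n' "$chroot_dir$capath" ;;
        *)  printf '%s\n' "$chroot_dir/$capath" ;;
    esac
}

# verify_against CAPATH CERT
#   Exit 0 if CERT is trusted using only the hashed directory, the same
#   lookup the "VERIFY ERROR: depth=0, ... self signed certificate" line
#   in the log reports as failing when the client cert is not in there.
verify_against() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```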
