Re: Client keys (yeah I know it's a FAQ, but I have tried everything): msg#00009, network.stunnel.user
strace the server process you mean? I have FreeBSD; whilst strace is installed, I have only been able to get it to grab a trace once. I can use truss (FreeBSD's equivalent) but I do not know how to regain control of stdin so that I can enter the passphrase. Any suggestions?

-D

Quoting Brian Hatch <bri@xxxxxxxxxxx>:

> > One thing I do have to mention is that FreeBSD does not have the CA.sh or
> > the c_hash files installed.
>
> c_hash usually gets installed in something like /usr/local/ssl/misc.
> Here it is in its entirety:
>
> # print out the hash values
> #
>
> for i in $*
> do
>     h=`openssl x509 -hash -noout -in $i`
>     echo "$h.0 => $i"
> done
>
> ...
>
> > # cat stunnel.conf
> > cert = /usr/local/etc/stunnel/stunnel.pem
> > chroot = /var/tmp/stunnel
> > pid = /stunnel.pid
> > setuid = stunnel
> > setgid = stunnel
> > verify = 3
> > CApath = /trusted
> > debug = 7
> > output = /var/log/stunnel.log
> >
> > [RDPoverSSL]
> > accept = 3390
> > connect = 3389
> > TIMEOUTclose = 0
>
> Looks good so far
>
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: waitforsocket: FD=9, DIR=read
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: waitforsocket: ok
> > 2003.12.03 11:56:27 LOG4[7118:134750208]: VERIFY ERROR: depth=0, error=self signed certificate: /C=NL/ST=Noord Holland/L=Amsterdam/O=L&W Client/OU=Client
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: SSL alert (write): fatal: bad certificate
> > 2003.12.03 11:56:27 LOG3[7118:134750208]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: RDPoverSSL finished (0 left)
>
> Can you try running stunnel under strace? On my linux box, I can see
> what files it tries to open using
>
> strace -eopen stunnel stunnel.conf
>
> (though restricting to 'open' might not be appropriate - OpenSSL may
> try to do an fstat/access/etc first, so you should check for all
> similar things.)
>
> And is /trusted inside the chroot or not?
>
> --
> Brian Hatch                  "Even though you feel
> Systems and                   comfortable in the clothes
> Security Engineer             you normally wear, at least
> http://www.ifokr.org/bri/     wash them now and then."
>                                 -- Bree
>
> Every message PGP signed
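The exchange above turns on two things: whether the client's self-signed certificate is present in the CApath hash directory under the name OpenSSL looks for, and whether that directory is reachable once stunnel has chrooted (CApath is looked up at handshake time, after the chroot, so with chroot = /var/tmp/stunnel and CApath = /trusted the directory stunnel actually opens is /var/tmp/stunnel/trusted on the host). The script below is an added example, not code from the thread or from stunnel or OpenSSL: it populates a hash directory the way c_hash does, but tolerates subject-hash collisions instead of always writing .0, and then checks a certificate the way verify = 3 will, first as a chain check against the directory and then as an exact local-copy match. The temporary directory, the constructed client certificate and its subject are assumptions for illustration; -subject_hash is the current spelling of the -hash option in the quoted c_hash.

```shell
#!/bin/sh
# Added example, not from the thread: populate a CApath hash directory the
# way c_hash does and check a client certificate against it the way
# stunnel's verify = 3 will. Everything here runs in a temporary directory;
# for the thread's config (chroot = /var/tmp/stunnel, CApath = /trusted)
# the real directory to populate on the host is /var/tmp/stunnel/trusted.
set -eu

# First free suffix N such that $dir/$hash.N does not exist yet.
# OpenSSL probes <hash>.0, <hash>.1, ... so two certificates whose
# subjects hash to the same value must not overwrite each other.
next_hash_slot() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Copy one PEM certificate into the hash directory as <subject_hash>.N.
# -subject_hash is the current spelling of c_hash's -hash; OpenSSL 1.0.0
# changed the hash algorithm, so a directory built with an old c_hash
# must be rebuilt with the openssl that stunnel is linked against.
install_hashed_cert() {
    dir=$1; cert=$2
    h=$(openssl x509 -subject_hash -noout -in "$cert")
    n=$(next_hash_slot "$dir" "$h")
    cp "$cert" "$dir/$h.$n"
    echo "$h.$n => $cert"
}

# Chain check: succeeds only if the certificate (self-signed here) or its
# issuer chain is found in the hash directory. A self-signed client cert
# that is missing from CApath fails here with "self signed certificate"
# at depth 0, which is the error in the thread's log.
verify_peer() {
    dir=$1; cert=$2
    openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1
}

# Local-copy check: verify = 3 additionally requires the exact peer
# certificate to be installed locally. Compare DER encodings rather than
# PEM text so whitespace or comment differences do not matter.
locally_installed() {
    dir=$1; cert=$2
    h=$(openssl x509 -subject_hash -noout -in "$cert")
    want=$(openssl x509 -in "$cert" -outform DER | openssl dgst -sha256)
    for f in "$dir/$h".*; do
        [ -e "$f" ] || return 1
        have=$(openssl x509 -in "$f" -outform DER | openssl dgst -sha256)
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# Demo: a constructed self-signed client certificate, installed and then
# checked against a populated directory and an empty one.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=NL/O=Example Client/OU=Client" \
        -keyout "$tmp/client.key" -out "$tmp/client.pem" >/dev/null 2>&1
    mkdir "$tmp/trusted" "$tmp/empty"
    install_hashed_cert "$tmp/trusted" "$tmp/client.pem"
    for d in trusted empty; do
        if verify_peer "$tmp/$d" "$tmp/client.pem" &&
           locally_installed "$tmp/$d" "$tmp/client.pem"; then
            echo "$d: client certificate accepted"
        else
            echo "$d: client certificate rejected"
        fi
    done
    rm -rf "$tmp"
}

# Run as "sh capath-check.sh demo" to see both outcomes.
case "${1:-}" in demo) demo ;; esac
```

Two caveats when using this against a real stunnel: openssl verify also consults the system default CA file unless told not to (-no-CAfile on OpenSSL 1.1 and later), whereas stunnel only sees what the config names, so a certificate that passes here can still fail in stunnel if the hash directory is not the one under the chroot; and the hash directory must be readable by the setuid/setgid user after the chroot. On the tracing question raised in the reply, truss accepts -o file, which sends the trace to a file and leaves the terminal free for the passphrase prompt.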