
Re: Client keys (yeah I know it's a FAQ, but I have tried everything): msg#00011

network.stunnel.user

Subject: Re: Client keys (yeah I know it's a FAQ, but I have tried everything)

Figured it out. Here are the files that the parent opens.
This is not even when a connection happens, because the parent forks (probably
for the chroot).

open("/var/run/ld-elf.so.hints",0x0,00) = 4 (0x4)
open("/usr/lib/libwrap.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libutil.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libssl.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libcrypto.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libc_r.so.5",0x0,010) = 4 (0x4)
open("/usr/lib/libc.so.5",0x0,010) = 4 (0x4)
open("/usr/local/etc/stunnel/stunnel.conf",0x0,00) = 6 (0x6)
open("/var/log/stunnel.log",0x209,0640) = 6 (0x6)
open("/etc/localtime",0x0,00) = 7 (0x7)
open("/root/.rnd",0x0,00) = 7 (0x7)
open("/root/.rnd",0x601,0666) = 7 (0x7)
open("/dev/urandom",0x8104,00) ERR#31 'Too many links'
open("/dev/random",0x8104,00) = 8 (0x8)
open("/usr/local/etc/stunnel/stunnel.pem",0x0,00) = 7 (0x7)
open("/usr/local/etc/stunnel/stunnel.pem",0x0,00) = 7 (0x7)
open("/dev/tty",0x0,00) = 8 (0x8)
open("/dev/tty",0x601,0666) = 9 (0x9)


Quoting Brian Hatch <bri@xxxxxxxxxxx>:

>
>
> > One thing I do have to mention is that FreeBSD does not have the CA.sh or the
> > c_hash files installed.
>
> c_hash usually gets installed in something like /usr/local/ssl/misc.
> Here it is in its entirety:
>
> #!/bin/sh
> # print out the hash values
> #
>
> for i in "$@"
> do
>   h=`openssl x509 -hash -noout -in "$i"`
>   echo "$h.0 => $i"
> done
>
> ...
>
> > # cat stunnel.conf
> > cert = /usr/local/etc/stunnel/stunnel.pem
> > chroot = /var/tmp/stunnel
> > pid = /stunnel.pid
> > setuid = stunnel
> > setgid = stunnel
> > verify = 3
> > CApath = /trusted
> > debug = 7
> > output = /var/log/stunnel.log
> >
> > [RDPoverSSL]
> > accept = 3390
> > connect = 3389
> > TIMEOUTclose = 0
>
> Looks good so far
>
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: waitforsocket: FD=9, DIR=read
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: waitforsocket: ok
> > 2003.12.03 11:56:27 LOG4[7118:134750208]: VERIFY ERROR: depth=0, error=self signed certificate: /C=NL/ST=Noord Holland/L=Amsterdam/O=L&W Client/OU=Client
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: SSL alert (write): fatal: bad certificate
> > 2003.12.03 11:56:27 LOG3[7118:134750208]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> > 2003.12.03 11:56:27 LOG7[7118:134750208]: RDPoverSSL finished (0 left)
>
> Can you try running stunnel under strace? On my linux box, I can see
> what files it tries to open using
>
> strace -eopen stunnel stunnel.conf
>
> (though restricting to 'open' might not be appropriate - OpenSSL may
> try to do an fstat/access/etc first, so you should check for all
> similar things.)
>
> And is /trusted inside the chroot or not?
>
>
> --
> Brian Hatch
> Systems and Security Engineer
> http://www.ifokr.org/bri/
>
> "Even though you feel comfortable in the clothes you normally wear, at least
> wash them now and then."
> -- Bree
>
> Every message PGP signed
>
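The check Brian asks for above (which files does the daemon open, and are they where a chrooted process can still reach them) is easy to do by hand on eighteen lines, but it is worth having as a script for longer traces. The following is an added example, not code from the thread or from stunnel: it parses FreeBSD truss(1) `open(...)` lines of the shape posted at the top of the message, lists every path that lies outside the configured chroot, every open that failed, and every open that asked for write access, and shows where a path from stunnel.conf such as `CApath = /trusted` must actually exist on disk once `chroot = /var/tmp/stunnel` has taken effect. The trace text is copied from the post; the chroot and CApath values are the ones from the posted stunnel.conf; all function names are this example's own.

```python
"""Audit a daemon's open() calls against its chroot directory (added example)."""
import re
from collections import namedtuple

# One truss(1) open() line, success or failure, e.g.
#   open("/root/.rnd",0x601,0666) = 7 (0x7)
#   open("/dev/urandom",0x8104,00) ERR#31 'Too many links'
OPEN_RE = re.compile(
    r'^open\("(?P<path>[^"]*)",(?P<flags>0x[0-9A-Fa-f]+|[0-7]+),(?P<mode>0x[0-9A-Fa-f]+|[0-7]+)\)\s*'
    r"(?:=\s*(?P<fd>\d+)|ERR#(?P<errno>\d+)\s*'(?P<errmsg>[^']*)')"
)

O_ACCMODE = 0x3  # BSD <fcntl.h>: O_RDONLY=0, O_WRONLY=1, O_RDWR=2 live in these two bits

OpenCall = namedtuple("OpenCall", "path flags fd errno errmsg")


def c_int(text):
    """Parse a C literal as truss prints it: 0x.. is hex, a leading 0 is octal, else decimal."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text, 8)
    return int(text)


def parse_opens(trace):
    """Return an OpenCall for every open() line in the trace; other lines are skipped."""
    calls = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m:
            continue
        calls.append(OpenCall(
            path=m.group("path"),
            flags=c_int(m.group("flags")),
            fd=int(m.group("fd")) if m.group("fd") else None,
            errno=int(m.group("errno")) if m.group("errno") else None,
            errmsg=m.group("errmsg"),
        ))
    return calls


def inside_chroot(path, chroot):
    """True if path is the chroot directory itself or lives beneath it (no prefix tricks)."""
    root = chroot.rstrip("/")
    return path == root or path.startswith(root + "/")


def chroot_path(chroot, configured):
    """Real-filesystem location of a path that the daemon resolves after chroot()."""
    return chroot.rstrip("/") + "/" + configured.lstrip("/")


def outside_chroot(calls, chroot):
    return sorted({c.path for c in calls if not inside_chroot(c.path, chroot)})


def failed_opens(calls):
    return [c for c in calls if c.errno is not None]


def write_opens(calls):
    return sorted({c.path for c in calls if c.flags & O_ACCMODE})


# Trace lines as posted in the message above (FreeBSD truss output).
TRACE = """\
open("/var/run/ld-elf.so.hints",0x0,00) = 4 (0x4)
open("/usr/lib/libwrap.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libutil.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libssl.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libcrypto.so.3",0x0,010) = 4 (0x4)
open("/usr/lib/libc_r.so.5",0x0,010) = 4 (0x4)
open("/usr/lib/libc.so.5",0x0,010) = 4 (0x4)
open("/usr/local/etc/stunnel/stunnel.conf",0x0,00) = 6 (0x6)
open("/var/log/stunnel.log",0x209,0640) = 6 (0x6)
open("/etc/localtime",0x0,00) = 7 (0x7)
open("/root/.rnd",0x0,00) = 7 (0x7)
open("/root/.rnd",0x601,0666) = 7 (0x7)
open("/dev/urandom",0x8104,00) ERR#31 'Too many links'
open("/dev/random",0x8104,00) = 8 (0x8)
open("/usr/local/etc/stunnel/stunnel.pem",0x0,00) = 7 (0x7)
open("/usr/local/etc/stunnel/stunnel.pem",0x0,00) = 7 (0x7)
open("/dev/tty",0x0,00) = 8 (0x8)
open("/dev/tty",0x601,0666) = 9 (0x9)
"""

CHROOT = "/var/tmp/stunnel"   # from the posted stunnel.conf
CAPATH = "/trusted"           # from the posted stunnel.conf


def report(trace=TRACE, chroot=CHROOT, capath=CAPATH):
    calls = parse_opens(trace)
    return {
        "opens": len(calls),
        "outside": outside_chroot(calls, chroot),
        "failed": [(c.path, c.errno, c.errmsg) for c in failed_opens(calls)],
        "writes": write_opens(calls),
        "capath_on_disk": chroot_path(chroot, capath),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, "->", value)
```

Every path in the posted trace is outside /var/tmp/stunnel, which is expected for the parent before it calls chroot(): the config, the log, the PEM and the RNG seed are all opened first. The script cannot tell pre- from post-chroot opens unless the trace also contains the chroot() call itself, so capture the trace without a syscall filter when ordering matters. The one thing it can settle directly is the question at the end of the quoted mail: with `chroot = /var/tmp/stunnel` and `CApath = /trusted`, the hashed certificates have to be in /var/tmp/stunnel/trusted, not in /trusted.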


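Brian's c_hash script prints the `hash.0` name each trusted certificate must have inside CApath, but it still leaves the copying (and the collision suffix) to the operator, and c_rehash's usual answer of symlinks does not work across a chroot boundary. The following added example, which is not stunnel or OpenSSL code, does the whole job offline: it extracts the Subject from a DER certificate with a minimal DER walker, computes the pre-1.0 OpenSSL `X509_NAME_hash()` (MD5 over the DER Subject, first four bytes taken little-endian, which is what `openssl x509 -hash` printed in 2003 and what `-subject_hash_old` prints on 1.0 and later), and copies each certificate into the CApath directory as `<hash>.<n>`, bumping `n` when two certificates share a subject hash. The test certificates are constructed in the script (structurally valid, unsigned, garbage key), and every function name here is this example's own; the DER walker assumes single-byte tags, which holds for every field it touches in an X.509 certificate.

```python
"""Build an OpenSSL CApath (hash.N files) inside a chroot, by copy not symlink (added example)."""
import base64
import hashlib
import os
import shutil
import struct
import tempfile


def _der_read(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_pos). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem_bytes):
    """Base64-decode the first CERTIFICATE block only (stunnel.pem also carries the key)."""
    inside, body = False, []
    for line in pem_bytes.splitlines():
        line = line.strip()
        if line == b"-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == b"-----END CERTIFICATE-----":
            break
        elif inside:
            body.append(line)
    return base64.b64decode(b"".join(body))


def subject_der(cert_der):
    """Return the full DER TLV of tbsCertificate.subject."""
    tag, cert_body, _ = _der_read(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, _ = _der_read(cert_body, 0)
    assert tag == 0x30, "tbsCertificate must be a SEQUENCE"
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:   # version?, serial, sigalg, issuer, validity, subject
        start = pos
        tag, _, pos = _der_read(tbs, pos)
        fields.append((tag, tbs[start:pos]))
    if fields[0][0] == 0xA0:                    # explicit [0] version present (v2/v3)
        fields.pop(0)
    return fields[4][1]                         # serial, sigalg, issuer, validity, SUBJECT


def subject_hash_old(name_der_bytes):
    """Pre-1.0 X509_NAME_hash(): first 4 bytes of MD5 over the DER Name, little-endian."""
    return struct.unpack("<I", hashlib.md5(name_der_bytes).digest()[:4])[0]


def build_capath(cert_files, capath):
    """Copy each PEM certificate into capath as <hash>.<n>; returns the names written.
    Copies, not symlinks: a symlink that points outside the jail is dead after chroot()."""
    os.makedirs(capath, exist_ok=True)
    placed = []
    for src in cert_files:
        with open(src, "rb") as f:
            h = subject_hash_old(subject_der(pem_to_der(f.read())))
        n = 0
        while os.path.exists(os.path.join(capath, "%08x.%d" % (h, n))):
            n += 1                              # same hash already present: next suffix
        dst = os.path.join(capath, "%08x.%d" % (h, n))
        shutil.copyfile(src, dst)
        placed.append(os.path.basename(dst))
    return placed


# --- constructed test material (no real CA involved) ---------------------------------
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def name_der(cn):
    """DER Name with a single CN: SEQ { SET { SEQ { OID 2.5.4.3, UTF8String cn } } }."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn="Test CA"):
    """Structurally valid v3 certificate with a garbage key and signature (constructed)."""
    sigalg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"031203000000Z") + _der(0x17, b"331203000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sigalg
               + name_der(issuer_cn) + validity + name_der(subject_cn)
               + _der(0x30, sigalg + _der(0x03, b"\x00\x00")))
    der = _der(0x30, tbs + sigalg + _der(0x03, b"\x00\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def demo():
    """Hash three constructed certs (two with the same subject) into <tmp>/chroot/trusted."""
    with tempfile.TemporaryDirectory() as tmp:
        files = []
        for i, cn in enumerate(["L&W Client", "L&W Client", "Other Client"]):
            path = os.path.join(tmp, "cert%d.pem" % i)
            with open(path, "wb") as f:
                f.write(fake_cert_pem(cn))
            files.append(path)
        return build_capath(files, os.path.join(tmp, "chroot", "trusted"))


if __name__ == "__main__":
    print(demo())
```

For real certificates, cross-check one name against `openssl x509 -subject_hash_old -noout -in cert.pem` (or plain `-hash` on the 0.9.x builds this thread was written against); on OpenSSL 1.0 and later the default `-hash` is a different, SHA-1 based value, so a CApath meant for a newer library needs those names as well, which is why the shipped c_rehash writes both.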

