
I'm trying to set up stunnel to provide secure access to an nntp server. Following the instructions here I created a self-signed key and certificate. The commands I ran were:

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

My stunnel configuration has these options:

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
chroot = /usr/local/var/lib/stunnel/
; Chroot jail can be escaped if setuid option is not used
setuid = nobody
setgid = nogroup

; PID is created inside the chroot jail
pid = /stunnel.pid

; Debugging stuff (may useful for troubleshooting)
;debug = 7
output = /stunnel.log

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/var/lib/stunnel/server.crt
key = /usr/local/var/lib/stunnel/server.key

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

[nntps]
accept  = 563
connect = 119

When I start stunnel (providing my passphrase) and try to connect with Thunderbird, Thunderbird sits at "Connecting..." and I get these error messages in stunnel.log:

2013.04.17 13:40:36 LOG5[30290:3074012864]: stunnel 4.56 on i686-pc-linux-gnu platform
2013.04.17 13:40:36 LOG5[30290:3074012864]: Compiled/running with OpenSSL 1.0.1 14 Mar 2012
2013.04.17 13:40:36 LOG5[30290:3074012864]: Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
2013.04.17 13:40:36 LOG5[30290:3074012864]: Reading configuration from file /etc/stunnel/news.conf
2013.04.17 13:40:36 LOG5[30290:3074012864]: FIPS mode is disabled
2013.04.17 13:40:39 LOG5[30290:3074012864]: Configuration successful
2013.04.17 13:40:51 LOG5[30291:3073764160]: Service [nntps] accepted connection from 97.79.58.17:57054
2013.04.17 13:40:51 LOG5[30291:3073764160]: connect_blocking: connected 127.0.0.1:119
2013.04.17 13:40:51 LOG5[30291:3073764160]: Service [nntps] connected remote server from 127.0.0.1:46866
2013.04.17 13:40:51 LOG3[30291:3073764160]: SSL_read: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013.04.17 13:40:51 LOG5[30291:3073764160]: Connection reset: 95 byte(s) sent to SSL, 0 byte(s) sent to socket

I'm stumped. Help?

Edit: elsewhere it was suggested that I add sslVersion=SSLv3 to my stunnel config but this didn't seem to have any effect.

skyler

1 Answer


"tlsv1 alert unknown ca" sounds pretty clear to me. stunnel cannot check the certificate of the other side because the configured CA does not match the one which signed the certificate. Or no CA is configured at all. You need an entry like this:

CAfile = /etc/stunnel/CA.crt

Or CApath instead (more complicated; just if you need more than one CA).

Hauke Laging
  • Since I'm using a self-signed certificate, where do I get the CA file from? – skyler Apr 17 '13 at 14:05
  • 1
    I guess you can either use the certificate itself as CA or disable certificate checking (by removing the `verify` option). – Hauke Laging Apr 17 '13 at 14:18
  • I set CAfile = /usr/local/var/lib/stunnel/server.crt but received the same error. "verify" was commented-out before, but I set it to "0" and then to "1" but I still get the same error. Any other suggestions? I may have misunderstood you. – skyler Apr 17 '13 at 14:38
  • @skyler No, that's what I meant. Perhaps the message refers to the problem in the opposite direction? Is the server configured to validate client certificates? Do you have `client = yes` in the client config? Do you have `cert =` in the client config? If so you may comment it out. – Hauke Laging Apr 17 '13 at 14:42
  • No, `client` isn't specified for anything, and `cert` is only specified for the key I've generated, in the top-level config. – skyler Apr 17 '13 at 15:05
  • @skyler I guess `client = yes` must be set on one of the systems and on that system you can (at least for testing) disable the `cert` setting. – Hauke Laging Apr 17 '13 at 15:17
  • The client I'm testing from is Thunderbird, a news reader. I suppose I can set up another instance of stunnel for testing. – skyler Apr 17 '13 at 15:38
  • @skyler Sorry, I misread that (because we use stunnel-stunnel connections I had a wrong expectation). You need not install a second stunnel for testing. You can test (even from the same system) using `openssl s_client -connect 1.2.3.4:563`. And you should comment out `CAfile`. – Hauke Laging Apr 18 '13 at 19:16
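The "unknown ca" failure from the log, reproduced locally as an added example (not from the post, and not stunnel's own code): Python's ssl module plays the stunnel side with a constructed self-signed certificate, a client that trusts only the system CAs aborts with the same alert the server logs, and a client that is given that certificate as its CAfile completes the handshake. It assumes the openssl CLI is installed to generate the certificate; the hostname news.example.test is made up.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_selfsigned(cn):
    """Constructed self-signed certificate, like the question's, but unencrypted
    (-nodes) and with a SAN so hostname checks pass. Assumes the openssl CLI."""
    d = tempfile.mkdtemp()
    key, crt = os.path.join(d, "server.key"), os.path.join(d, "server.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + cn,
                    "-addext", "subjectAltName=DNS:" + cn,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def handshake(key, crt, client_ctx, server_name):
    """One TLS handshake over loopback. Returns (server_outcome, client_outcome):
    "ok", or the OpenSSL reason code each side would put in its log."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(crt, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    lsock.settimeout(5)
    outcome = {}

    def server_side():
        conn, _ = lsock.accept()
        conn.settimeout(5)
        try:
            with server_ctx.wrap_socket(conn, server_side=True):
                outcome["server"] = "ok"
        except OSError as e:  # a verifying peer's alert lands here, as in stunnel's log
            outcome["server"] = getattr(e, "reason", None) or type(e).__name__

    t = threading.Thread(target=server_side)
    t.start()
    try:
        raw = socket.create_connection(lsock.getsockname(), timeout=5)
        with client_ctx.wrap_socket(raw, server_hostname=server_name):
            outcome["client"] = "ok"
    except OSError as e:  # verification failed on the client: it sent the alert
        outcome["client"] = getattr(e, "reason", None) or type(e).__name__
    t.join()
    lsock.close()
    return outcome["server"], outcome["client"]

def demo(cn="news.example.test"):
    """Same server, two clients: one trusting only system CAs, one given server.crt."""
    key, crt = make_selfsigned(cn)
    stock = ssl.create_default_context()
    trusting = ssl.create_default_context(cafile=crt)
    return handshake(key, crt, stock, cn), handshake(key, crt, trusting, cn)
```

The first handshake ends with the server seeing TLSV1_ALERT_UNKNOWN_CA and the client CERTIFICATE_VERIFY_FAILED; the second succeeds on both sides, which is why the trust for a self-signed server certificate has to be configured on the connecting client.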