
I use stunnel to provide SSL for Redis. I have the following configuration:

[redis]
CAfile = /etc/stunnel/ca.crt
accept = 636
cert = /etc/stunnel/server1.crt
connect = localhost:6379
key = /etc/stunnel/server1.key
verify = 2

I generate all of the keys and certificates with openssl:

# generate ca (-keyout receives the private key, -out the certificate)
openssl req -new -x509 \
    -keyout "/etc/stunnel/ca.key" \
    -out "/etc/stunnel/ca.crt" \
    -days 365 \
    -passout "pass:123456" \
    -subj "$subj"

Then I generate the key via openssl genrsa -des3, then the CSR via openssl req -new -key, then the signed certificate via openssl x509 -req with -CA and -CAkey pointing to ca.crt and ca.key, and finally I decrypt the key via openssl rsa.

The above procedure is run twice, to generate the server and the client key pair. The server pair goes into the stunnel config, and the client pair into the Python application:

r = redis.Redis(host='localhost', ssl=True, port=636, db=0, ssl_certfile='client.crt', ssl_keyfile='client.key')

While trying to run the Python script I get:

redis.exceptions.ConnectionError: Error 1 connecting to localhost:636. [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590).

In the stunnel logs:

2017.09.16 09:11:00 LOG6[9]: Peer certificate required
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): before/accept initialization
2017.09.16 09:11:00 LOG7[9]: SNI: no virtual services defined
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 read client hello A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write server hello A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write certificate A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write key exchange A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write certificate request A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write server done A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 flush data
2017.09.16 09:11:00 LOG7[9]: Verification started at depth=0: C=US, O="MyO", OU=MyOU, CN=redis
2017.09.16 09:11:00 LOG4[9]: CERT: Pre-verification error: self signed certificate
2017.09.16 09:11:00 LOG4[9]: Rejected by CERT at depth=0: C=US, O="MyO", OU=MyOU, CN=redis
2017.09.16 09:11:00 LOG7[9]: SSL alert (write): fatal: unknown CA
2017.09.16 09:11:00 LOG3[9]: SSL_accept: 140360B2: error:140360B2:SSL routines:ACCEPT_SR_CERT:no certificate returned
2017.09.16 09:11:00 LOG5[9]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket

This behaviour is unclear to me:

  • verify = 2 in the stunnel config should compare the client's CA against the ones it trusts
  • stunnel has CAfile set to the CA that signed both the server key and the client key
  • stunnel says it is a self-signed certificate and the CA is unknown

Also, openssl verify -CAfile=ca.crt <filename> is OK for both server and client.

Rahul
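The CA, server and client procedure described in the question above, as an added example that is not part of the original post: it runs the same openssl steps (self-signed CA, encrypted key, CSR, certificate signed with the CA's key, key decrypted with openssl rsa) for a server pair and a client pair, then checks each leaf against ca.crt the way stunnel's CAfile does, and compares each certificate's issuer name to its subject name, which is the property OpenSSL reports as "self signed certificate" at depth 0. The scratch directory, the CN values and the reuse of the post's passphrase are assumptions of this example, not something the post specifies.

```sh
#!/bin/sh
# Added example, not code from the original post: the CA / server / client
# procedure the question describes, run with the openssl CLI in a scratch
# directory, followed by the checks stunnel's CAfile + verify = 2 relies on.
# Assumptions: files live under $PKI, the passphrase is 123456 as in the
# post, and each certificate gets its own CN.
set -eu

PKI="${PKI:-$(mktemp -d)}"
PASS="pass:123456"

# generate ca: -keyout receives the private key, -out the certificate
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 \
        -keyout "$PKI/ca.key" -out "$PKI/ca.crt" -days 365 \
        -passout "$PASS" -subj "/C=US/O=MyO/OU=MyOU/CN=MyCA" 2>/dev/null
}

# one leaf ($1 = file prefix, $2 = CN): encrypted key, CSR, certificate
# signed by the CA, then the key decrypted for stunnel / redis-py.
# The CN is deliberately different from the CA's: a certificate whose
# issuer name equals its own subject name is what OpenSSL calls self-signed.
make_leaf() {
    name="$1"; cn="$2"
    openssl genrsa -des3 -passout "$PASS" -out "$PKI/$name.key.enc" 2048 2>/dev/null
    openssl req -new -key "$PKI/$name.key.enc" -passin "$PASS" \
        -out "$PKI/$name.csr" -subj "/C=US/O=MyO/OU=MyOU/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$PKI/$name.csr" \
        -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -passin "$PASS" -CAcreateserial \
        -out "$PKI/$name.crt" -days 365 2>/dev/null
    openssl rsa -in "$PKI/$name.key.enc" -passin "$PASS" -out "$PKI/$name.key" 2>/dev/null
}

# The check stunnel performs with CAfile: does the leaf chain to ca.crt?
verify_leaf() {
    openssl verify -CAfile "$PKI/ca.crt" "$PKI/$1.crt" >/dev/null 2>&1
}

# True when issuer name == subject name, i.e. the certificate looks
# self-signed to OpenSSL (expected for ca.crt, never for a CA-issued leaf).
is_self_issued() {
    subj=$(openssl x509 -in "$PKI/$1.crt" -noout -subject)
    iss=$(openssl x509 -in "$PKI/$1.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# CA plus the two leaves the stunnel config and the redis.Redis() call need
build_pki() {
    make_ca
    make_leaf server1 redis
    make_leaf client redis-client
}

# Stand-alone run: build everything and report, per leaf, what stunnel's
# verification would see.
build_pki
for leaf in server1 client; do
    openssl x509 -in "$PKI/$leaf.crt" -noout -subject -issuer
    if verify_leaf "$leaf"; then
        echo "$leaf.crt: chains to ca.crt"
    else
        echo "$leaf.crt: rejected by ca.crt"
    fi
    if is_self_issued "$leaf"; then
        echo "$leaf.crt: issuer == subject, OpenSSL will treat it as self-signed"
    fi
done
echo "files written under $PKI"
```

Run it with sh, then point the stunnel [redis] section at server1.crt / server1.key and the redis.Redis(...) call at client.crt / client.key. Note that in openssl req, -keyout names the private key file and -out the certificate file.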

1 Answer

redis.exceptions.ConnectionError: Error 1 connecting to localhost:636. [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590).

Your client can't validate the CA's certificate. So either store it in the system's certificate store or configure your client to accept it.

Do the same on the server.

sebix
  • No, the problem is server-side, as changing verify to 0 solves the issue, but that is not acceptable, as it turns off security. The Python lib just prints the server's response. – Rahul Sep 17 '17 at 08:20