我有2x stunnels linux based,1 server,1 client。 我想要做的是使用stunnel客户端,并使用验证3,它根据证书对用户进行身份验证。
以下是每个的配置文件:
客户端:
cert = /stunnel/client_Access_stunnel.pem
key = /stunnel/client_Access_stunnel.pem
CAfile = /stunnel/client_Access_stunnel.pem
CApath = /stunnel/cacerts/
flips=no
pid = /var/run/stunnel-tcap.pid
; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
output = /stunnel/stunnel.log
client = yes
;verify = 3
debug = 5
[tcap]
accept = 0.0.0.0:3701
connect = 192.168.1.4:3700
服务器:
pid = /var/run/stunnel/server.pid
cert = /opt/quasar/cert/certs/stunnels/server.pem
key = /opt/quasar/cert/certs/stunnels/server.pem
CApath = /opt/certs/stunnels/cacerts/
; Socket parameters tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
; Security level
verify = 2
; Uncomment for troubleshooting purposes
debug = 7
; Log file path
output = /opt/stunnels/stunnel.log
[stunnel1]
accept = 0.0.0.0:3700
connect = 127.0.0.1:3701
错误是:
客户:
2016.11.16 12:55:10 LOG7[77]: Remote descriptor (FD=11) initialized
2016.11.16 12:55:10 LOG6[77]: SNI: sending servername: 192.168.104.74
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): before/connect initialization
2016.11.16 12:55:10 LOG7[77]: SSL state (connect): SSLv2/v3 write client hello A
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[78]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG6[77]: Certificate verification disabled
2016.11.16 12:55:10 LOG7[77]: SSL alert (read): fatal: unknown CA
2016.11.16 12:55:10 LOG3[77]: SSL_connect: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
2016.11.16 12:55:10 LOG5[77]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.11.16 12:55:10 LOG7[77]: Deallocating application specific data for addr index
服务器:
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): before/accept initialization
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 read client hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write server hello A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 write certificate request A
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL state (accept): SSLv3 flush data
2016.11.16 11:55:17 LOG4[36384:140097622492928]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=UK/ST=London/L=London/O=org/OU=OP/CN=client/emailAddress=operations@n.se
2016.11.16 11:55:17 LOG7[36384:140097622492928]: SSL alert (write): fatal: unknown CA
2016.11.16 11:55:17 LOG3[36384:140097622492928]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2016.11.16 11:55:17 LOG5[36384:140097622492928]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
请忽略时间戳。相同的错误不同的时间。