stunnel unable to get issuer certificate (as a user in a chroot)

sgfault

stunnel unable to get issuer certificate

Post by sgfault »

Here is the icq certificate that s_client returns:

Code:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 93176 (0x16bf8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
        Validity
            Not Before: May 16 11:00:58 2012 GMT
            Not After : Aug 16 22:09:10 2017 GMT
        Subject: serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C=US, ST=Delaware, L=Wilmington, O=ICQ LLC, CN=*.icq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:65:11:7a:fd:6e:d9:87:18:06:00:28:26:e8:
                    a5:23:35:74:f2:70:01:95:79:ba:f6:f1:4b:1f:24:
                    88:0a:6b:23:31:a0:37:f4:5a:64:f1:50:e3:64:4c:
                    6b:2a:43:12:ed:e9:da:30:d4:d9:9b:60:16:44:6e:
                    43:62:c6:f5:9e:c1:1a:27:45:4b:29:98:97:b4:c5:
                    33:a4:b5:0a:42:36:39:0c:84:d5:49:6e:8f:15:5b:
                    37:95:77:21:a2:bf:6f:f9:9b:1c:59:3a:b4:16:4c:
                    9f:56:25:4a:0c:56:4c:4f:1b:db:d3:f1:41:42:39:
                    9b:ae:99:60:36:05:4e:60:b9:b7:d8:f0:1f:3c:6c:
                    61:c8:13:59:93:3e:3c:3a:ea:b2:6d:2b:92:19:06:
                    53:8b:a3:87:e1:54:63:7d:05:d3:6f:cb:09:4c:c9:
                    9f:5c:3e:8d:6f:4b:79:99:cc:9e:7f:9a:02:4c:a6:
                    a3:76:64:7b:e8:99:49:9e:6f:50:b1:6b:d7:54:9c:
                    e3:00:56:99:1b:85:80:72:80:24:dc:0a:30:17:db:
                    a1:9a:d1:95:8e:08:24:8f:b7:d0:11:f5:42:fa:25:
                    3d:7b:57:aa:3b:c4:20:40:bc:bb:1f:33:da:b0:fa:
                    84:31:43:82:c1:cb:49:8a:19:e0:09:c5:6b:03:f8:
                    f2:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:*.icq.com, DNS:icq.com
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl

            X509v3 Subject Key Identifier:
                4E:63:CD:A0:78:E1:CE:BF:7F:1D:44:E8:E8:5B:C0:CE:A3:17:39:36
            X509v3 Basic Constraints: critical
                CA:FALSE
            Authority Information Access:
                CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt

    Signature Algorithm: sha1WithRSAEncryption
         20:35:fa:f2:1d:e1:66:b3:a0:05:18:7b:38:9f:fb:89:84:f5:
         5a:e5:f1:61:c3:0c:11:3a:a4:c8:cb:4a:05:a5:ec:34:81:7a:
         5d:27:3b:a3:23:36:d4:6f:e1:66:54:d1:94:c6:22:dc:d6:f6:
         c8:7b:4c:6f:13:83:6e:71:87:eb:1a:4d:59:c8:32:76:71:c4:
         3f:72:13:4e:03:45:56:fa:8a:66:1f:80:99:5a:7c:6c:a2:4d:
         78:d4:05:60:ef:a4:9c:bd:02:dd:56:0e:34:fa:c7:df:3b:ab:
         0a:fe:e4:ae:28:ed:3f:a4:a1:b4:f9:d9:56:23:ba:54:a0:b1:
         0f:d8:30:52:8a:35:ec:11:d4:ed:4b:a0:21:1b:11:cb:04:60:
         75:5e:b3:06:ef:91:67:f1:26:c6:7c:ba:4c:6b:aa:20:46:d5:
         82:17:62:86:69:df:7d:30:61:3e:2e:1c:67:25:7f:8d:d8:c1:
         bc:a1:08:2b:40:f9:ce:7a:fb:7b:56:ac:85:79:03:78:17:58:
         17:6f:ba:19:97:b4:a5:bb:84:07:00:a2:11:8a:88:1d:8a:99:
         fa:3d:bd:0a:10:50:a2:4b:c3:48:36:95:74:53:36:e5:75:7b:
         6c:12:45:0f:e1:68:8f:fc:7b:18:a0:30:42:1d:06:d6:00:ce:
         41:01:b5:92
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


This certificate is signed by 'GeoTrust SSL CA', and Debian does not ship that one. I added it from here https://knowledge.geotrust.com/support/know...t&id=AR1423:

Code:

$ ls -l /etc/ssl/certs/GeoTrust_SSL_CA.pem
-rw-r--r-- 1 root root 1416 11月 15 20:27 /etc/ssl/certs/GeoTrust_SSL_CA.pem
$ openssl x509 -text -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 145104 (0x236d0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: Feb 19 22:39:26 2010 GMT
            Not After : Feb 18 22:39:26 2020 GMT
        Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:90:b3:80:c1:e4:e5:46:ad:70:60:3d:ba:e5:14:
                    dd:9e:8a:5e:8b:75:5a:e6:ca:6d:41:a5:23:e8:39:
                    85:26:7a:a7:55:77:9a:48:a1:92:7e:3a:1e:1a:f1:
                    27:ab:a3:4c:39:cc:cb:3d:47:af:81:ae:16:6a:5c:
                    37:ef:45:41:fd:fb:9a:97:3c:a0:43:9d:c6:df:17:
                    21:d1:8a:a2:56:c2:03:49:84:12:81:3e:c9:0a:54:
                    60:66:b9:8c:54:e4:f9:e6:f9:94:f1:e0:5f:75:11:
                    f2:29:b9:e4:86:a2:b1:89:ad:a6:1e:83:29:63:b2:
                    f0:54:1c:85:0b:7a:e7:e1:2e:0d:af:a4:bd:cd:e7:
                    b1:5a:d7:8c:05:5a:0e:4b:73:28:8b:75:5d:34:d8:
                    77:0b:e1:74:62:e2:71:30:62:d8:bc:8a:05:e5:31:
                    63:4a:54:89:6a:33:78:a7:4e:55:24:1d:97:ef:1a:
                    e4:12:c6:0f:30:18:b4:34:4d:e1:d8:23:3b:21:5b:
                    2d:30:19:25:0e:74:f7:a4:21:4b:a0:a4:20:c9:6c:
                    cd:98:56:c0:f2:a8:5f:3e:26:75:a0:0d:f8:36:88:
                    8a:2c:5a:7d:67:30:a9:0f:d1:99:70:2e:78:e1:51:
                    26:af:55:7a:24:be:8c:39:0d:77:9d:de:02:c3:0c:
                    bd:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
            X509v3 Authority Key Identifier:
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.geotrust.com/crls/gtglobal.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.geotrust.com

    Signature Algorithm: sha1WithRSAEncryption
         d4:ef:53:84:e8:1a:bd:a1:8b:04:c0:a9:f5:5f:a1:10:78:45:
         5d:b2:57:6a:4e:24:cb:65:4e:31:97:91:9a:d4:24:f8:e2:27:
         66:70:31:9c:c1:62:54:06:e7:97:1d:3a:9a:c0:a4:29:48:0a:
         af:24:c7:a8:c4:9a:54:c1:7c:4c:78:4c:2b:68:2c:5d:17:a6:
         54:78:4c:46:e2:80:c3:1f:38:71:12:d2:d7:53:e3:54:85:50:
         b8:02:cb:ee:63:3a:f8:56:89:4d:55:bb:2e:c0:c8:18:77:86:
         31:0b:0b:70:f0:7e:35:83:a4:2a:13:64:56:67:34:5d:16:5f:
         73:ac:7b:06:24:da:4f:50:6d:2a:ab:d0:4d:53:41:c2:8e:bb:
         71:03:49:29:86:18:cf:21:42:4c:74:62:51:15:c5:6f:a8:ef:
         c4:27:e5:1b:33:dd:5a:88:d7:7f:12:d1:a7:61:25:1f:d5:e0:
         dc:1d:cf:1a:10:d8:a0:cb:5f:8c:fa:0c:e5:bf:71:ff:e5:5d:
         44:1d:a6:3e:87:47:fa:1a:4e:83:83:12:3f:88:66:95:98:79:
         9a:85:eb:02:47:cd:25:e3:f2:06:04:4e:99:ca:5c:a0:6e:7a:
         bb:dd:a3:90:1a:45:33:ef:bf:3e:d2:04:c4:b6:e0:2a:85:65:
         41:3e:10:d4
$ openssl x509 -hash -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem
5e5a5bcb
$ ls -l /etc/ssl/certs/5e5a5bcb.0
lrwxrwxrwx 1 root root 19 11月 15 20:28 /etc/ssl/certs/5e5a5bcb.0 -> GeoTrust_SSL_CA.pem


Now verify works for icq

Code:

$ openssl  verify -x509_strict -issuer_checks -verbose -purpose sslserver icq.pem
icq.pem: serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 29 at 0 depth lookup:subject issuer mismatch
serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 29 at 0 depth lookup:subject issuer mismatch
serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
error 29 at 0 depth lookup:subject issuer mismatch
OK


And stunnel run as root works too

Code:

2012.11.15 23:43:49 LOG7[11261:3073694528]: Clients allowed=500
2012.11.15 23:43:49 LOG5[11261:3073694528]: stunnel 4.53 on i486-pc-linux-gnu platform
2012.11.15 23:43:49 LOG5[11261:3073694528]: Compiled/running with OpenSSL 1.0.1c 10 May 2012
2012.11.15 23:43:49 LOG5[11261:3073694528]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2012.11.15 23:43:49 LOG5[11261:3073694528]: Reading configuration from file /etc/stunnel/oscaricq.conf
2012.11.15 23:43:49 LOG6[11261:3073694528]: Compression enabled: 2 algorithm(s)
2012.11.15 23:43:49 LOG7[11261:3073694528]: Snagged 64 random bytes from /dev/urandom
2012.11.15 23:43:49 LOG7[11261:3073694528]: PRNG seeded successfully
2012.11.15 23:43:50 LOG6[11261:3073694528]: Initializing service section [oscaricq]
2012.11.15 23:43:50 LOG7[11261:3073694528]: Verify directory set to /etc/ssl/certs
2012.11.15 23:43:50 LOG7[11261:3073694528]: Added /etc/ssl/certs revocation lookup directory
2012.11.15 23:43:50 LOG7[11261:3073694528]: Added /etc/ssl/crls revocation lookup directory
2012.11.15 23:43:50 LOG7[11261:3073694528]: SSL options set: 0x01000004
2012.11.15 23:43:50 LOG5[11261:3073694528]: Configuration successful
2012.11.15 23:43:50 LOG7[11261:3073694528]: Service [oscaricq] (FD=14) bound to 127.0.0.1:5190
2012.11.15 23:43:50 LOG7[11267:3073694528]: Created pid file /var/run/stunnel4-oscaricq.pid

2012.11.15 23:44:08 LOG7[11267:3073694528]: Service [oscaricq] accepted (FD=5) from 127.0.0.1:56367
2012.11.15 23:44:08 LOG7[11267:3077802864]: Service [oscaricq] started
2012.11.15 23:44:08 LOG7[11267:3077802864]: Waiting for a libwrap process
2012.11.15 23:44:08 LOG7[11267:3077802864]: Acquired libwrap process #0
2012.11.15 23:44:08 LOG7[11267:3077802864]: Releasing libwrap process #0
2012.11.15 23:44:08 LOG7[11267:3077802864]: Released libwrap process #0
2012.11.15 23:44:08 LOG7[11267:3077802864]: Service [oscaricq] permitted by libwrap from 127.0.0.1:56367
2012.11.15 23:44:08 LOG5[11267:3077802864]: Service [oscaricq] accepted connection from 127.0.0.1:56367
2012.11.15 23:44:10 LOG6[11267:3077802864]: connect_blocking: connecting 205.188.210.214:443
2012.11.15 23:44:10 LOG7[11267:3077802864]: connect_blocking: s_poll_wait 205.188.210.214:443: waiting 10 seconds
2012.11.15 23:44:10 LOG5[11267:3077802864]: connect_blocking: connected 205.188.210.214:443
2012.11.15 23:44:10 LOG5[11267:3077802864]: Service [oscaricq] connected remote server from 192.168.2.13:39692
2012.11.15 23:44:10 LOG7[11267:3077802864]: Remote socket (FD=16) initialized
2012.11.15 23:44:10 LOG7[11267:3077802864]: SNI: host name: slogin.icq.com
2012.11.15 23:44:10 LOG7[11267:3077802864]: Starting certificate verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.15 23:44:10 LOG5[11267:3077802864]: Certificate accepted: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.15 23:44:10 LOG7[11267:3077802864]: Starting certificate verification: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:44:10 LOG5[11267:3077802864]: Certificate accepted: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:44:10 LOG7[11267:3077802864]: Starting certificate verification: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.15 23:44:10 LOG5[11267:3077802864]: Certificate accepted: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.15 23:44:10 LOG6[11267:3077802864]: SSL connected: new session negotiated
2012.11.15 23:44:10 LOG6[11267:3077802864]: Negotiated TLSv1/SSLv3 ciphersuite: RC4-SHA (128-bit encryption)
2012.11.15 23:44:10 LOG6[11267:3077802864]: Compression: null, expansion: null
2012.11.15 23:44:11 LOG7[11267:3077802864]: Socket closed on read
2012.11.15 23:44:11 LOG7[11267:3077802864]: Sending close_notify alert
2012.11.15 23:44:11 LOG6[11267:3077802864]: SSL_shutdown successfully sent close_notify alert
2012.11.15 23:44:11 LOG7[11267:3077802864]: SSL closed on SSL_read
2012.11.15 23:44:11 LOG7[11267:3077802864]: Sent socket write shutdown
2012.11.15 23:44:11 LOG5[11267:3077802864]: Connection closed: 172 byte(s) sent to SSL, 353 byte(s) sent to socket
2012.11.15 23:44:11 LOG7[11267:3077802864]: Remote socket (FD=16) closed
2012.11.15 23:44:11 LOG7[11267:3077802864]: Local socket (FD=5) closed
2012.11.15 23:44:11 LOG7[11267:3077802864]: Service [oscaricq] finished (0 left)

config

Code:

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
;chroot = /var/lib/stunnel4/
;; Chroot jail can be escaped if setuid option is not used
;setuid = stunnel4
;setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4-oscaricq.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; Debugging stuff (may useful for troubleshooting)
debug = 7
output = /var/log/stunnel-oscaricq.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /etc/ssl/certs
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
CRLpath = /etc/ssl/crls

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; SSL client mode services
[oscaricq]
client = yes
accept = 127.0.0.1:5190
connect = slogin.icq.com:443
delay = yes
verify = 2

; vim:ft=dosini


but in the chroot, and hence as the user (stunnel4), it no longer works:

Code:

2012.11.15 23:47:07 LOG7[11346:3074079552]: Clients allowed=500
2012.11.15 23:47:07 LOG5[11346:3074079552]: stunnel 4.53 on i486-pc-linux-gnu platform
2012.11.15 23:47:07 LOG5[11346:3074079552]: Compiled/running with OpenSSL 1.0.1c 10 May 2012
2012.11.15 23:47:07 LOG5[11346:3074079552]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2012.11.15 23:47:07 LOG5[11346:3074079552]: Reading configuration from file /etc/stunnel/oscaricq.conf
2012.11.15 23:47:07 LOG6[11346:3074079552]: Compression enabled: 2 algorithm(s)
2012.11.15 23:47:07 LOG7[11346:3074079552]: Snagged 64 random bytes from /dev/urandom
2012.11.15 23:47:07 LOG7[11346:3074079552]: PRNG seeded successfully
2012.11.15 23:47:08 LOG6[11346:3074079552]: Initializing service section [oscaricq]
2012.11.15 23:47:08 LOG7[11346:3074079552]: Verify directory set to /etc/ssl/certs
2012.11.15 23:47:08 LOG7[11346:3074079552]: Added /etc/ssl/certs revocation lookup directory
2012.11.15 23:47:08 LOG7[11346:3074079552]: Added /etc/ssl/crls revocation lookup directory
2012.11.15 23:47:08 LOG7[11346:3074079552]: SSL options set: 0x01000004
2012.11.15 23:47:08 LOG5[11346:3074079552]: Configuration successful
2012.11.15 23:47:08 LOG7[11346:3074079552]: Service [oscaricq] (FD=14) bound to 127.0.0.1:5190
2012.11.15 23:47:08 LOG7[11352:3074079552]: Created pid file /var/run/stunnel4-oscaricq.pid

2012.11.15 23:47:29 LOG7[11352:3074079552]: Service [oscaricq] accepted (FD=5) from 127.0.0.1:56373
2012.11.15 23:47:29 LOG7[11352:3078187888]: Service [oscaricq] started
2012.11.15 23:47:29 LOG7[11352:3078187888]: Waiting for a libwrap process
2012.11.15 23:47:29 LOG7[11352:3078187888]: Acquired libwrap process #0
2012.11.15 23:47:29 LOG7[11352:3078187888]: Releasing libwrap process #0
2012.11.15 23:47:29 LOG7[11352:3078187888]: Released libwrap process #0
2012.11.15 23:47:29 LOG7[11352:3078187888]: Service [oscaricq] permitted by libwrap from 127.0.0.1:56373
2012.11.15 23:47:29 LOG5[11352:3078187888]: Service [oscaricq] accepted connection from 127.0.0.1:56373
2012.11.15 23:47:30 LOG6[11352:3078187888]: connect_blocking: connecting 205.188.210.214:443
2012.11.15 23:47:30 LOG7[11352:3078187888]: connect_blocking: s_poll_wait 205.188.210.214:443: waiting 10 seconds
2012.11.15 23:47:31 LOG5[11352:3078187888]: connect_blocking: connected 205.188.210.214:443
2012.11.15 23:47:31 LOG5[11352:3078187888]: Service [oscaricq] connected remote server from 192.168.2.13:39698
2012.11.15 23:47:31 LOG7[11352:3078187888]: Remote socket (FD=16) initialized
2012.11.15 23:47:31 LOG7[11352:3078187888]: SNI: host name: slogin.icq.com
2012.11.15 23:47:31 LOG7[11352:3078187888]: Starting certificate verification: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:47:31 LOG4[11352:3078187888]: CERT: Verification error: unable to get issuer certificate
2012.11.15 23:47:31 LOG4[11352:3078187888]: Certificate check failed: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:47:31 LOG3[11352:3078187888]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012.11.15 23:47:31 LOG5[11352:3078187888]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2012.11.15 23:47:31 LOG7[11352:3078187888]: Remote socket (FD=16) closed
2012.11.15 23:47:31 LOG7[11352:3078187888]: Local socket (FD=5) closed
2012.11.15 23:47:31 LOG7[11352:3078187888]: Service [oscaricq] finished (0 left)


Config

Code:

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
chroot = /var/lib/stunnel4/
;; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4-oscaricq.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; Debugging stuff (may useful for troubleshooting)
debug = 7
output = /var/log/stunnel-oscaricq.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /etc/ssl/certs
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
CRLpath = /etc/ssl/crls

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; SSL client mode services
[oscaricq]
client = yes
accept = 127.0.0.1:5190
connect = slogin.icq.com:443
delay = yes
verify = 2

; vim:ft=dosini


And the chroot:

Code:

# find /var/lib/stunnel4/ -name '5e5a5bcb.0'
/var/lib/stunnel4/etc/ssl/certs/5e5a5bcb.0
# find /var/lib/stunnel4/ -lname 'GeoTrust_SSL_CA.pem'
/var/lib/stunnel4/etc/ssl/certs/5e5a5bcb.0


i.e. the certificate is there, but for some reason it does not find it.

Upd1.
Here is the certificate chain:

Code:

$ openssl verify /etc/ssl/certs/GeoTrust_SSL_CA.pem
/etc/ssl/certs/GeoTrust_SSL_CA.pem: OK
$ openssl x509 -issuer -issuer_hash -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2c543cd1
$ ls -l /etc/ssl/certs/2c543cd1.0
lrwxrwxrwx 1 root root 22 11月 15 19:50 /etc/ssl/certs/2c543cd1.0 -> GeoTrust_Global_CA.pem
$ openssl x509 -subject -issuer  -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem
subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA


Upd2.
The chain above has been updated.

Upd3.
Accordingly, these CA certificates are in the chroot as well

Code:

$ ls -l /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0
lrwxrwxrwx 1 root root 22 11月 15 19:50 /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0 -> GeoTrust_Global_CA.pem
$ ls -lL /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0
-rw-r--r-- 1 root root 1216  6月 23 21:40 /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0

sgfault

Re: stunnel unable to get issuer certificate

Post by sgfault »

Hmm.. CAfile instead of CApath in the stunnel config works (the first one is GeoTrust SSL CA, the second is GeoTrust Global CA):

Code:

$ cat /var/lib/stunnel4/etc/ssl/certs/geotrust.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

config

Code:

; **************************************************************************
; * Global options                                                         *
; **************************************************************************

; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
chroot = /var/lib/stunnel4/
;; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4-oscaricq.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

; Debugging stuff (may useful for troubleshooting)
debug = 7
output = /var/log/stunnel-oscaricq.log

; **************************************************************************
; * Service defaults may also be specified in individual service sections  *
; **************************************************************************

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /etc/ssl/certs
CAfile = /etc/ssl/certs/geotrust.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
CRLpath = /etc/ssl/crls

; Disable support for insecure SSLv2 protocol
options = NO_SSLv2

; **************************************************************************
; * Service definitions (remove all services for inetd mode)               *
; **************************************************************************

; SSL client mode services
[oscaricq]
client = yes
accept = 127.0.0.1:5190
connect = slogin.icq.com:443
delay = yes
verify = 2

; vim:ft=dosini

and the log

Code:

2012.11.16 00:33:05 LOG7[12322:3073465152]: Clients allowed=500
2012.11.16 00:33:05 LOG5[12322:3073465152]: stunnel 4.53 on i486-pc-linux-gnu platform
2012.11.16 00:33:05 LOG5[12322:3073465152]: Compiled/running with OpenSSL 1.0.1c 10 May 2012
2012.11.16 00:33:05 LOG5[12322:3073465152]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2012.11.16 00:33:05 LOG5[12322:3073465152]: Reading configuration from file /etc/stunnel/oscaricq.conf
2012.11.16 00:33:05 LOG6[12322:3073465152]: Compression enabled: 2 algorithm(s)
2012.11.16 00:33:05 LOG7[12322:3073465152]: Snagged 64 random bytes from /dev/urandom
2012.11.16 00:33:05 LOG7[12322:3073465152]: PRNG seeded successfully
2012.11.16 00:33:06 LOG6[12322:3073465152]: Initializing service section [oscaricq]
2012.11.16 00:33:06 LOG7[12322:3073465152]: Loaded verify certificates from /etc/ssl/certs/geotrust.pem
2012.11.16 00:33:06 LOG7[12322:3073465152]: Loaded /etc/ssl/certs/geotrust.pem revocation lookup file
2012.11.16 00:33:06 LOG7[12322:3073465152]: Added /etc/ssl/crls revocation lookup directory
2012.11.16 00:33:06 LOG7[12322:3073465152]: SSL options set: 0x01000004
2012.11.16 00:33:06 LOG5[12322:3073465152]: Configuration successful
2012.11.16 00:33:06 LOG7[12322:3073465152]: Service [oscaricq] (FD=14) bound to 127.0.0.1:5190
2012.11.16 00:33:06 LOG7[12328:3073465152]: Created pid file /var/run/stunnel4-oscaricq.pid
2012.11.16 00:33:24 LOG7[12328:3073465152]: Service [oscaricq] accepted (FD=5) from 127.0.0.1:56516
2012.11.16 00:33:24 LOG7[12328:3077573488]: Service [oscaricq] started
2012.11.16 00:33:24 LOG7[12328:3077573488]: Waiting for a libwrap process
2012.11.16 00:33:24 LOG7[12328:3077573488]: Acquired libwrap process #0
2012.11.16 00:33:24 LOG7[12328:3077573488]: Releasing libwrap process #0
2012.11.16 00:33:24 LOG7[12328:3077573488]: Released libwrap process #0
2012.11.16 00:33:24 LOG7[12328:3077573488]: Service [oscaricq] permitted by libwrap from 127.0.0.1:56516
2012.11.16 00:33:24 LOG5[12328:3077573488]: Service [oscaricq] accepted connection from 127.0.0.1:56516
2012.11.16 00:33:26 LOG6[12328:3077573488]: connect_blocking: connecting 205.188.210.214:443
2012.11.16 00:33:26 LOG7[12328:3077573488]: connect_blocking: s_poll_wait 205.188.210.214:443: waiting 10 seconds
2012.11.16 00:33:26 LOG5[12328:3077573488]: connect_blocking: connected 205.188.210.214:443
2012.11.16 00:33:26 LOG5[12328:3077573488]: Service [oscaricq] connected remote server from 192.168.2.13:39841
2012.11.16 00:33:26 LOG7[12328:3077573488]: Remote socket (FD=16) initialized
2012.11.16 00:33:26 LOG7[12328:3077573488]: SNI: host name: slogin.icq.com
2012.11.16 00:33:26 LOG7[12328:3077573488]: Starting certificate verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.16 00:33:26 LOG5[12328:3077573488]: Certificate accepted: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.16 00:33:26 LOG7[12328:3077573488]: Starting certificate verification: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.16 00:33:26 LOG5[12328:3077573488]: Certificate accepted: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.16 00:33:26 LOG7[12328:3077573488]: Starting certificate verification: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.16 00:33:26 LOG5[12328:3077573488]: Certificate accepted: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.16 00:33:27 LOG6[12328:3077573488]: SSL connected: new session negotiated
2012.11.16 00:33:27 LOG6[12328:3077573488]: Negotiated TLSv1/SSLv3 ciphersuite: RC4-SHA (128-bit encryption)
2012.11.16 00:33:27 LOG6[12328:3077573488]: Compression: null, expansion: null
2012.11.16 00:33:27 LOG7[12328:3077573488]: Socket closed on read
2012.11.16 00:33:27 LOG7[12328:3077573488]: Sending close_notify alert
2012.11.16 00:33:27 LOG6[12328:3077573488]: SSL_shutdown successfully sent close_notify alert
2012.11.16 00:33:27 LOG7[12328:3077573488]: SSL closed on SSL_read
2012.11.16 00:33:27 LOG7[12328:3077573488]: Sent socket write shutdown
2012.11.16 00:33:27 LOG5[12328:3077573488]: Connection closed: 172 byte(s) sent to SSL, 353 byte(s) sent to socket
2012.11.16 00:33:27 LOG7[12328:3077573488]: Remote socket (FD=16) closed
2012.11.16 00:33:27 LOG7[12328:3077573488]: Local socket (FD=5) closed
2012.11.16 00:33:27 LOG7[12328:3077573488]: Service [oscaricq] finished (0 left)


But why doesn't CApath work? There must be something very simple here..

sgfault

Re: stunnel unable to get issuer certificate

Post by sgfault »

Yeees, I'm an idiot. I knew it :happy: There had to be something elementary here, and so there was. The answer was right under my nose:

Code:

# ls -l /etc/ssl/certs/GeoTrust_Global_CA.pem
lrwxrwxrwx 1 root root 57 Oct  5 16:56 /etc/ssl/certs/GeoTrust_Global_CA.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt

/usr/share/ca-certificates was not in the chroot (/etc/ssl/certs was bind-mounted into the chroot, so the symlink paths stayed exactly the same).


In any case, there was an ancient thread here, "месяц уже не работают линуксовые icq клиенты" (Linux icq clients haven't worked for a month now), about icq not working. It said that in squeeze SSL in pidgin doesn't work because the server addresses changed, and a solution via stunnel was proposed. So, a year and a half later, I have to add that the solution, although it provides encryption, does not verify certificates (stunnel defaults to verify=0), i.e. it is insecure. I no longer have squeeze, so I can't check these "corrections" on it, but for wheezy it is enough to install the GeoTrust SSL CA certificate as described in the first post (of this thread). After that, if the paths are all right, the 'verify=2' option, which verifies certificates, should work in stunnel. Examples of (working) configs are also above.

Upd.
As usual, the full walkthrough is available here: icq through stunnel: enable certificate verification.
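An added example, not part of the thread or of stunnel: a small POSIX shell audit of a hashed CApath directory as a chrooted process would see it. The first post checked the hash links with `ls` and `openssl verify` on the host, where every symlink is resolved against the real `/`; the last post shows why that was misleading: Debian's `/etc/ssl/certs/*.pem` entries are symlinks to absolute paths under `/usr/share/ca-certificates`, which the jail did not contain. The script below follows each `<hash>.N` link with "/" meaning the jail root and reports the ones that end nowhere. The jail layout, file names and placeholder contents are constructed for the demo; the hash names are the ones from the thread.

```shell
#!/bin/sh
# Audit a hashed CApath directory from inside a chroot's point of view.
# Added example (not from the thread): the jail below is constructed and the
# "certificate" files are placeholders, not real certificates.

# resolve_in_chroot ROOT PATH
#   PATH is absolute as the jailed process sees it (e.g. /etc/ssl/certs/5e5a5bcb.0).
#   Symlinks are followed with "/" meaning ROOT, not the host root.
#   Prints the final jail-relative path; returns 1 if dangling or too deep.
resolve_in_chroot() {
    root=$1
    cur=$2
    hops=0
    while [ -L "$root$cur" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 40 ] || return 1              # guard against symlink loops
        target=$(readlink "$root$cur") || return 1
        case $target in
            /*) cur=$target ;;                       # absolute: rooted at the jail
            *)  cur=$(dirname "$cur")/$target ;;     # relative: next to the link
        esac
    done
    [ -f "$root$cur" ] || return 1
    printf '%s\n' "$cur"
}

# check_capath JAIL CAPATH
#   One report line per hash link: "OK <link> -> <file>" or "DANGLING <link>".
#   Return status is the number of dangling links (0 = every CA is reachable).
check_capath() {
    jail=$1
    capath=$2
    bad=0
    for link in "$jail$capath"/*.[0-9]; do
        [ -e "$link" ] || [ -L "$link" ] || continue # no match: glob stayed literal
        rel=$capath/${link##*/}
        if final=$(resolve_in_chroot "$jail" "$rel"); then
            echo "OK       $rel -> $final"
        else
            echo "DANGLING $rel"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# dangling_count JAIL CAPATH -> prints how many hash links are dangling
dangling_count() {
    check_capath "$1" "$2" | grep -c '^DANGLING' || true
}

# make_demo_jail -> prints the path of a constructed jail mirroring the thread:
#   /etc/ssl/certs bind-mounted from the host, so the Debian chain
#   hash link -> name link -> /usr/share/ca-certificates/... is copied verbatim,
#   while /usr/share/ca-certificates itself is absent from the jail.
make_demo_jail() {
    j=$(mktemp -d)
    certs=$j/etc/ssl/certs
    mkdir -p "$certs"
    # intermediate CA added by hand as a regular file: its hash link is fine
    printf 'placeholder, not a real certificate\n' > "$certs/GeoTrust_SSL_CA.pem"
    ln -s GeoTrust_SSL_CA.pem "$certs/5e5a5bcb.0"
    # root CA as Debian ships it: the name link points at an absolute host path
    ln -s /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt \
          "$certs/GeoTrust_Global_CA.pem"
    ln -s GeoTrust_Global_CA.pem "$certs/2c543cd1.0"
    printf '%s\n' "$j"
}

# fix_demo_jail JAIL -> put the missing link target under the jail root,
#   i.e. make /usr/share/ca-certificates exist inside the chroot.
fix_demo_jail() {
    mkdir -p "$1/usr/share/ca-certificates/mozilla"
    printf 'placeholder, not a real certificate\n' \
        > "$1/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt"
}

# Demo run: one dangling link before the fix, none after.
demo() {
    j=$(make_demo_jail)
    echo "before:"; check_capath "$j" /etc/ssl/certs || true
    fix_demo_jail "$j"
    echo "after:";  check_capath "$j" /etc/ssl/certs || true
    rm -rf "$j"
}
demo
```

Run it against a real jail as `check_capath /var/lib/stunnel4 /etc/ssl/certs` (the CApath argument is the path as stunnel sees it after chroot). The point of doing the resolution by hand is that `openssl verify -CApath` on the host cannot show this problem: the host follows the same symlinks to a `/usr/share/ca-certificates` that exists there, so the chain checks out even though the jailed stunnel finds an empty link.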