Code:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 93176 (0x16bf8)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Validity
Not Before: May 16 11:00:58 2012 GMT
Not After : Aug 16 22:09:10 2017 GMT
Subject: serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C=US, ST=Delaware, L=Wilmington, O=ICQ LLC, CN=*.icq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:be:65:11:7a:fd:6e:d9:87:18:06:00:28:26:e8:
a5:23:35:74:f2:70:01:95:79:ba:f6:f1:4b:1f:24:
88:0a:6b:23:31:a0:37:f4:5a:64:f1:50:e3:64:4c:
6b:2a:43:12:ed:e9:da:30:d4:d9:9b:60:16:44:6e:
43:62:c6:f5:9e:c1:1a:27:45:4b:29:98:97:b4:c5:
33:a4:b5:0a:42:36:39:0c:84:d5:49:6e:8f:15:5b:
37:95:77:21:a2:bf:6f:f9:9b:1c:59:3a:b4:16:4c:
9f:56:25:4a:0c:56:4c:4f:1b:db:d3:f1:41:42:39:
9b:ae:99:60:36:05:4e:60:b9:b7:d8:f0:1f:3c:6c:
61:c8:13:59:93:3e:3c:3a:ea:b2:6d:2b:92:19:06:
53:8b:a3:87:e1:54:63:7d:05:d3:6f:cb:09:4c:c9:
9f:5c:3e:8d:6f:4b:79:99:cc:9e:7f:9a:02:4c:a6:
a3:76:64:7b:e8:99:49:9e:6f:50:b1:6b:d7:54:9c:
e3:00:56:99:1b:85:80:72:80:24:dc:0a:30:17:db:
a1:9a:d1:95:8e:08:24:8f:b7:d0:11:f5:42:fa:25:
3d:7b:57:aa:3b:c4:20:40:bc:bb:1f:33:da:b0:fa:
84:31:43:82:c1:cb:49:8a:19:e0:09:c5:6b:03:f8:
f2:65
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:*.icq.com, DNS:icq.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
X509v3 Subject Key Identifier:
4E:63:CD:A0:78:E1:CE:BF:7F:1D:44:E8:E8:5B:C0:CE:A3:17:39:36
X509v3 Basic Constraints: critical
CA:FALSE
Authority Information Access:
CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
Signature Algorithm: sha1WithRSAEncryption
20:35:fa:f2:1d:e1:66:b3:a0:05:18:7b:38:9f:fb:89:84:f5:
5a:e5:f1:61:c3:0c:11:3a:a4:c8:cb:4a:05:a5:ec:34:81:7a:
5d:27:3b:a3:23:36:d4:6f:e1:66:54:d1:94:c6:22:dc:d6:f6:
c8:7b:4c:6f:13:83:6e:71:87:eb:1a:4d:59:c8:32:76:71:c4:
3f:72:13:4e:03:45:56:fa:8a:66:1f:80:99:5a:7c:6c:a2:4d:
78:d4:05:60:ef:a4:9c:bd:02:dd:56:0e:34:fa:c7:df:3b:ab:
0a:fe:e4:ae:28:ed:3f:a4:a1:b4:f9:d9:56:23:ba:54:a0:b1:
0f:d8:30:52:8a:35:ec:11:d4:ed:4b:a0:21:1b:11:cb:04:60:
75:5e:b3:06:ef:91:67:f1:26:c6:7c:ba:4c:6b:aa:20:46:d5:
82:17:62:86:69:df:7d:30:61:3e:2e:1c:67:25:7f:8d:d8:c1:
bc:a1:08:2b:40:f9:ce:7a:fb:7b:56:ac:85:79:03:78:17:58:
17:6f:ba:19:97:b4:a5:bb:84:07:00:a2:11:8a:88:1d:8a:99:
fa:3d:bd:0a:10:50:a2:4b:c3:48:36:95:74:53:36:e5:75:7b:
6c:12:45:0f:e1:68:8f:fc:7b:18:a0:30:42:1d:06:d6:00:ce:
41:01:b5:92
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
This certificate is signed by 'GeoTrust SSL CA', and Debian does not ship that certificate. I added it from here https://knowledge.geotrust.com/support/know...t&id=AR1423:
Code:
$ ls -l /etc/ssl/certs/GeoTrust_SSL_CA.pem
-rw-r--r-- 1 root root 1416 11月 15 20:27 /etc/ssl/certs/GeoTrust_SSL_CA.pem
$ openssl x509 -text -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 145104 (0x236d0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Validity
Not Before: Feb 19 22:39:26 2010 GMT
Not After : Feb 18 22:39:26 2020 GMT
Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:90:b3:80:c1:e4:e5:46:ad:70:60:3d:ba:e5:14:
dd:9e:8a:5e:8b:75:5a:e6:ca:6d:41:a5:23:e8:39:
85:26:7a:a7:55:77:9a:48:a1:92:7e:3a:1e:1a:f1:
27:ab:a3:4c:39:cc:cb:3d:47:af:81:ae:16:6a:5c:
37:ef:45:41:fd:fb:9a:97:3c:a0:43:9d:c6:df:17:
21:d1:8a:a2:56:c2:03:49:84:12:81:3e:c9:0a:54:
60:66:b9:8c:54:e4:f9:e6:f9:94:f1:e0:5f:75:11:
f2:29:b9:e4:86:a2:b1:89:ad:a6:1e:83:29:63:b2:
f0:54:1c:85:0b:7a:e7:e1:2e:0d:af:a4:bd:cd:e7:
b1:5a:d7:8c:05:5a:0e:4b:73:28:8b:75:5d:34:d8:
77:0b:e1:74:62:e2:71:30:62:d8:bc:8a:05:e5:31:
63:4a:54:89:6a:33:78:a7:4e:55:24:1d:97:ef:1a:
e4:12:c6:0f:30:18:b4:34:4d:e1:d8:23:3b:21:5b:
2d:30:19:25:0e:74:f7:a4:21:4b:a0:a4:20:c9:6c:
cd:98:56:c0:f2:a8:5f:3e:26:75:a0:0d:f8:36:88:
8a:2c:5a:7d:67:30:a9:0f:d1:99:70:2e:78:e1:51:
26:af:55:7a:24:be:8c:39:0d:77:9d:de:02:c3:0c:
bd:1f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
X509v3 Authority Key Identifier:
keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.geotrust.com/crls/gtglobal.crl
Authority Information Access:
OCSP - URI:http://ocsp.geotrust.com
Signature Algorithm: sha1WithRSAEncryption
d4:ef:53:84:e8:1a:bd:a1:8b:04:c0:a9:f5:5f:a1:10:78:45:
5d:b2:57:6a:4e:24:cb:65:4e:31:97:91:9a:d4:24:f8:e2:27:
66:70:31:9c:c1:62:54:06:e7:97:1d:3a:9a:c0:a4:29:48:0a:
af:24:c7:a8:c4:9a:54:c1:7c:4c:78:4c:2b:68:2c:5d:17:a6:
54:78:4c:46:e2:80:c3:1f:38:71:12:d2:d7:53:e3:54:85:50:
b8:02:cb:ee:63:3a:f8:56:89:4d:55:bb:2e:c0:c8:18:77:86:
31:0b:0b:70:f0:7e:35:83:a4:2a:13:64:56:67:34:5d:16:5f:
73:ac:7b:06:24:da:4f:50:6d:2a:ab:d0:4d:53:41:c2:8e:bb:
71:03:49:29:86:18:cf:21:42:4c:74:62:51:15:c5:6f:a8:ef:
c4:27:e5:1b:33:dd:5a:88:d7:7f:12:d1:a7:61:25:1f:d5:e0:
dc:1d:cf:1a:10:d8:a0:cb:5f:8c:fa:0c:e5:bf:71:ff:e5:5d:
44:1d:a6:3e:87:47:fa:1a:4e:83:83:12:3f:88:66:95:98:79:
9a:85:eb:02:47:cd:25:e3:f2:06:04:4e:99:ca:5c:a0:6e:7a:
bb:dd:a3:90:1a:45:33:ef:bf:3e:d2:04:c4:b6:e0:2a:85:65:
41:3e:10:d4
$ openssl x509 -hash -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem
5e5a5bcb
$ ls -l /etc/ssl/certs/5e5a5bcb.0
lrwxrwxrwx 1 root root 19 11月 15 20:28 /etc/ssl/certs/5e5a5bcb.0 -> GeoTrust_SSL_CA.pem
Now verify works for icq
Code:
$ openssl verify -x509_strict -issuer_checks -verbose -purpose sslserver icq.pem
icq.pem: serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 29 at 0 depth lookup:subject issuer mismatch
serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 29 at 0 depth lookup:subject issuer mismatch
serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 29 at 0 depth lookup:subject issuer mismatch
C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
error 29 at 0 depth lookup:subject issuer mismatch
OK
And stunnel run as root works too
Code:
2012.11.15 23:43:49 LOG7[11261:3073694528]: Clients allowed=500
2012.11.15 23:43:49 LOG5[11261:3073694528]: stunnel 4.53 on i486-pc-linux-gnu platform
2012.11.15 23:43:49 LOG5[11261:3073694528]: Compiled/running with OpenSSL 1.0.1c 10 May 2012
2012.11.15 23:43:49 LOG5[11261:3073694528]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2012.11.15 23:43:49 LOG5[11261:3073694528]: Reading configuration from file /etc/stunnel/oscaricq.conf
2012.11.15 23:43:49 LOG6[11261:3073694528]: Compression enabled: 2 algorithm(s)
2012.11.15 23:43:49 LOG7[11261:3073694528]: Snagged 64 random bytes from /dev/urandom
2012.11.15 23:43:49 LOG7[11261:3073694528]: PRNG seeded successfully
2012.11.15 23:43:50 LOG6[11261:3073694528]: Initializing service section [oscaricq]
2012.11.15 23:43:50 LOG7[11261:3073694528]: Verify directory set to /etc/ssl/certs
2012.11.15 23:43:50 LOG7[11261:3073694528]: Added /etc/ssl/certs revocation lookup directory
2012.11.15 23:43:50 LOG7[11261:3073694528]: Added /etc/ssl/crls revocation lookup directory
2012.11.15 23:43:50 LOG7[11261:3073694528]: SSL options set: 0x01000004
2012.11.15 23:43:50 LOG5[11261:3073694528]: Configuration successful
2012.11.15 23:43:50 LOG7[11261:3073694528]: Service [oscaricq] (FD=14) bound to 127.0.0.1:5190
2012.11.15 23:43:50 LOG7[11267:3073694528]: Created pid file /var/run/stunnel4-oscaricq.pid
2012.11.15 23:44:08 LOG7[11267:3073694528]: Service [oscaricq] accepted (FD=5) from 127.0.0.1:56367
2012.11.15 23:44:08 LOG7[11267:3077802864]: Service [oscaricq] started
2012.11.15 23:44:08 LOG7[11267:3077802864]: Waiting for a libwrap process
2012.11.15 23:44:08 LOG7[11267:3077802864]: Acquired libwrap process #0
2012.11.15 23:44:08 LOG7[11267:3077802864]: Releasing libwrap process #0
2012.11.15 23:44:08 LOG7[11267:3077802864]: Released libwrap process #0
2012.11.15 23:44:08 LOG7[11267:3077802864]: Service [oscaricq] permitted by libwrap from 127.0.0.1:56367
2012.11.15 23:44:08 LOG5[11267:3077802864]: Service [oscaricq] accepted connection from 127.0.0.1:56367
2012.11.15 23:44:10 LOG6[11267:3077802864]: connect_blocking: connecting 205.188.210.214:443
2012.11.15 23:44:10 LOG7[11267:3077802864]: connect_blocking: s_poll_wait 205.188.210.214:443: waiting 10 seconds
2012.11.15 23:44:10 LOG5[11267:3077802864]: connect_blocking: connected 205.188.210.214:443
2012.11.15 23:44:10 LOG5[11267:3077802864]: Service [oscaricq] connected remote server from 192.168.2.13:39692
2012.11.15 23:44:10 LOG7[11267:3077802864]: Remote socket (FD=16) initialized
2012.11.15 23:44:10 LOG7[11267:3077802864]: SNI: host name: slogin.icq.com
2012.11.15 23:44:10 LOG7[11267:3077802864]: Starting certificate verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.15 23:44:10 LOG5[11267:3077802864]: Certificate accepted: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2012.11.15 23:44:10 LOG7[11267:3077802864]: Starting certificate verification: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:44:10 LOG5[11267:3077802864]: Certificate accepted: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:44:10 LOG7[11267:3077802864]: Starting certificate verification: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.15 23:44:10 LOG5[11267:3077802864]: Certificate accepted: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
2012.11.15 23:44:10 LOG6[11267:3077802864]: SSL connected: new session negotiated
2012.11.15 23:44:10 LOG6[11267:3077802864]: Negotiated TLSv1/SSLv3 ciphersuite: RC4-SHA (128-bit encryption)
2012.11.15 23:44:10 LOG6[11267:3077802864]: Compression: null, expansion: null
2012.11.15 23:44:11 LOG7[11267:3077802864]: Socket closed on read
2012.11.15 23:44:11 LOG7[11267:3077802864]: Sending close_notify alert
2012.11.15 23:44:11 LOG6[11267:3077802864]: SSL_shutdown successfully sent close_notify alert
2012.11.15 23:44:11 LOG7[11267:3077802864]: SSL closed on SSL_read
2012.11.15 23:44:11 LOG7[11267:3077802864]: Sent socket write shutdown
2012.11.15 23:44:11 LOG5[11267:3077802864]: Connection closed: 172 byte(s) sent to SSL, 353 byte(s) sent to socket
2012.11.15 23:44:11 LOG7[11267:3077802864]: Remote socket (FD=16) closed
2012.11.15 23:44:11 LOG7[11267:3077802864]: Local socket (FD=5) closed
2012.11.15 23:44:11 LOG7[11267:3077802864]: Service [oscaricq] finished (0 left)
config
Code:
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
;chroot = /var/lib/stunnel4/
;; Chroot jail can be escaped if setuid option is not used
;setuid = stunnel4
;setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4-oscaricq.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
; Debugging stuff (may useful for troubleshooting)
debug = 7
output = /var/log/stunnel-oscaricq.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /etc/ssl/certs
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
CRLpath = /etc/ssl/crls
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; SSL client mode services
[oscaricq]
client = yes
accept = 127.0.0.1:5190
connect = slogin.icq.com:443
delay = yes
verify = 2
; vim:ft=dosini
but in the chroot and, accordingly, as the user (stunnel4), it no longer works:
Code:
2012.11.15 23:47:07 LOG7[11346:3074079552]: Clients allowed=500
2012.11.15 23:47:07 LOG5[11346:3074079552]: stunnel 4.53 on i486-pc-linux-gnu platform
2012.11.15 23:47:07 LOG5[11346:3074079552]: Compiled/running with OpenSSL 1.0.1c 10 May 2012
2012.11.15 23:47:07 LOG5[11346:3074079552]: Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
2012.11.15 23:47:07 LOG5[11346:3074079552]: Reading configuration from file /etc/stunnel/oscaricq.conf
2012.11.15 23:47:07 LOG6[11346:3074079552]: Compression enabled: 2 algorithm(s)
2012.11.15 23:47:07 LOG7[11346:3074079552]: Snagged 64 random bytes from /dev/urandom
2012.11.15 23:47:07 LOG7[11346:3074079552]: PRNG seeded successfully
2012.11.15 23:47:08 LOG6[11346:3074079552]: Initializing service section [oscaricq]
2012.11.15 23:47:08 LOG7[11346:3074079552]: Verify directory set to /etc/ssl/certs
2012.11.15 23:47:08 LOG7[11346:3074079552]: Added /etc/ssl/certs revocation lookup directory
2012.11.15 23:47:08 LOG7[11346:3074079552]: Added /etc/ssl/crls revocation lookup directory
2012.11.15 23:47:08 LOG7[11346:3074079552]: SSL options set: 0x01000004
2012.11.15 23:47:08 LOG5[11346:3074079552]: Configuration successful
2012.11.15 23:47:08 LOG7[11346:3074079552]: Service [oscaricq] (FD=14) bound to 127.0.0.1:5190
2012.11.15 23:47:08 LOG7[11352:3074079552]: Created pid file /var/run/stunnel4-oscaricq.pid
2012.11.15 23:47:29 LOG7[11352:3074079552]: Service [oscaricq] accepted (FD=5) from 127.0.0.1:56373
2012.11.15 23:47:29 LOG7[11352:3078187888]: Service [oscaricq] started
2012.11.15 23:47:29 LOG7[11352:3078187888]: Waiting for a libwrap process
2012.11.15 23:47:29 LOG7[11352:3078187888]: Acquired libwrap process #0
2012.11.15 23:47:29 LOG7[11352:3078187888]: Releasing libwrap process #0
2012.11.15 23:47:29 LOG7[11352:3078187888]: Released libwrap process #0
2012.11.15 23:47:29 LOG7[11352:3078187888]: Service [oscaricq] permitted by libwrap from 127.0.0.1:56373
2012.11.15 23:47:29 LOG5[11352:3078187888]: Service [oscaricq] accepted connection from 127.0.0.1:56373
2012.11.15 23:47:30 LOG6[11352:3078187888]: connect_blocking: connecting 205.188.210.214:443
2012.11.15 23:47:30 LOG7[11352:3078187888]: connect_blocking: s_poll_wait 205.188.210.214:443: waiting 10 seconds
2012.11.15 23:47:31 LOG5[11352:3078187888]: connect_blocking: connected 205.188.210.214:443
2012.11.15 23:47:31 LOG5[11352:3078187888]: Service [oscaricq] connected remote server from 192.168.2.13:39698
2012.11.15 23:47:31 LOG7[11352:3078187888]: Remote socket (FD=16) initialized
2012.11.15 23:47:31 LOG7[11352:3078187888]: SNI: host name: slogin.icq.com
2012.11.15 23:47:31 LOG7[11352:3078187888]: Starting certificate verification: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:47:31 LOG4[11352:3078187888]: CERT: Verification error: unable to get issuer certificate
2012.11.15 23:47:31 LOG4[11352:3078187888]: Certificate check failed: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
2012.11.15 23:47:31 LOG3[11352:3078187888]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2012.11.15 23:47:31 LOG5[11352:3078187888]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2012.11.15 23:47:31 LOG7[11352:3078187888]: Remote socket (FD=16) closed
2012.11.15 23:47:31 LOG7[11352:3078187888]: Local socket (FD=5) closed
2012.11.15 23:47:31 LOG7[11352:3078187888]: Service [oscaricq] finished (0 left)
Config
Code:
; **************************************************************************
; * Global options *
; **************************************************************************
; A copy of some devices and system files is needed within the chroot jail
; Chroot conflicts with configuration file reload and many other features
; Remember also to update the logrotate configuration.
chroot = /var/lib/stunnel4/
;; Chroot jail can be escaped if setuid option is not used
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /var/run/stunnel4-oscaricq.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
; Debugging stuff (may useful for troubleshooting)
debug = 7
output = /var/log/stunnel-oscaricq.log
; **************************************************************************
; * Service defaults may also be specified in individual service sections *
; **************************************************************************
; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
CApath = /etc/ssl/certs
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
CRLpath = /etc/ssl/crls
; Disable support for insecure SSLv2 protocol
options = NO_SSLv2
; **************************************************************************
; * Service definitions (remove all services for inetd mode) *
; **************************************************************************
; SSL client mode services
[oscaricq]
client = yes
accept = 127.0.0.1:5190
connect = slogin.icq.com:443
delay = yes
verify = 2
; vim:ft=dosini
And the chroot:
Code:
# find /var/lib/stunnel4/ -name '5e5a5bcb.0'
/var/lib/stunnel4/etc/ssl/certs/5e5a5bcb.0
# find /var/lib/stunnel4/ -lname 'GeoTrust_SSL_CA.pem'
/var/lib/stunnel4/etc/ssl/certs/5e5a5bcb.0
i.e. the certificate is there, but for some reason it does not find it.
Upd1.
Here is the certificate chain:
Code:
$ openssl verify /etc/ssl/certs/GeoTrust_SSL_CA.pem
/etc/ssl/certs/GeoTrust_SSL_CA.pem: OK
$ openssl x509 -issuer -issuer_hash -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2c543cd1
$ ls -l /etc/ssl/certs/2c543cd1.0
lrwxrwxrwx 1 root root 22 11月 15 19:50 /etc/ssl/certs/2c543cd1.0 -> GeoTrust_Global_CA.pem
$ openssl x509 -subject -issuer -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem
subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Upd2.
The chain above has been updated.
Upd3.
Accordingly, these CA certificates are also present in the chroot
Code:
$ ls -l /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0
lrwxrwxrwx 1 root root 22 11月 15 19:50 /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0 -> GeoTrust_Global_CA.pem
$ ls -lL /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0
-rw-r--r-- 1 root root 1216 6月 23 21:40 /var/lib/stunnel4/etc/ssl/certs/2c543cd1.0
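A chroot-aware check of the hash directory, added here as an example; it is not part of the original post and not stunnel's or OpenSSL's own code. OpenSSL's CApath lookup opens the `<hash>.<n>` files lazily, at verification time, which for stunnel is after chroot(), so every hash link has to resolve from inside the jail. `find -lname` and `ls -lL` run on the host and follow absolute symlink targets on the host filesystem, so they cannot show the difference. On Debian the `/etc/ssl/certs/*.pem` entries installed by ca-certificates are absolute symlinks into `/usr/share/ca-certificates/`, which a `cp -a` of the directory preserves, whereas a hand-added regular file such as GeoTrust_SSL_CA.pem is unaffected. The script resolves each hash entry the way a chrooted process would and classifies it. The jail it builds is constructed in a temporary directory with placeholder files; the names 5e5a5bcb.0, 2c543cd1.0 and deadbeef.0 are reused only as labels, and whether this is the cause on the poster's system is not something the post shows.

```python
"""Chroot-aware check of an OpenSSL hash directory (CApath).

OpenSSL's by_dir lookup opens CApath/<subject_hash>.<n> at verification
time, i.e. after stunnel has already called chroot(), so every hash link
must resolve from *inside* the jail. `ls -lL` and `find` on the host follow
absolute symlink targets on the host filesystem and cannot show that.
"""
import os
import re
import tempfile

# OpenSSL hash-dir entries: <8 hex>.<n> for certificates, <8 hex>.r<n> for CRLs
HASH_ENTRY = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def resolve_in_chroot(root, path, max_links=40):
    """Resolve `path` as a process chrooted into `root` would see it.

    Absolute symlink targets are rebased onto `root` (the kernel does the
    same for a chrooted process); relative targets are joined to the link's
    directory. Returns the host-side path of the final target, or None if
    any component is missing inside the jail or too many links are chased.
    """
    root = os.path.realpath(root)
    todo = [c for c in path.split("/") if c and c != "."]
    cur = root          # host path of the directory we are currently in
    hops = 0
    while todo:
        comp = todo.pop(0)
        if comp == "..":
            cur = root if cur == root else os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, comp)
        if os.path.islink(nxt):
            hops += 1
            if hops > max_links:
                return None
            target = os.readlink(nxt)
            if target.startswith("/"):
                cur = root  # absolute target: start over at the jail root
            todo = [c for c in target.split("/") if c and c != "."] + todo
            continue
        if not os.path.lexists(nxt):
            return None
        cur = nxt
    return cur


def check_capath(root, capath="/etc/ssl/certs"):
    """Classify every hash entry of `capath` as seen from inside `root`.

    "ok"                 resolves to a regular file inside the jail
    "dangling-in-chroot" resolves on the host but not inside the jail
    "missing"            resolves nowhere
    """
    host_dir = os.path.join(os.path.realpath(root), capath.lstrip("/"))
    report = {}
    for name in sorted(os.listdir(host_dir)):
        if not HASH_ENTRY.match(name):
            continue
        inside = resolve_in_chroot(root, os.path.join(capath, name))
        if inside is not None and os.path.isfile(inside):
            report[name] = "ok"
        elif os.path.isfile(os.path.realpath(os.path.join(host_dir, name))):
            report[name] = "dangling-in-chroot"
        else:
            report[name] = "missing"
    return report


def build_demo_jail():
    """Build a throwaway jail with constructed, placeholder certificate files.

    The hash names mirror the ones in the post but the files are not real
    certificates; only the link structure matters for this demonstration.
    """
    base = tempfile.mkdtemp(prefix="capath-demo-")
    host_store = os.path.join(base, "host", "usr", "share", "ca-certificates", "mozilla")
    jail = os.path.join(base, "jail")
    certs = os.path.join(jail, "etc", "ssl", "certs")
    os.makedirs(host_store)
    os.makedirs(certs)
    pem = "-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
    # 1) a CA dropped into the jail by hand as a regular file, linked relatively
    with open(os.path.join(certs, "Manual_CA.pem"), "w") as f:
        f.write(pem)
    os.symlink("Manual_CA.pem", os.path.join(certs, "5e5a5bcb.0"))
    # 2) a distro CA copied with `cp -a`: the .pem is an ABSOLUTE symlink into
    #    the host's ca-certificates store, which does not exist inside the jail
    host_crt = os.path.join(host_store, "Distro_CA.crt")
    with open(host_crt, "w") as f:
        f.write(pem)
    os.symlink(host_crt, os.path.join(certs, "Distro_CA.pem"))
    os.symlink("Distro_CA.pem", os.path.join(certs, "2c543cd1.0"))
    # 3) a stale hash link whose target was never copied at all
    os.symlink("Removed_CA.pem", os.path.join(certs, "deadbeef.0"))
    return jail


if __name__ == "__main__":
    jail = build_demo_jail()
    for entry, status in check_capath(jail).items():
        print(f"{entry}\t{status}")
```

Run as `python3 capath_check.py` it prints one line per hash entry of the demo jail; against a real jail, `check_capath("/var/lib/stunnel4")` gives the same report for the directory stunnel actually reads after chroot, so an entry marked "dangling-in-chroot" is one the host-side `ls -lL` would have shown as a perfectly good file.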