I use stunnel to provide SSL for Redis. I have the following configuration:
[redis]
CAfile= /etc/stunnel/ca.crt
accept = 636
cert = /etc/stunnel/server1.crt
connect = localhost:6379
key = /etc/stunnel/server1.key
verify = 2
I generate all of the keys and certificates with openssl:
# generate ca
# -keyout receives the CA private key, -out the CA certificate
openssl req -new -x509 \
-keyout "/etc/stunnel/ca.key" \
-out "/etc/stunnel/ca.crt" \
-days 365 \
-passout "pass:123456" \
-subj "$subj"
Then I generate a key via openssl genrsa -des3, a CSR via openssl req -new -key, and a signed certificate via openssl x509 -req with -CA and -CAkey pointing to ca.crt and ca.key. Finally I decrypt the key via openssl rsa.
The above procedure is run twice, to generate the server and the client keypair. The server pair goes into the stunnel config, and the client pair into the Python application:
import redis
r = redis.Redis(host='localhost', ssl=True, port=636, db=0, ssl_certfile='client.crt', ssl_keyfile='client.key')
When I run the Python script I get:
redis.exceptions.ConnectionError: Error 1 connecting to localhost:636. [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590).
At the stunnel logs:
2017.09.16 09:11:00 LOG6[9]: Peer certificate required
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): before/accept initialization
2017.09.16 09:11:00 LOG7[9]: SNI: no virtual services defined
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 read client hello A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write server hello A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write certificate A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write key exchange A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write certificate request A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 write server done A
2017.09.16 09:11:00 LOG7[9]: SSL state (accept): SSLv3 flush data
2017.09.16 09:11:00 LOG7[9]: Verification started at depth=0: C=US, O="MyO", OU=MyOU, CN=redis
2017.09.16 09:11:00 LOG4[9]: CERT: Pre-verification error: self signed certificate
2017.09.16 09:11:00 LOG4[9]: Rejected by CERT at depth=0: C=US, O="MyO", OU=MyOU, CN=redis
2017.09.16 09:11:00 LOG7[9]: SSL alert (write): fatal: unknown CA
2017.09.16 09:11:00 LOG3[9]: SSL_accept: 140360B2: error:140360B2:SSL routines:ACCEPT_SR_CERT:no certificate returned
2017.09.16 09:11:00 LOG5[9]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
This behaviour is unclear to me:
- verify = 2 in the stunnel config should check the client's CA against the ones it trusts
- stunnel has CAfile set to the CA which signed both the server key and the client key
- stunnel says it is a self-signed certificate and the CA is unknown
Also, openssl verify -CAfile ca.crt <filename> is OK for both server and client.
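A complete version of the certificate procedure described above, added here as an example (this is not the original poster's script): it builds the CA and the two leaf keypairs with distinct subjects, checks each leaf against the CA the same way stunnel's CAfile does, and includes a name check for the issuer == subject pitfall that arises when one $subj string is reused for the CA and the leaves. The output directory, the subject names and the use of unencrypted keys (stunnel needs the decrypted key anyway) are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: openssl is on PATH; files are written under $PKI_DIR
# (default: a fresh temp dir); keys are unencrypted (no -des3 / openssl rsa step).
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CA_SUBJ="/C=US/O=MyO/OU=MyOU/CN=MyO Test CA"

# Create the CA. Note the direction of the two options:
# -keyout writes the PRIVATE KEY, -out writes the CERTIFICATE.
make_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" \
        -subj "$CA_SUBJ" 2>/dev/null
}

# Issue a leaf certificate called $1 with CN $2, signed by the CA above.
issue_leaf() {
    name="$1"; cn="$2"
    openssl genrsa -out "$PKI_DIR/$name.key" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/$name.key" \
        -subj "/C=US/O=MyO/OU=MyOU/CN=$cn" \
        -out "$PKI_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$PKI_DIR/$name.csr" \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -out "$PKI_DIR/$name.crt" 2>/dev/null
}

# Verify leaf $1 against the CA file, as stunnel does with CAfile + verify = 2.
# Exit status 0 means the chain is good.
verify_leaf() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}

# Does certificate $1 carry issuer name == subject name? Prints yes/no.
# OpenSSL classifies such a certificate as self-issued/self-signed from the
# names (and key identifiers), not from who actually signed it, which is the
# condition behind a depth-0 "self signed certificate" verification error.
is_self_issued() {
    subj=$(openssl x509 -in "$PKI_DIR/$1.crt" -noout -subject)
    iss=$(openssl x509 -in "$PKI_DIR/$1.crt" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

build_pki() {
    make_ca
    issue_leaf server redis          # goes into stunnel: cert= / key=
    issue_leaf client redis-client   # goes to redis-py: ssl_certfile / ssl_keyfile
    # Reproduce the pitfall: a leaf whose subject string equals the CA's.
    issue_leaf bad "MyO Test CA"
}

build_pki
echo "PKI written to $PKI_DIR"
for c in ca server client bad; do
    printf '%-7s self-issued: %s\n' "$c" "$(is_self_issued "$c")"
done
```

Point stunnel's cert, key and CAfile at server.crt, server.key and ca.crt, and give redis-py client.crt and client.key via ssl_certfile and ssl_keyfile, plus ca.crt via ssl_ca_certs so the client can in turn validate the stunnel certificate. The bad certificate is only there to show that a leaf issued with the CA's own subject string reports issuer == subject; the server and client leaves do not.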
Best Answer
Your client can't validate the CA's certificate. So either store it in the system's certificate store or configure your client to accept it.
Do the same on the server.