From: 		Lincoln Yeoh <lylyeoh@mecomb.com>
To:		stunnel-users@mike.daewoo.com.pl
Date: 		2000.02.23 04:33
Subject: 	Stunnel: tips for doing client cert authentication.

Seems like a number of people are having problems doing this. I actually signed on to this list to find out, but I figured it out by the time I got on :).

***Stunnel client certificate authentication.
Covers: Unix server <-> Windows/Unix client. 
Does not cover: Windows server <-> windows/unix client. But do you really want to use windows servers for this..

In this example we will be creating an SSL telnet server on a Linux machine.

First I created a "Not a CA" certificate (it is illegal operate as an unlicensed CA in my country so...) 

openssl req -config ./openssl.cnf -new -days 365 -newkey rsa:1024 -x509 -keyout notacakey.pem -out notacacert.pem

IMPORTANT!!! YOU MUST NOT SKIP THE FOLLOWING STEP. 

copy notacacert to /usr/local/ssl/certs/notacacert.pem 
 and run 
/usr/local/ssl/bin/c_rehash 

(Don't bother with subsequent steps if you can't do the previous mandatory step ;) )
(I believe something is hardwired to /usr/local/ssl/certs/ dunno what is equiv in windows)

Then I created a server request
openssl req -nodes -config ./openssl.cnf -new -days 365 -newkey rsa:1024 -keyout ssltelnetserverkey.pem -out ssltelnetserverreq.pem

Then I signed it
openssl ca -config ./openssl.cnf -policy policy_anything -out ssltelnetservercert.pem -infiles ssltelnetserverreq.pem

Then I stuck the key and the cert together
cat ssltelnetserverkey.pem ssltelnetservercert.pem > stunnelserver.pem

(The following reformatting of the PEM file may no longer be necessary. It seemed to work at the unix server side without the formatting)
**reformat the PEM file
Then I edited stunnelserver.pem and removed the text stuff and formatted it
so that it was as per stunnel docs
e.g.
-----BEGIN RSA PRIVATE KEY-----
gYkCgYEAxg0QMmxmbpQ24S/7mmp01jH53pel0N5hiPujCYs4eI/iszF3yUMMnu4H
..<removed for brevity and privacy ;) >
rmg3HtUk3xr3pvQjLMEOasC6DvOlbIGfy47x38cFI/o=
-----END RSA PRIVATE KEY-----
  <--- blank line here
-----BEGIN CERTIFICATE-----
gYkCgYEAxg0QMmxmbpQ24S/7mmp01jH53pel0N5hiPujCYs4eI/iszF3yUMMnu4H
..<snipped>
gYkCgYEAxg0QMmxmbpQ24S/7mmp01jH53pel0N5hiPujCYs4eI/iszF3yUMMnu4H
-----END CERTIFICATE-----  
  <--- blank line here

I then did a similar thing for the client certificate,
**END reformat the PEM file (no longer necessary???)

Placed the corresponding stunnel.pem  (e.g. clientcert.pem ) in the client
directory.

I ran the server
(no forking debug mode )
stunnel -p stunnelserver.pem -v 2 -l /usr/sbin/in.telnetd -d 2323 -f -D 7
(nondebug mode)
stunnel -p stunnelserver.pem -v 2 -l /usr/sbin/in.telnetd -d 2323

I ran the client end
stunnel.exe -c -p clientcert.pem -d 127.0.0.1:23 -r myserver.mydomain:2323
(Do NOT put a -v 2 !)

Then telnet localhost at client computer to test it.

I'm not sure where to put cacert.pem if server is windows machine, possibly
the stunnel working directory itself. Anyone would like to confirm this?

-v TRUSTED CERTS ONLY CONFIG.
If you want to use the -v 3 option where only certificates in a particular directory are accepted do this:

Put the relevant client certs in a trusted directory 
e.g.
cp stunnelclient.pem /usr/local/stunnel/certs/trusted

IMPORTANT! After you put stunnelclient.pem there you MUST run 
c_rehash /usr/local/stunnel/certs/trusted 
(Believe me, do it!)

stunnel -p stunnelserver.pem -v 3 -a /usr/local/stunnel/certs/trusted -l /usr/sbin/in.telnetd -d 2323 -f -D 7

**What's this c_rehash thingy?
I dunno exactly but c_rehash creates a symbolic (hash of cert I think)
link to the actual cert. And I think stunnel uses that to find the
relevant certificate. Without that it's very unlikely to work (there is a remote chance that you might just name your cert exactly the same name as the hash then it works ;) ). 

It's probably a good way to find a cert without sifting through every one,
however it is unfortunate it wasn't documented in the stunnel docs when I
was reading them. It's probably in the openssl docs, however that's not
really helpful to us using stunnel (I mean how would we know that it uses that
part of openssl? ).

I'm wondering if there is a way to do this with just self-signed certs - No "ca" stuff. Possible if I run c_rehash on the self signed certs and stick em in the trusted directory? Will try that if I have time.

Anyone know what is the c_rehash equivalent on a windows PC?

Cheerio!
Link.