DISCLAIMER. English language used here only for compatibility (ASCII only), so any suggestions about my bad grammar (and not only it) will be greatly appreciated.

пятница, 16 ноября 2012 г.

icq through stunnel: enable certificate verification.

Suggested earlier (see This icq..) config for running icq
(pidgin) through stunnel is insecure! Though it provides encryption, it does
not verify certificates, because stunnel's default is 'verify=0'.

So, here is how to fix it, but for debian wheezy.


First let's obtain icq server certificate:

    $ openssl s_client -CApath /etc/ssl/certs -no_ssl2 -connect slogin.icq.com:443
{{{
    depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
       i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
     1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEajCCA1KgAwIBAgIDAWv4MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT
    MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEYMBYGA1UEAxMPR2VvVHJ1c3QgU1NM
    IENBMB4XDTEyMDUxNjExMDA1OFoXDTE3MDgxNjIyMDkxMFowgYYxKTAnBgNVBAUT
    IGhvMFBqNkpVREpSZ0F0M1QvTnBqOS1kWkxDSkdyaDlvMQswCQYDVQQGEwJVUzER
    MA8GA1UECBMIRGVsYXdhcmUxEzARBgNVBAcTCldpbG1pbmd0b24xEDAOBgNVBAoT
    B0lDUSBMTEMxEjAQBgNVBAMMCSouaWNxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
    ggEPADCCAQoCggEBAL5lEXr9btmHGAYAKCbopSM1dPJwAZV5uvbxSx8kiAprIzGg
    N/RaZPFQ42RMaypDEu3p2jDU2ZtgFkRuQ2LG9Z7BGidFSymYl7TFM6S1CkI2OQyE
    1UlujxVbN5V3IaK/b/mbHFk6tBZMn1YlSgxWTE8b29PxQUI5m66ZYDYFTmC5t9jw
    HzxsYcgTWZM+PDrqsm0rkhkGU4ujh+FUY30F02/LCUzJn1w+jW9LeZnMnn+aAkym
    o3Zke+iZSZ5vULFr11Sc4wBWmRuFgHKAJNwKMBfboZrRlY4IJI+30BH1QvolPXtX
    qjvEIEC8ux8z2rD6hDFDgsHLSYoZ4AnFawP48mUCAwEAAaOCASQwggEgMB8GA1Ud
    IwQYMBaAFEJ5VBthzVUrPmPVPEhX9Z/7Rc5KMA4GA1UdDwEB/wQEAwIEsDAdBgNV
    HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0RBBYwFIIJKi5pY3EuY29t
    ggdpY3EuY29tMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9ndHNzbC1jcmwuZ2Vv
    dHJ1c3QuY29tL2NybHMvZ3Rzc2wuY3JsMB0GA1UdDgQWBBROY82geOHOv38dROjo
    W8DOoxc5NjAMBgNVHRMBAf8EAjAAMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcw
    AoYnaHR0cDovL2d0c3NsLWFpYS5nZW90cnVzdC5jb20vZ3Rzc2wuY3J0MA0GCSqG
    SIb3DQEBBQUAA4IBAQAgNfryHeFms6AFGHs4n/uJhPVa5fFhwwwROqTIy0oFpew0
    gXpdJzujIzbUb+FmVNGUxiLc1vbIe0xvE4NucYfrGk1ZyDJ2ccQ/chNOA0VW+opm
    H4CZWnxsok141AVg76ScvQLdVg40+sffO6sK/uSuKO0/pKG0+dlWI7pUoLEP2DBS
    ijXsEdTtS6AhGxHLBGB1XrMG75Fn8SbGfLpMa6ogRtWCF2KGad99MGE+LhxnJX+N
    2MG8oQgrQPnOevt7VqyFeQN4F1gXb7oZl7Slu4QHAKIRiogdipn6Pb0KEFCiS8NI
    NpV0UzbldXtsEkUP4WiP/HsYoDBCHQbWAM5BAbWS
    -----END CERTIFICATE-----
    subject=/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
    issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2350 bytes and written 646 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
 Protocol  : TLSv1
 Cipher    : AES256-SHA
 Session-ID: 0A46A932CAC9CBE1538DFDBD0468BCEF8477AD38107619B541847345E0C4F9A1
 Session-ID-ctx: 
 Master-Key: A13FB34C8C89F8BE6A71AB43BEDC9C17BCD60D202A4AC0D08D842499D5C6C35A6E5CD153C79708BB5E10E84180B59864
 Key-Arg   : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket:
 0000 - 90 7c 82 27 8a 55 1e c6-e0 e6 f8 02 92 02 87 87   .|.'.U..........
 0010 - 38 99 60 ef 42 6b 61 1f-b9 b3 94 97 ea 70 2f fd   8.`.Bka......p/.
 0020 - 22 70 54 3f 1a 42 78 79-09 2c 01 04 b2 f5 98 17   "pT?.Bxy.,......
 0030 - db 97 de 8b 63 74 e2 60-8e dd 16 ef 43 9e f2 75   ....ct.`....C..u
 0040 - 44 04 51 60 7c 36 ac bb-70 39 d8 58 05 8b 46 dc   D.Q`|6..p9.X..F.
 0050 - 6a 8f d7 15 53 bb 03 be-ad 72 ff 89 8b 85 b4 65   j...S....r.....e
 0060 - e7 2f 43 7e bc 1d d8 6e-1b 3e 24 67 84 49 f9 cb   ./C~...n.>$g.I..
 0070 - c1 41 93 ca 98 e2 3f b9-b5 20 c9 95 d5 40 8b 44   .A....?.. ...@.D
 0080 - b1 92 c0 4c c7 3f 25 bc-f5 60 15 db 74 70 83 94   ...L.?%..`..tp..
 0090 - 4e 5c f2 f5 6d bc 7a aa-26 22 6f 41 12 b6 bf ab   N\..m.z.&"oA....

 Start Time: 1353063260
 Timeout   : 300 (sec)
 Verify return code: 21 (unable to verify the first certificate)
    ---
}}}

here it is in text form:

    $ openssl x509 -text -noout -in icq.pem
{{{
    Certificate:
 Data:
     Version: 3 (0x2)
     Serial Number: 93176 (0x16bf8)
 Signature Algorithm: sha1WithRSAEncryption
     Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
     Validity
  Not Before: May 16 11:00:58 2012 GMT
  Not After : Aug 16 22:09:10 2017 GMT
     Subject: serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C=US, ST=Delaware, L=Wilmington, O=ICQ LLC, CN=*.icq.com
     Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
      Public-Key: (2048 bit)
      Modulus:
   00:be:65:11:7a:fd:6e:d9:87:18:06:00:28:26:e8:
   a5:23:35:74:f2:70:01:95:79:ba:f6:f1:4b:1f:24:
   88:0a:6b:23:31:a0:37:f4:5a:64:f1:50:e3:64:4c:
   6b:2a:43:12:ed:e9:da:30:d4:d9:9b:60:16:44:6e:
   43:62:c6:f5:9e:c1:1a:27:45:4b:29:98:97:b4:c5:
   33:a4:b5:0a:42:36:39:0c:84:d5:49:6e:8f:15:5b:
   37:95:77:21:a2:bf:6f:f9:9b:1c:59:3a:b4:16:4c:
   9f:56:25:4a:0c:56:4c:4f:1b:db:d3:f1:41:42:39:
   9b:ae:99:60:36:05:4e:60:b9:b7:d8:f0:1f:3c:6c:
   61:c8:13:59:93:3e:3c:3a:ea:b2:6d:2b:92:19:06:
   53:8b:a3:87:e1:54:63:7d:05:d3:6f:cb:09:4c:c9:
   9f:5c:3e:8d:6f:4b:79:99:cc:9e:7f:9a:02:4c:a6:
   a3:76:64:7b:e8:99:49:9e:6f:50:b1:6b:d7:54:9c:
   e3:00:56:99:1b:85:80:72:80:24:dc:0a:30:17:db:
   a1:9a:d1:95:8e:08:24:8f:b7:d0:11:f5:42:fa:25:
   3d:7b:57:aa:3b:c4:20:40:bc:bb:1f:33:da:b0:fa:
   84:31:43:82:c1:cb:49:8a:19:e0:09:c5:6b:03:f8:
   f2:65
      Exponent: 65537 (0x10001)
     X509v3 extensions:
  X509v3 Authority Key Identifier: 
      keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A

  X509v3 Key Usage: critical
      Digital Signature, Key Encipherment, Data Encipherment
  X509v3 Extended Key Usage: 
      TLS Web Server Authentication, TLS Web Client Authentication
  X509v3 Subject Alternative Name: 
      DNS:*.icq.com, DNS:icq.com
  X509v3 CRL Distribution Points: 

      Full Name:
        URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl

  X509v3 Subject Key Identifier: 
      4E:63:CD:A0:78:E1:CE:BF:7F:1D:44:E8:E8:5B:C0:CE:A3:17:39:36
  X509v3 Basic Constraints: critical
      CA:FALSE
  Authority Information Access: 
      CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt

 Signature Algorithm: sha1WithRSAEncryption
      20:35:fa:f2:1d:e1:66:b3:a0:05:18:7b:38:9f:fb:89:84:f5:
      5a:e5:f1:61:c3:0c:11:3a:a4:c8:cb:4a:05:a5:ec:34:81:7a:
      5d:27:3b:a3:23:36:d4:6f:e1:66:54:d1:94:c6:22:dc:d6:f6:
      c8:7b:4c:6f:13:83:6e:71:87:eb:1a:4d:59:c8:32:76:71:c4:
      3f:72:13:4e:03:45:56:fa:8a:66:1f:80:99:5a:7c:6c:a2:4d:
      78:d4:05:60:ef:a4:9c:bd:02:dd:56:0e:34:fa:c7:df:3b:ab:
      0a:fe:e4:ae:28:ed:3f:a4:a1:b4:f9:d9:56:23:ba:54:a0:b1:
      0f:d8:30:52:8a:35:ec:11:d4:ed:4b:a0:21:1b:11:cb:04:60:
      75:5e:b3:06:ef:91:67:f1:26:c6:7c:ba:4c:6b:aa:20:46:d5:
      82:17:62:86:69:df:7d:30:61:3e:2e:1c:67:25:7f:8d:d8:c1:
      bc:a1:08:2b:40:f9:ce:7a:fb:7b:56:ac:85:79:03:78:17:58:
      17:6f:ba:19:97:b4:a5:bb:84:07:00:a2:11:8a:88:1d:8a:99:
      fa:3d:bd:0a:10:50:a2:4b:c3:48:36:95:74:53:36:e5:75:7b:
      6c:12:45:0f:e1:68:8f:fc:7b:18:a0:30:42:1d:06:d6:00:ce:
      41:01:b5:92
}}}

and now let's try to verify it:

    $ openssl verify -CApath /etc/ssl/certs icq.pem
    icq.pem: serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
    error 20 at 0 depth lookup:unable to get local issuer certificate

So, something is missing in the certificate chain. Let's try to follow it
step-by-step.

    $ openssl x509 -issuer -issuer_hash -noout -in icq.pem  
    issuer= /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    5e5a5bcb
    $ find /etc/ssl/certs -name 5e5a5bcb.0
    $

Certificate for "GeoTrust SSL CA" is missing. It can be obtained from geotrust
site

    knowledge.geotrust.com/id=SO15169

or  

    knowledge.geotrust.com/id=AR1423

Missing certificate is the one named "GT_SecondaryIntermediate_TrueBusinessID_EnterpriseSSL":

    $ openssl x509 -subject -subject_hash -noout -in GT_SecondaryIntermediate_TrueBusinessID_EnterpriseSSL.pem 
    subject= /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    5e5a5bcb

Now i can install it into /etc/ssl/certs. It should be referenced (either
renamed or by symlink) by subject hash ending with '.0' in order for openssl
to find it (and certificate should be redable by 'other', so user 'stunnel4'
can read it):

    $ ls -l /etc/ssl/certs/5e5a5bcb.0 
    lrwxrwxrwx 1 root root 19 11月 15 20:28 /etc/ssl/certs/5e5a5bcb.0 -> GeoTrust_SSL_CA.pem
    $ ls -l /etc/ssl/certs/GeoTrust_SSL_CA.pem
    -rw-r--r-- 1 root root 1416 11月 15 20:27 /etc/ssl/certs/GeoTrust_SSL_CA.pem

Let's check certificate chain further:

    $ openssl x509 -issuer -issuer_hash -noout -in /etc/ssl/certs/GeoTrust_SSL_CA.pem 
    issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2c543cd1
    $ ls -l /etc/ssl/certs/2c543cd1.0
    lrwxrwxrwx 1 root root 22 11月 15 19:50 /etc/ssl/certs/2c543cd1.0 -> GeoTrust_Global_CA.pem
    $ ls -l /etc/ssl/certs/GeoTrust_Global_CA.pem
    lrwxrwxrwx 1 root root 57 10月  5 16:56 /etc/ssl/certs/GeoTrust_Global_CA.pem -> /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
    $ openssl x509 -subject -issuer -issuer_hash -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem
    subject= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    issuer= /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2c543cd1

So, all other certificates are present. The last certificate
(GeoTrust_Global_CA.pem) is self-signed root CA certificate. I can check this
by looking for CA:TRUE in text dump

    $ openssl x509  -text -noout -in /etc/ssl/certs/GeoTrust_Global_CA.pem
{{{
    Certificate:
 Data:
     Version: 3 (0x2)
     Serial Number: 144470 (0x23456)
 Signature Algorithm: sha1WithRSAEncryption
     Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
     Validity
  Not Before: May 21 04:00:00 2002 GMT
  Not After : May 21 04:00:00 2022 GMT
     Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
     Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
      Public-Key: (2048 bit)
      Modulus:
   00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df:
   3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:
   43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29:
   bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4:
   60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3:
   ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92:
   2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d:
   80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14:
   15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd:
   d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6:
   d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5:
   5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39:
   19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05:
   9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2:
   fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32:
   eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07:
   36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b:
   e4:f9
      Exponent: 65537 (0x10001)
     X509v3 extensions:
  X509v3 Basic Constraints: critical
      CA:TRUE
  X509v3 Subject Key Identifier: 
      C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
  X509v3 Authority Key Identifier: 
      keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

 Signature Algorithm: sha1WithRSAEncryption
      35:e3:29:6a:e5:2f:5d:54:8e:29:50:94:9f:99:1a:14:e4:8f:
      78:2a:62:94:a2:27:67:9e:d0:cf:1a:5e:47:e9:c1:b2:a4:cf:
      dd:41:1a:05:4e:9b:4b:ee:4a:6f:55:52:b3:24:a1:37:0a:eb:
      64:76:2a:2e:2c:f3:fd:3b:75:90:bf:fa:71:d8:c7:3d:37:d2:
      b5:05:95:62:b9:a6:de:89:3d:36:7b:38:77:48:97:ac:a6:20:
      8f:2e:a6:c9:0c:c2:b2:99:45:00:c7:ce:11:51:22:22:e0:a5:
      ea:b6:15:48:09:64:ea:5e:4f:74:f7:05:3e:c7:8a:52:0c:db:
      15:b4:bd:6d:9b:e5:c6:b1:54:68:a9:e3:69:90:b6:9a:a5:0f:
      b8:b9:3f:20:7d:ae:4a:b5:b8:9c:e4:1d:b6:ab:e6:94:a5:c1:
      c7:83:ad:db:f5:27:87:0e:04:6c:d5:ff:dd:a0:5d:ed:87:52:
      b7:2b:15:02:ae:39:a6:6a:74:e9:da:c4:e7:bc:4d:34:1e:a9:
      5c:4d:33:5f:92:09:2f:88:66:5d:77:97:c7:1d:76:13:a9:d5:
      e5:f1:16:09:11:35:d5:ac:db:24:71:70:2c:98:56:0b:d9:17:
      b4:d1:e3:51:2b:5e:75:e8:d5:d0:dc:4f:34:ed:c2:05:66:80:
      a1:cb:e6:33
}}}

So, now i can retry to verify icq.pem:

    $ openssl verify -CApath /etc/ssl/certs icq.pem
    icq.pem: OK

and retry to connect with s_client:

    $ openssl s_client -no_ssl2 -CApath /etc/ssl/certs -connect slogin.icq.com:443
{{{
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
    verify return:1
    depth=0 serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
    verify return:1
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
       i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
     1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEajCCA1KgAwIBAgIDAWv4MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT
    MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEYMBYGA1UEAxMPR2VvVHJ1c3QgU1NM
    IENBMB4XDTEyMDUxNjExMDA1OFoXDTE3MDgxNjIyMDkxMFowgYYxKTAnBgNVBAUT
    IGhvMFBqNkpVREpSZ0F0M1QvTnBqOS1kWkxDSkdyaDlvMQswCQYDVQQGEwJVUzER
    MA8GA1UECBMIRGVsYXdhcmUxEzARBgNVBAcTCldpbG1pbmd0b24xEDAOBgNVBAoT
    B0lDUSBMTEMxEjAQBgNVBAMMCSouaWNxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
    ggEPADCCAQoCggEBAL5lEXr9btmHGAYAKCbopSM1dPJwAZV5uvbxSx8kiAprIzGg
    N/RaZPFQ42RMaypDEu3p2jDU2ZtgFkRuQ2LG9Z7BGidFSymYl7TFM6S1CkI2OQyE
    1UlujxVbN5V3IaK/b/mbHFk6tBZMn1YlSgxWTE8b29PxQUI5m66ZYDYFTmC5t9jw
    HzxsYcgTWZM+PDrqsm0rkhkGU4ujh+FUY30F02/LCUzJn1w+jW9LeZnMnn+aAkym
    o3Zke+iZSZ5vULFr11Sc4wBWmRuFgHKAJNwKMBfboZrRlY4IJI+30BH1QvolPXtX
    qjvEIEC8ux8z2rD6hDFDgsHLSYoZ4AnFawP48mUCAwEAAaOCASQwggEgMB8GA1Ud
    IwQYMBaAFEJ5VBthzVUrPmPVPEhX9Z/7Rc5KMA4GA1UdDwEB/wQEAwIEsDAdBgNV
    HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0RBBYwFIIJKi5pY3EuY29t
    ggdpY3EuY29tMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9ndHNzbC1jcmwuZ2Vv
    dHJ1c3QuY29tL2NybHMvZ3Rzc2wuY3JsMB0GA1UdDgQWBBROY82geOHOv38dROjo
    W8DOoxc5NjAMBgNVHRMBAf8EAjAAMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcw
    AoYnaHR0cDovL2d0c3NsLWFpYS5nZW90cnVzdC5jb20vZ3Rzc2wuY3J0MA0GCSqG
    SIb3DQEBBQUAA4IBAQAgNfryHeFms6AFGHs4n/uJhPVa5fFhwwwROqTIy0oFpew0
    gXpdJzujIzbUb+FmVNGUxiLc1vbIe0xvE4NucYfrGk1ZyDJ2ccQ/chNOA0VW+opm
    H4CZWnxsok141AVg76ScvQLdVg40+sffO6sK/uSuKO0/pKG0+dlWI7pUoLEP2DBS
    ijXsEdTtS6AhGxHLBGB1XrMG75Fn8SbGfLpMa6ogRtWCF2KGad99MGE+LhxnJX+N
    2MG8oQgrQPnOevt7VqyFeQN4F1gXb7oZl7Slu4QHAKIRiogdipn6Pb0KEFCiS8NI
    NpV0UzbldXtsEkUP4WiP/HsYoDBCHQbWAM5BAbWS
    -----END CERTIFICATE-----
    subject=/serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
    issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2350 bytes and written 646 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
 Protocol  : TLSv1
 Cipher    : AES256-SHA
 Session-ID: D83D7835F45FEC6BFFDA7FEA5584BE344771457F27447318AE448FD030D838F4
 Session-ID-ctx: 
 Master-Key: 2AB4312122BB75F8507F060A438546C7679E257472B6CB3C362A9A3D2E113569D0A8D362A1F3797A22104E12B8F1B820
 Key-Arg   : None
 PSK identity: None
 PSK identity hint: None
 SRP username: None
 TLS session ticket:
 0000 - 90 7c 82 27 8a 55 1e c6-e0 e6 f8 02 92 02 87 87   .|.'.U..........
 0010 - ff 94 d2 2f 96 76 05 bf-bf 40 31 27 9a 9e e1 f2   .../.v...@1'....
 0020 - 5f 58 83 c3 e5 f8 20 e5-23 ac 44 fd 6f dd b7 47   _X.... .#.D.o..G
 0030 - 0c b5 24 2e ff 2f 7c 7d-7b d7 fd 96 71 3a 9c b0   ..$../|}{...q:..
 0040 - df da 83 0d 9d f8 57 8b-a1 db 92 79 5a c3 ff ab   ......W....yZ...
 0050 - d8 47 4a 98 25 a7 e6 a8-02 aa fd c5 2f 63 6a 12   .GJ.%......./cj.
 0060 - aa 6e 18 b5 a5 f4 6d 8b-8e 7f ec 05 31 af 1d b4   .n....m.....1...
 0070 - 6e bb 1b 26 12 b1 75 f4-32 3c 8d 58 85 20 74 3e   n..&..u.2<.X. t>
 0080 - ed b0 c4 1d 66 62 5b 78-07 58 e5 f2 20 7d 2c d6   ....fb[x.X.. },.
 0090 - 6c 52 4a f0 f4 8a fb 5e-45 68 76 4a f6 24 ec 50   lRJ....^EhvJ.$.P

 Start Time: 1353064478
 Timeout   : 300 (sec)
 Verify return code: 0 (ok)
    ---
}}}

Since all is ok, now it's time to fix stunnel's config. Actually, i only need
a few things:
    - set CApath correctly.
    - set 'verify=2'.
    - Ensure, that CApath and _all_ pathes referenced by symlinks from it are
      accessible under stunnel's chroot.

Here is config:

    $ cat /etc/stunnel/oscaricq.conf
{{{
    ; **************************************************************************
    ; * Global options                                                         *
    ; **************************************************************************

    ; A copy of some devices and system files is needed within the chroot jail
    ; Chroot conflicts with configuration file reload and many other features
    ; Remember also to update the logrotate configuration.
    chroot = /var/lib/stunnel4/
    ; Chroot jail can be escaped if setuid option is not used
    setuid = stunnel4
    setgid = stunnel4
    ; PID is created inside the chroot jail
    pid = /var/run/stunnel4-oscaricq.pid

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    compression = zlib

    ; Debugging stuff (may useful for troubleshooting)
    debug = 7
    output = /var/log/stunnel-oscaricq.log

    ; **************************************************************************
    ; * Service defaults may also be specified in individual service sections  *
    ; **************************************************************************

    ; Authentication stuff needs to be configured to prevent MITM attacks
    ; It is not enabled by default!
    verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    CApath = /etc/ssl/certs
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    CRLpath = /etc/ssl/crls

    ; Disable support for insecure SSLv2 protocol
    options = NO_SSLv2

    ; **************************************************************************
    ; * Service definitions (remove all services for inetd mode)               *
    ; **************************************************************************

    ; SSL client mode services
    [oscaricq]
    client = yes
    accept = 127.0.0.1:5190
    connect = slogin.icq.com:443
    delay = yes

    ; vim:ft=dosini
}}}

and here is mount binds for stunnel:

    $ grep /etc/fstab -estunnel4
    /etc/ssl/certs                  /var/lib/stunnel4/etc/ssl/certs                 none    bind                    0 0
    /etc/ssl/crls                   /var/lib/stunnel4/etc/ssl/crls                  none    bind                    0 0
    /usr/share/ca-certificates      /var/lib/stunnel4/usr/share/ca-certificates     none    bind                    0 0
    /var/log/stunnel4               /var/lib/stunnel4/var/log                       none    bind                    0 0
    /var/run/stunnel4               /var/lib/stunnel4/var/run                       none    bind                    0 0

Only two of them required: bind of '/etc/ssl/certs' and bind of
'/usr/share/ca-certificates'. Then if all done right, after starting stunnel
and connecting to icq (for pidgin config see This icq.."),
log should have something like:

    # tail -f /var/log/stunnel4/stunnel-oscaricq.log
{{{
    2012.11.16 15:38:00 LOG7[9931:3073583936]: Service [oscaricq] accepted (FD=3) from 127.0.0.1:33082
    2012.11.16 15:38:00 LOG7[9931:3077692272]: Service [oscaricq] started
    2012.11.16 15:38:00 LOG7[9931:3077692272]: Waiting for a libwrap process
    2012.11.16 15:38:00 LOG7[9931:3077692272]: Acquired libwrap process #0
    2012.11.16 15:38:00 LOG7[9931:3077692272]: Releasing libwrap process #0
    2012.11.16 15:38:00 LOG7[9931:3077692272]: Released libwrap process #0
    2012.11.16 15:38:00 LOG7[9931:3077692272]: Service [oscaricq] permitted by libwrap from 127.0.0.1:33082
    2012.11.16 15:38:00 LOG5[9931:3077692272]: Service [oscaricq] accepted connection from 127.0.0.1:33082
    2012.11.16 15:38:01 LOG6[9931:3077692272]: connect_blocking: connecting 64.12.201.159:443
    2012.11.16 15:38:01 LOG7[9931:3077692272]: connect_blocking: s_poll_wait 64.12.201.159:443: waiting 10 seconds
    2012.11.16 15:38:01 LOG5[9931:3077692272]: connect_blocking: connected 64.12.201.159:443
    2012.11.16 15:38:01 LOG5[9931:3077692272]: Service [oscaricq] connected remote server from 192.168.2.13:56501
    2012.11.16 15:38:01 LOG7[9931:3077692272]: Remote socket (FD=14) initialized
    2012.11.16 15:38:01 LOG7[9931:3077692272]: SNI: host name: slogin.icq.com
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Starting certificate verification: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2012.11.16 15:38:02 LOG5[9931:3077692272]: Certificate accepted: depth=2, /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Starting certificate verification: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    2012.11.16 15:38:02 LOG5[9931:3077692272]: Certificate accepted: depth=1, /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Starting certificate verification: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
    2012.11.16 15:38:02 LOG5[9931:3077692272]: Certificate accepted: depth=0, /serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o/C=US/ST=Delaware/L=Wilmington/O=ICQ LLC/CN=*.icq.com
    2012.11.16 15:38:02 LOG6[9931:3077692272]: SSL connected: new session negotiated
    2012.11.16 15:38:02 LOG6[9931:3077692272]: Negotiated TLSv1/SSLv3 ciphersuite: RC4-SHA (128-bit encryption)
    2012.11.16 15:38:02 LOG6[9931:3077692272]: Compression: null, expansion: null
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Socket closed on read
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Sending close_notify alert
    2012.11.16 15:38:02 LOG6[9931:3077692272]: SSL_shutdown successfully sent close_notify alert
    2012.11.16 15:38:02 LOG7[9931:3077692272]: SSL closed on SSL_read
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Sent socket write shutdown
    2012.11.16 15:38:02 LOG5[9931:3077692272]: Connection closed: 172 byte(s) sent to SSL, 353 byte(s) sent to socket
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Remote socket (FD=14) closed
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Local socket (FD=3) closed
    2012.11.16 15:38:02 LOG7[9931:3077692272]: Service [oscaricq] finished (0 left)
}}}

That's all, i think.

Комментариев нет:

Отправить комментарий