Is it possible to verify the client using PSK?
On the stunnel server I specify a PSKsecrets file with two lines in it,
one for client01 and one for client02. The secret is about 36
characters long.
On a client, I have a similar PSKsecrets file, but only containing the
client01 line.
Now, if I try to connect with, say, a client03, i.e., any client that
does not have a matching line in the server's PSKsecrets file, how can I
assure that the client connection will be rejected?
What I'd like to see would be the following: any client that tries to
connect, and does not present a PSK that is present in the server's
PSKsecrets file, then that client's connection request is rejected, with
an appropriate message logged.
Can I do that with the current stunnel?
Hello Mike,
In the log messages on the server you can find some information about
accepted or rejected connections, e.g.:
for connected client:
2017.04.06 05:23:55 LOG5[2841]: Service [PSK server] accepted connection
from 10.10.10.11:48280
2017.04.06 05:23:55 LOG5[2841]: Key configured for PSK identity "test1"
2017.04.06 05:23:55 LOG5[2841]: Connection closed: 57 byte(s) sent to
TLS, 0 byte(s) sent to socket
for rejected client that doesn’t have the correct secret:
2017.04.06 05:24:03 LOG3[2845]: SSL_accept: 1408F119: error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
2017.04.06 05:24:03 LOG5[2845]: Connection reset: 0 byte(s) sent to TLS,
0 byte(s) sent to socket
for rejected client that doesn’t have any secret:
2017.04.06 05:24:24 LOG3[2846]: SSL_accept: 1408A0C1: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher
2017.04.06 05:24:24 LOG5[2846]: Connection reset: 0 byte(s) sent to TLS,
0 byte(s) sent to socket
Regards,
Małgorzata
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
