On 4/6/2017 6:21 AM, Małgorzata Olszówka wrote:
>> Is it possible to verify the client using PSK?
>>
>> On the stunnel server I specify a PSKsecrets file with two lines in it,
>> one for client01 and one for client02. The secret is about 36
>> characters long.
>>
>> On a client, I have a similar PSKsecrets file, but only containing the
>> client01 line.
>>
>> Now, if I try to connect with, say, a client03, i.e., any client that
>> does not have a matching line in the server's PSKsecrets file, how can I
>> assure that the client connection will be rejected?
>>
>> What I'd like to see would be the following: any client that tries to
>> connect, and does not present a PSK that is present in the server's
>> PSKsecrets file, then that client's connection request is rejected, with
>> an appropriate message logged.
>>
>> Can I do that with the current stunnel?
>>
>
> Hello Mike,
> In the log messages on the server you can find some information about
> accepted or rejected connections, e.g.:
>
> for connected client:
> 2017.04.06 05:23:55 LOG5[2841]: Service [PSK server] accepted connection
> from 10.10.10.11:48280
> 2017.04.06 05:23:55 LOG5[2841]: Key configured for PSK identity "test1"
> 2017.04.06 05:23:55 LOG5[2841]: Connection closed: 57 byte(s) sent to
> TLS, 0 byte(s) sent to socket
>
> for rejected client that doesn’t have the correct secret:
> 2017.04.06 05:24:03 LOG3[2845]: SSL_accept: 1408F119: error:1408F119:SSL
> routines:SSL3_GET_RECORD:decryption failed or bad record mac
> 2017.04.06 05:24:03 LOG5[2845]: Connection reset: 0 byte(s) sent to TLS,
> 0 byte(s) sent to socket
>
> for rejected client that doesn’t have any secret:
> 2017.04.06 05:24:24 LOG3[2846]: SSL_accept: 1408A0C1: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher
> 2017.04.06 05:24:24 LOG5[2846]: Connection reset: 0 byte(s) sent to TLS,
> 0 byte(s) sent to socket
>
Thanks for the quick reply. OK, I'm not seeing the log messages for the rejection. So it looks like I have some investigating to do.

One more question - what log level do you use to see those messages? info, warning, or debug?

thx.

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
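The server log lines quoted in the thread are the only signal stunnel gives about whether a PSK client got in, so a monitoring job has to reconstruct the per-connection outcome from them. The following classifier is an added example written for this page (not code from stunnel or from anyone in the thread): it groups the lines by the bracketed connection id, labels each connection as accepted, rejected with a wrong secret, or rejected with no PSK offered, and reports the LOG<n> severity of the line that carried the evidence. The sample input is the set of lines copied from the thread; the assumptions are that LOG<n> is the syslog severity stunnel assigns (3 = err, 5 = notice, the same scale its `debug` option uses) and that the bracketed number identifies one connection handler.

```python
import re
from collections import OrderedDict

# Server-side log lines copied from the thread above. Assumption: LOG<n> is the
# syslog severity stunnel assigned to the line (3 = err, 5 = notice) and the
# bracketed number is the connection handler id, which lets us group the lines.
SAMPLE_LOG = """\
2017.04.06 05:23:55 LOG5[2841]: Service [PSK server] accepted connection from 10.10.10.11:48280
2017.04.06 05:23:55 LOG5[2841]: Key configured for PSK identity "test1"
2017.04.06 05:23:55 LOG5[2841]: Connection closed: 57 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.04.06 05:24:03 LOG3[2845]: SSL_accept: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2017.04.06 05:24:03 LOG5[2845]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2017.04.06 05:24:24 LOG3[2846]: SSL_accept: 1408A0C1: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2017.04.06 05:24:24 LOG5[2846]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) LOG(?P<level>\d)\[(?P<conn>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"accepted connection from (?P<peer>\S+)")
IDENTITY_RE = re.compile(r'Key configured for PSK identity "(?P<identity>[^"]*)"')

# Substrings of the two OpenSSL handshake errors shown in the thread and what each
# means for a PSK-only service: a client holding the wrong secret fails the record
# MAC check, a client offering no PSK leaves the server with no usable cipher suite.
REJECTION_REASONS = [
    ("decryption failed or bad record mac", "rejected: wrong PSK secret"),
    ("no shared cipher", "rejected: no PSK offered"),
]


def classify_connections(log_text):
    """Group stunnel log lines by connection id and decide each connection's outcome.

    Returns an ordered dict: conn id -> {ts, peer, identity, outcome, evidence_level}.
    evidence_level is the LOG<n> severity of the line that decided the outcome, i.e.
    the least verbose 'debug' setting at which that evidence would still be logged.
    """
    conns = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a stunnel line in the expected shape; ignore it
        level, msg = int(m["level"]), m["msg"]
        rec = conns.setdefault(
            m["conn"],
            {"ts": m["ts"], "peer": None, "identity": None,
             "outcome": "undetermined", "evidence_level": None},
        )
        peer = PEER_RE.search(msg)
        if peer:
            rec["peer"] = peer["peer"]
            continue
        ident = IDENTITY_RE.search(msg)
        if ident:
            # The offered identity was found in PSKsecrets. Treat the client as
            # accepted unless a later SSL_accept error for the same id overrides it.
            rec["identity"] = ident["identity"]
            rec["outcome"] = "accepted"
            rec["evidence_level"] = level
            continue
        if msg.startswith("SSL_accept:"):
            rec["outcome"] = "rejected: handshake error"
            for needle, reason in REJECTION_REASONS:
                if needle in msg:
                    rec["outcome"] = reason
                    break
            rec["evidence_level"] = level
    return conns


def rejected_connections(log_text):
    """Connections a monitoring job would alert on: (conn id, timestamp, outcome)."""
    return [
        (conn, rec["ts"], rec["outcome"])
        for conn, rec in classify_connections(log_text).items()
        if rec["outcome"].startswith("rejected")
    ]


def minimum_log_level(log_text):
    """Largest LOG<n> number among the evidence lines: stunnel's 'debug' level must be
    at least this value for every accept/reject decision above to reach the log."""
    levels = [r["evidence_level"] for r in classify_connections(log_text).values()
              if r["evidence_level"] is not None]
    return max(levels) if levels else None


if __name__ == "__main__":
    for conn, rec in classify_connections(SAMPLE_LOG).items():
        print(conn, rec["peer"], rec["identity"], rec["outcome"], rec["evidence_level"])
    print("rejected:", rejected_connections(SAMPLE_LOG))
    print("minimum debug level:", minimum_log_level(SAMPLE_LOG))
```

On the sample, the two rejections are decided by LOG3 lines and the acceptance by a LOG5 line, so `minimum_log_level` reports 5: a `debug` setting below notice would keep the accepted-identity line out of the log while still showing the handshake errors. A real deployment would feed the classifier a tail of the live log and raise on anything `rejected_connections` returns.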
