woman-lifefreedom / sslsockspro

GNU General Public License v3.0

SSLSocks Pro app not work with cert/keys authentication #1

Closed Quixefx closed 1 year ago

Quixefx commented 1 year ago

Hello. I've encountered an issue where I can't authenticate with the SSLSocks Pro Android app using generated certificates and keys. I have a stunnel server installed that is configured with generated server root cert/key files (server.key/server.crt <-> server_cert.pem) and client cert/key files (client_cert.pem/client_key.pem). All .crt, .key and *.pem files contain certificates/keys in the usual format, encoded in base64. Stunnel obfuscates the OpenVPN connections.

My /etc/stunnel/stunnel.conf on server:

```ini
pid = /etc/stunnel/stunnel.pid
debug = info
output = /var/log/stunnel4/stunnel.log
setuid = stunnel4
setgid = stunnel4
socket = l:TCP_NODELAY=1
ciphers = ECDHE-RSA-AES128-GCM-SHA256
foreground = yes

[openvpn]
accept = 0.0.0.0:443
connect = 127.0.0.1:1194
sslVersion = TLSv1.2
verifyPeer = yes
cert = /etc/stunnel/certs/server.crt
key = /etc/stunnel/certs/server.key
CAfile = /etc/stunnel/certs/clients.pem
```

In the SSLSocks Pro Android app I have this stunnel.conf config:

```ini
remark = obfuscation
ovpn_profile = user02
ovpn_run = yes

client = yes
foreground = yes
socket = r:TCP_NODELAY=1
[openvpn]
sni = bing.com
accept = 127.0.0.1:1194
connect = <my_server_ip>:443
verifyPeer = yes
cert = client1_cert.pem
key = client1_key.pem
CAfile = server_cert.pem
```

The files client1_cert.pem, client1_key.pem and server_cert.pem I imported into the SSLSocks Pro app via the CERTS/KEYS tab according to this instruction.

The problem is that with this client configuration, the SSLSocks Pro application with certificate authentication fails to connect to the stunnel server due to errors (full log below): ...TLS alert (read): fatal: handshake failure... ...SSL_connect: ../openssl/ssl/record/rec_layer_s3.c:1563: error:14094410:SSL....

Here is the output of the log file on the SSLSocks Pro application client when I try to connect OpenVPN:

Application client connection log:

```
2023.09.01 08:04:16 LOG6[ui]: Initializing inetd mode configuration
2023.09.01 08:04:16 LOG7[ui]: Clients allowed=1000
2023.09.01 08:04:16 LOG5[ui]: stunnel 5.67 on aarch64-unknown-linux-android platform
2023.09.01 08:04:16 LOG5[ui]: Compiled/running with OpenSSL 1.1.1t-dev xx XXX xxxx
2023.09.01 08:04:16 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2023.09.01 08:04:16 LOG7[ui]: errno: (*__errno())
2023.09.01 08:04:16 LOG6[ui]: Initializing inetd mode configuration
2023.09.01 08:04:16 LOG5[ui]: Reading configuration from file /data/data/link.infra.sslsockspro/files/stunnel_service/config.conf
2023.09.01 08:04:16 LOG5[ui]: UTF-8 byte order mark not detected
2023.09.01 08:04:16 LOG5[ui]: FIPS mode disabled
2023.09.01 08:04:16 LOG6[ui]: Compression disabled
2023.09.01 08:04:16 LOG7[ui]: No PRNG seeding was required
2023.09.01 08:04:16 LOG6[ui]: Initializing service [openvpn]
2023.09.01 08:04:16 LOG6[ui]: stunnel default security level set: 2
2023.09.01 08:04:16 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2023.09.01 08:04:16 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.09.01 08:04:16 LOG7[ui]: TLS options: 0x2100004 (+0x0, -0x0)
2023.09.01 08:04:16 LOG6[ui]: Session resumption enabled
2023.09.01 08:04:16 LOG7[ui]: No certificate or private key specified
2023.09.01 08:04:16 LOG4[ui]: Service [openvpn] needs authentication to prevent MITM attacks
2023.09.01 08:04:16 LOG6[ui]: DH initialization skipped: client section
2023.09.01 08:04:16 LOG7[ui]: ECDH initialization
2023.09.01 08:04:16 LOG7[ui]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2023.09.01 08:04:16 LOG5[ui]: Configuration successful
2023.09.01 08:04:16 LOG7[ui]: Deallocating deployed section defaults
2023.09.01 08:04:16 LOG7[ui]: Binding service [openvpn]
2023.09.01 08:04:16 LOG7[ui]: Listening file descriptor created (FD=87)
2023.09.01 08:04:16 LOG7[ui]: Setting accept socket options (FD=87)
2023.09.01 08:04:16 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2023.09.01 08:04:16 LOG6[ui]: Service [openvpn] (FD=87) bound to 127.0.0.1:1194
2023.09.01 08:04:16 LOG7[ui]: No pid file being created
2023.09.01 08:04:16 LOG7[cron]: Cron thread initialized
2023.09.01 08:04:16 LOG6[cron]: Executing cron jobs
2023.09.01 08:04:16 LOG6[cron]: Cron jobs completed in 0 seconds
2023.09.01 08:04:16 LOG7[cron]: Waiting 86400 seconds
2023.09.01 08:04:17 LOG7[ui]: Found 1 ready file descriptor(s)
2023.09.01 08:04:17 LOG7[ui]: FD=69 events=0x2001 revents=0x0
2023.09.01 08:04:17 LOG7[ui]: FD=87 events=0x2001 revents=0x1
2023.09.01 08:04:17 LOG7[ui]: Service [openvpn] accepted (FD=73) from 127.0.0.1:38453
2023.09.01 08:04:17 LOG7[0]: Service [openvpn] started
2023.09.01 08:04:17 LOG7[0]: Setting local socket options (FD=73)
2023.09.01 08:04:17 LOG7[0]: Option TCP_NODELAY set on local socket
2023.09.01 08:04:17 LOG5[0]: Service [openvpn] accepted connection from 127.0.0.1:38453
2023.09.01 08:04:17 LOG6[0]: s_connect: connecting :443
2023.09.01 08:04:17 LOG7[0]: s_connect: s_poll_wait :443: waiting 10 seconds
2023.09.01 08:04:17 LOG7[0]: FD=79 events=0x2001 revents=0x0
2023.09.01 08:04:17 LOG7[0]: FD=91 events=0x2005 revents=0x0
2023.09.01 08:04:17 LOG5[0]: s_connect: connected :443
2023.09.01 08:04:17 LOG5[0]: Service [openvpn] connected remote server from :46522
2023.09.01 08:04:17 LOG7[0]: Setting remote socket options (FD=91)
2023.09.01 08:04:17 LOG7[0]: Option TCP_NODELAY set on remote socket
2023.09.01 08:04:17 LOG7[0]: Remote descriptor (FD=91) initialized
2023.09.01 08:04:17 LOG6[0]: SNI: sending servername: bing.com
2023.09.01 08:04:17 LOG6[0]: Peer certificate not required
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): before SSL initialization
2023.09.01 08:04:17 LOG7[0]: Initializing application specific data for session authenticated
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client hello
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server hello
2023.09.01 08:04:17 LOG6[0]: Certificate verification disabled
2023.09.01 08:04:17 LOG6[0]: Certificate verification disabled
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server key exchange
2023.09.01 08:04:17 LOG6[0]: Client CA: CN=client1
2023.09.01 08:04:17 LOG6[0]: Client CA: CN=client2
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server certificate request
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS read server done
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client certificate
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client key exchange
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS write change cipher spec
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS write finished
2023.09.01 08:04:18 LOG7[0]: TLS alert (read): fatal: handshake failure
2023.09.01 08:04:18 LOG3[0]: SSL_connect: ../openssl/ssl/record/rec_layer_s3.c:1563: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
2023.09.01 08:04:18 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2023.09.01 08:04:18 LOG7[0]: Deallocating application specific data for session connect address
2023.09.01 08:04:18 LOG7[0]: Remote descriptor (FD=91) closed
2023.09.01 08:04:18 LOG7[0]: Local descriptor (FD=73) closed
2023.09.01 08:04:18 LOG7[0]: Service [openvpn] finished (0 left)
2023.09.01 08:04:18 LOG7[ui]: No pid file to remove
2023.09.01 08:04:18 LOG7[ui]: Terminating the cron thread
2023.09.01 08:04:18 LOG6[ui]: Terminating 1 service thread(s)
2023.09.01 08:04:18 LOG6[ui]: Service threads terminated
2023.09.01 08:04:18 LOG7[ui]: Unbinding service [openvpn]
2023.09.01 08:04:18 LOG7[ui]: Service [openvpn] closed (FD=87)
2023.09.01 08:04:18 LOG7[ui]: Service [openvpn] closed
```

The log says that the Android application does not see any of the files, and it says that certificate verification is disabled. Why is this happening?

At the same time, if I view the connection log on the stunnel server side (/var/log/stunnel4/stunnel.log), it remains completely empty. New client connections are not registered.

If I use exactly the same client configuration in another client, Stunnel GUI for Windows, then the connection using ovpn + stunnel with these certificates and keys is successfully established and works.

If on the server side I disable in the config the mandatory requirement to provide certificates and keys (I delete the verifyPeer = yes line), and on the Android client I delete all lines related to specifying certificates and keys, such a connection via the SSLSocks Pro client is successfully established and works. The connection with verification of certificates/keys does not work.

Quixefx commented 1 year ago

@woman-lifefreedom

woman-lifefreedom commented 1 year ago

Hi, thank you for your message. I have not tested this feature yet, but I think you have to enter the path correctly:

```ini
cert = /data/user/0/link.infra.sslsocks/files/.pem
key = /data/user/0/link.infra.sslsocks/files/.pem
```

I plan to integrate everything into a unified config file, so you wouldn't need to import the key separately. Some parts of the work regarding the database management are already done.
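The report above and the maintainer's reply both come down to one question: did the client's stunnel actually apply the cert, key, CAfile and verifyPeer options it was given, or did it silently fall back to an unauthenticated client? The client log answers that directly ("No certificate or private key specified", "Peer certificate not required", "Certificate verification disabled"), which is the security-relevant part: a client in that state will complete a handshake with any server that does not demand a client certificate. The script below is an added example, not code from SSLSocks Pro or the stunnel project. It parses a stunnel-style config (global keys, then [service] sections), applies static checks, and then cross-checks the config against stunnel log lines for exactly those contradictions. The sample config and log lines are constructed from the issue text; treating a relative cert/key/CAfile path as a finding is an assumption taken from the maintainer's reply that the path must be given as the app's absolute data-directory path.

```python
"""Cross-check a stunnel client config against the log it produced.

Added example; not SSLSocks Pro or stunnel project code. Sample config and
log lines are constructed from the issue text.
"""
import os
import re

# Log message prefix -> (config key it contradicts, what it means).
# A client that logs these despite setting the key is not doing the
# authentication the config asked for and will accept any server.
CONTRADICTIONS = {
    "No certificate or private key specified": ("cert", "client cert/key were not loaded"),
    "Peer certificate not required": ("verifyPeer", "verifyPeer was not applied"),
    "Certificate verification disabled": ("CAfile", "CAfile was not applied; any server certificate is accepted"),
}

# File-valued options. Flagging relative paths is an assumption based on the
# maintainer's reply that the app needs absolute data-directory paths.
PATH_KEYS = ("cert", "key", "CAfile")

# "2023.09.01 08:04:16 LOG7[ui]: message" -> capture the message.
LOG_LINE = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} LOG\d\[[^\]]*\]: (.*)$")


def parse_stunnel_conf(text):
    """Return {section_name: {key: value}}; global options live under ''."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def audit_service(opts):
    """Static checks on one [service] section's options."""
    findings = []
    wants_verify = opts.get("verifyPeer", "no").lower() == "yes"
    if wants_verify and not ("CAfile" in opts or "CApath" in opts):
        findings.append("verifyPeer = yes but neither CAfile nor CApath is set")
    if ("cert" in opts) != ("key" in opts):
        findings.append("cert and key must both be set")
    for key in PATH_KEYS:
        if key in opts and not os.path.isabs(opts[key]):
            findings.append(f"{key} = {opts[key]} is a relative path")
    return findings


def audit_log(log_text, opts):
    """Findings where the log shows an option from opts was not applied."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        for prefix, (key, why) in CONTRADICTIONS.items():
            if msg.startswith(prefix) and key in opts and prefix not in seen:
                seen.add(prefix)
                findings.append(f"log: '{prefix}' although config sets {key} ({why})")
        if "fatal: handshake failure" in msg and "handshake" not in seen:
            seen.add("handshake")
            findings.append("peer sent handshake_failure; with verifyPeer = yes on the "
                            "server this is consistent with the client presenting no certificate")
    return findings


def audit(conf_text, log_text):
    """Map each [service] section to its combined static and log findings."""
    return {name: audit_service(opts) + audit_log(log_text, opts)
            for name, opts in parse_stunnel_conf(conf_text).items() if name}


# Constructed sample: the client config from the issue (app-specific keys omitted).
CLIENT_CONF = """\
client = yes
foreground = yes
socket = r:TCP_NODELAY=1
[openvpn]
sni = bing.com
accept = 127.0.0.1:1194
connect = <my_server_ip>:443
verifyPeer = yes
cert = client1_cert.pem
key = client1_key.pem
CAfile = server_cert.pem
"""

# Constructed sample: the relevant lines of the issue's client log.
CLIENT_LOG = """\
2023.09.01 08:04:16 LOG7[ui]: No certificate or private key specified
2023.09.01 08:04:16 LOG4[ui]: Service [openvpn] needs authentication to prevent MITM attacks
2023.09.01 08:04:17 LOG6[0]: Peer certificate not required
2023.09.01 08:04:17 LOG6[0]: Certificate verification disabled
2023.09.01 08:04:17 LOG6[0]: Certificate verification disabled
2023.09.01 08:04:17 LOG7[0]: TLS state (connect): SSLv3/TLS write client certificate
2023.09.01 08:04:18 LOG7[0]: TLS alert (read): fatal: handshake failure
2023.09.01 08:04:18 LOG3[0]: SSL_connect: ../openssl/ssl/record/rec_layer_s3.c:1563: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
"""

if __name__ == "__main__":
    for service, findings in audit(CLIENT_CONF, CLIENT_LOG).items():
        print(f"[{service}]")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed samples, the [openvpn] section yields three relative-path findings, one finding per contradicting log message (the duplicated "Certificate verification disabled" line is reported once), and the handshake_failure note. A config with absolute paths and a log that does not contain those messages yields no findings, which is the state to expect once the app loads the imported files.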