Closed Quixefx closed 1 year ago
@woman-lifefreedom
Hi, thank you for your message. I have not tested this feature yet, but I think you have to enter the path correctly:

```
cert = /data/user/0/link.infra.sslsocks/files/.pem
key = /data/user/0/link.infra.sslsocks/files/.pem
```

I plan to integrate everything in a unified config file, so you wouldn't need to import the key separately. Some parts of the work regarding the database management are already done.
Hello. I've encountered an issue where I can't authenticate with the SSLSocks Pro Android app using generated certificates and keys. I have a stunnel server installed that is configured with generated server root cert/key files (server.key/server.crt <-> server_cert.pem) and client cert/key files (client_cert.pem/client_key.pem). All .crt, .key and *.pem files contain certificates/keys in the usual format, encoded in base64. Stunnel obfuscates OpenVPN connections.
My /etc/stunnel/stunnel.conf on server:
In the SSLSocks Pro Android app I have this config stunnel.conf:
The files client1_cert.pem, client1_key.pem and server_cert.pem I imported into the SSLSocks Pro app with the CERTS/KEYS tab according to this instruction.
The problem is that with this client configuration, the SSLSocks Pro application with certificate authentication fails to connect to the Stunnel server due to errors (full log below):
...TLS alert (read): fatal: handshake failure...
...SSL_connect: ../openssl/ssl/record/rec_layer_s3.c:1563: error:14094410:SSL...
Here is the output of the log file on the SSLSocks Pro application client when I'm trying to connect OpenVPN:
Application client connection log
```
2023.09.01 08:04:16 LOG6[ui]: Initializing inetd mode configuration
2023.09.01 08:04:16 LOG7[ui]: Clients allowed=1000
2023.09.01 08:04:16 LOG5[ui]: stunnel 5.67 on aarch64-unknown-linux-android platform
2023.09.01 08:04:16 LOG5[ui]: Compiled/running with OpenSSL 1.1.1t-dev xx XXX xxxx
2023.09.01 08:04:16 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2023.09.01 08:04:16 LOG7[ui]: errno: (*__errno())
2023.09.01 08:04:16 LOG6[ui]: Initializing inetd mode configuration
2023.09.01 08:04:16 LOG5[ui]: Reading configuration from file /data/data/link.infra.sslsockspro/files/stunnel_service/config.conf
2023.09.01 08:04:16 LOG5[ui]: UTF-8 byte order mark not detected
2023.09.01 08:04:16 LOG5[ui]: FIPS mode disabled
2023.09.01 08:04:16 LOG6[ui]: Compression disabled
2023.09.01 08:04:16 LOG7[ui]: No PRNG seeding was required
2023.09.01 08:04:16 LOG6[ui]: Initializing service [openvpn]
2023.09.01 08:04:16 LOG6[ui]: stunnel default security level set: 2
2023.09.01 08:04:16 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
2023.09.01 08:04:16 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
2023.09.01 08:04:16 LOG7[ui]: TLS options: 0x2100004 (+0x0, -0x0)
2023.09.01 08:04:16 LOG6[ui]: Session resumption enabled
2023.09.01 08:04:16 LOG7[ui]: No certificate or private key specified
2023.09.01 08:04:16 LOG4[ui]: Service [openvpn] needs authentication to prevent MITM attacks
2023.09.01 08:04:16 LOG6[ui]: DH initialization skipped: client section
2023.09.01 08:04:16 LOG7[ui]: ECDH initialization
2023.09.01 08:04:16 LOG7[ui]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384
2023.09.01 08:04:16 LOG5[ui]: Configuration successful
2023.09.01 08:04:16 LOG7[ui]: Deallocating deployed section defaults
2023.09.01 08:04:16 LOG7[ui]: Binding service [openvpn]
2023.09.01 08:04:16 LOG7[ui]: Listening file descriptor created (FD=87)
2023.09.01 08:04:16 LOG7[ui]: Setting accept socket options (FD=87)
2023.09.01 08:04:16 LOG7[ui]: Option SO_REUSEADDR set on accept socket
2023.09.01 08:04:16 LOG6[ui]: Service [openvpn] (FD=87) bound to 127.0.0.1:1194
2023.09.01 08:04:16 LOG7[ui]: No pid file being created
2023.09.01 08:04:16 LOG7[cron]: Cron thread initialized
2023.09.01 08:04:16 LOG6[cron]: Executing cron jobs
2023.09.01 08:04:16 LOG6[cron]: Cron jobs completed in 0 seconds
2023.09.01 08:04:16 LOG7[cron]: Waiting 86400 seconds
2023.09.01 08:04:17 LOG7[ui]: Found 1 ready file descriptor(s)
2023.09.01 08:04:17 LOG7[ui]: FD=69 events=0x2001 revents=0x0
2023.09.01 08:04:17 LOG7[ui]: FD=87 events=0x2001 revents=0x1
2023.09.01 08:04:17 LOG7[ui]: Service [openvpn] accepted (FD=73) from 127.0.0.1:38453
2023.09.01 08:04:17 LOG7[0]: Service [openvpn] started
2023.09.01 08:04:17 LOG7[0]: Setting local socket options (FD=73)
2023.09.01 08:04:17 LOG7[0]: Option TCP_NODELAY set on local socket
2023.09.01 08:04:17 LOG5[0]: Service [openvpn] accepted connection from 127.0.0.1:38453
2023.09.01 08:04:17 LOG6[0]: s_connect: connecting
```
The log says that the Android application does not see any files and it says that certificate verification is disabled. Why is this happening?
At the same time, if I view the connection log on the stunnel server side (/var/log/stunnel4/stunnel.log), it remains completely empty. New client connections are not registered.
If I use exactly the same client configuration in another Stunnel GUI for Windows client, then the connection using ovpn + stunnel with these certificates and keys is successfully established and works.
If on the server side I disable in the config the mandatory requirement to provide certificates and keys (I delete the `verifyPeer = yes` line) and on the Android client delete all lines related to specifying certificates and keys, such a connection via the SSLSocks Pro client is successfully established and works. Connection with verification of certificates/keys does not work.