The service I need to connect to has provided me three files and I'm trying to figure out what I need to create the Cert=xxx.PEM file that STUNNEL needs.

I have a "keystore.jks" file. Dumping that with keytool says it's a "Private key entry".

I have a "truststore.jks" file. Dumping that says it's a "trusted certificate entry". The alias is "server".

I also have a "xyz.cer" file. That seems to be an X.509 certificate.

I've got OPENSSL and a Java program called "KeytoolUI".

Bottom line is I have a bunch of files and tools and with not much knowledge of SSL I feel like I can't see the wood for the trees. Do I need all those files? The existing PEM files I have for other services just have a "Certificate" section and a "RSA Private key" section.

Any advice appreciated. Thanks!

A: 

It sounds like your provider has provided your keypair (for client side authentication) as a Java keystore, and (I'm guessing) the remote server's public certificate or CA certificate in PEM format.

That's some fairly heavy guesswork, but it's strange that they've sent you a private key if you aren't doing client side auth. (Let's hope they haven't sent you the private key for their server!).

As far as I'm aware, stunnel only uses PEM certificates, so you will need to convert your JKS files into two PEM files (one for the private key, one for the public certificate). One way to do this is to convert the JKS to a PKCS#12 (aka PFX) file using keytool, and then use OpenSSL to convert the PKCS#12 file into PEM private key/certificate files.

Once you have these two files, use them with the key and cert options in stunnel.conf.

For the final (mystery) PEM certificate that you have, I'm going to guess (again) that this is the remote CA, and therefore that you should configure this against the CAfile parameter in stunnel.conf. (If it's appropriate for you to post details here, edit to include output from openssl x509 -in <filename> -text to provide more clues).

Martin Carpenter
Thank you very much for that Martin. I've been away for a few days, but I will give that a try and see what happens.
rc1
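The JKS -> PKCS#12 -> PEM conversion Martin describes, as an added worked example (not code from either poster). It assumes keytool (from a JDK) and openssl are on PATH; the store password, key alias and the "CAfile" path are placeholders to be replaced with the provider's values. The demo function builds a throwaway self-signed JKS so the whole pipeline can be run offline, and the final check confirms the extracted key really belongs to the extracted certificate, which is the mistake the "keystore vs truststore" confusion in the question makes easy.

```shell
#!/bin/sh
# Added example: JKS keypair -> PKCS#12 (keytool) -> PEM key + cert (openssl) for stunnel.
# Assumes keytool and openssl on PATH. Passwords/aliases below are demo placeholders.
set -eu

# openssl pkcs12 wrapper: OpenSSL 3 needs -legacy to read PKCS#12 files written by
# older JDKs (RC2/3DES), so retry with it if the first attempt fails.
p12_extract() {           # $1 = .p12  $2 = password  $3 = output file  rest = selectors
    p12=$1; pass=$2; out=$3; shift 3
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -out "$out" "$@" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$p12" -passin "pass:$pass" -out "$out" "$@"
}

# $1 = keystore.jks  $2 = store password  $3 = key alias  $4 = output directory
jks_to_pem() {
    jks=$1; pass=$2; alias=$3; out=$4
    mkdir -p "$out"
    keytool -importkeystore -noprompt \
        -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$pass" -srcalias "$alias" \
        -destkeystore "$out/client.p12" -deststoretype PKCS12 \
        -deststorepass "$pass" -destkeypass "$pass"
    # -nodes leaves the key unencrypted, which an unattended stunnel daemon needs;
    # protect the file with permissions instead (chmod 600).
    p12_extract "$out/client.p12" "$pass" "$out/client-key.pem"  -nocerts -nodes
    p12_extract "$out/client.p12" "$pass" "$out/client-cert.pem" -nokeys -clcerts
    chmod 600 "$out/client-key.pem"
}

# The public key derived from the private key must equal the one in the certificate.
pem_pair_matches() {      # $1 = key PEM  $2 = cert PEM
    key_pub=$(openssl pkey -in "$1" -pubout)
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# stunnel.conf lines for the converted files; CAfile is the provider's CA certificate
# and verify = 2 makes stunnel actually check the peer certificate against it.
stunnel_fragment() {      # $1 = key PEM  $2 = cert PEM  $3 = CA PEM
    printf 'key = %s\ncert = %s\nCAfile = %s\nverify = 2\n' "$1" "$2" "$3"
}

# Constructed demo: a throwaway self-signed JKS standing in for the provider's keystore.jks.
demo() {
    work=${1:-$(mktemp -d)}
    keytool -genkeypair -noprompt -keyalg RSA -keysize 2048 -alias client \
        -dname "CN=demo-client" -validity 1 -keystore "$work/keystore.jks" \
        -storetype JKS -storepass changeit -keypass changeit >/dev/null 2>&1
    jks_to_pem "$work/keystore.jks" changeit client "$work/pem"
    pem_pair_matches "$work/pem/client-key.pem" "$work/pem/client-cert.pem"
}
```

Run `demo /tmp/stunnel-demo` to see the generated files; with a real keystore call `jks_to_pem keystore.jks '<storepass>' '<alias>' ./pem` and point stunnel.conf at the output with `stunnel_fragment`.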
A: 

No answer I'm afraid. In the end I got the company to just send me a PEM file.

I did find quite an authoritative looking tutorial here

http://www.herongyang.com/crypto/Migrating_Keys_keytool_to_OpenSSL_2.html

The problem is, for somebody who doesn't do this every day, getting a bunch of free/open source software from various sources to work together. You can find scripts to do this on various sites, but when you run them, you'll see Java tracebacks, complaints about LIBEAY32.DLL missing ordinals, etc., etc.

If you get the exact right versions of KEYTOOL, OPENSSL, etc., installed in the correct place, with the exact right JRE version and all the other DLLs, the PATH correct, and all the stars exactly lined up, you'll be fine. Until then it's just an exercise in frustration.

rc1
A: 

Have a look at this article: http://www.securityfocus.com/infocus/1677

You may not really be interested in securing VNC or RDP sessions over stunnel, but the tutorial worked for me.

ifx