OpenSSL
Dmitry Ignashkin, 2019-09-20 23:35:00

OpenSSL + GOST + stunnel + int223.zakupki.gov.ru. How to set it up?

Greetings.
Friends, comrades, I completely despaired of finding a solution myself, so I present it in the hope of help or at least moral support.
The essence of the problem, or rather the task, comes down to setting up a two-way TLS connection with the EIS server (int223.zakupki.gov.ru).
Excerpt from the setup instructions:

The TLS cryptographic protocol is used. The connection is established via the TLS protocol in the mode of two-way authentication with additional verification of the electronic signature certificate (hereinafter referred to as the ES).

So there is a certificate, it is valid and it is in the certificate chain that is published on their website. (You won't believe it: I went to zakupki.gov.ru, and there is a notification about routine maintenance in the period from 22:00 09/20/2019 to 12:00 09/31/2019, posted today...)
Well, okay, that's not the point.
So, I decided to set up two-way TLS via stunnel on CentOS 7.
To work correctly with such systems, support for GOST 2012 encryption in openssl is required. Moreover, in openssl 1.0.x this shipped out of the box, but starting from openssl 1.1.x it is no longer there, and because of this someone wrote a repository on GitHub to build this very support.
I built it against OpenSSL 1.1.1d. That went almost without problems.
Next, you need to configure stunnel, which essentially proxies the traffic through itself, encrypting it via openssl with that same GOST support.
Here is the stunnel config:
foreground = yes
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
pid = /usr/local/etc/stunnel/stunnel.pid
output = /usr/local/etc/stunnel/stunnel.log
debug = 7
verify = 2
engine = gost

CAfile = /usr/local/etc/stunnel/certs/ca.pem
cert = /usr/local/etc/stunnel/certs/cl.pem

[zakupki]
client = yes
accept = 127.0.0.1:1000
connect = int223.zakupki.gov.ru:443
ciphers = GOST2001-GOST89-GOST89
TIMEOUTclose = 0

And of course it does not start, with this output:
[ ] Clients allowed=500
[.] stunnel 5.55 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.1.1d  10 Sep 2019
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
[.] Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[ ] Enabling support for engine "gost"
[.] UI set for engine #1 (gost)
[ ] Initializing engine #1 (gost)
[ ] Engine #1 (gost) initialized
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [zakupki]
[ ] Ciphers: GOST2001-GOST89-GOST89
[ ] TLSv1.3 ciphersuites: TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Loading certificate from file: /usr/local/etc/stunnel/certs/cl.pem
[ ] Certificate loaded from file: /usr/local/etc/stunnel/certs/cl.pem
[ ] Loading private key from file: /usr/local/etc/stunnel/certs/cl.pem
[!] error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
[!] SSL_CTX_use_PrivateKey_file: crypto/pem/pem_lib.c:745: error:0909006C:PEM routines:get_name:no start line
[!] Service [zakupki]: Failed to initialize TLS context
[ ] Deallocating section defaults

As can be seen from the config, stunnel is used as a client to connect to the procurement server, BUT it requires a private key from me, which is not needed for this connection. So the service itself does not start and nothing works at all.
Okay, I think, I'll leave stunnel alone and go and torture openssl directly.
# openssl s_client -connect zakupki.gov.ru:443 -CAfile ca.pem -cert cl.pem

and I get:
unable to load client certificate private key file
140265341962048:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY

Pretty much the same.
All of this is needed in order to send POST requests to the int223.zakupki.gov.ru server.
What are the options for setting up such an integration? Perhaps there are other schemes or a different approach?
I still can't figure out whether CryptoPro is needed for this (the instructions don't say a word about it).
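The "PEM routines:get_name:no start line ... Expecting: ANY PRIVATE KEY" error in both logs means the loader scanned cl.pem and found no "-----BEGIN ... PRIVATE KEY-----" block: stunnel's "cert =" with no separate "key =" option, like "openssl s_client -cert" with no "-key", expects the client certificate and its private key in the same file, and in two-way authentication the client must prove possession of that key. The following diagnostic is an added example, not code from the original post; it reads a PEM file with plain sed/grep (no openssl needed) and reports which block types it contains, using constructed placeholder files rather than real key material.

```shell
#!/bin/sh
# Added diagnostic for the "no start line / Expecting: ANY PRIVATE KEY" error:
# list the PEM block types in a file and say whether it can serve as a
# combined client cert+key file for stunnel `cert =` or `openssl s_client -cert`.

# Print the PEM block types ("CERTIFICATE", "PRIVATE KEY", ...) in $1, one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 if the file contains at least one CERTIFICATE block.
pem_has_cert() {
    pem_block_types "$1" | grep -qx 'CERTIFICATE'
}

# Return 0 if the file contains any private key block
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...).
pem_has_key() {
    pem_block_types "$1" | grep -q 'PRIVATE KEY$'
}

# Classify $1 as a combined client credential file:
# prints "ok", "missing-key", "missing-cert" or "empty".
classify_client_pem() {
    if pem_has_cert "$1"; then
        if pem_has_key "$1"; then echo ok; else echo missing-key; fi
    elif pem_has_key "$1"; then
        echo missing-cert
    else
        echo empty
    fi
}

# Constructed sample files (placeholder bodies, not real certificates or keys).
TMPD=$(mktemp -d)
cat > "$TMPD/cert-only.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
EOF
cat > "$TMPD/cert-and-key.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END PRIVATE KEY-----
EOF

for f in "$TMPD/cert-only.pem" "$TMPD/cert-and-key.pem"; do
    echo "$f: $(classify_client_pem "$f")"   # cert-only -> missing-key, cert-and-key -> ok
done
```

A file that reports "missing-key" is exactly the situation in the logs above; if the key lives in a separate file, stunnel's "key =" option and s_client's "-key" point at it instead.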
