stunnel on iPhone for certificate authentication
Mobile Safari and the programs I have seen on the iPhone don’t understand certificate-based client authentication. This is a problem that I don’t think they will fix since most enterprises don’t have a fully functional PKI and are still stuck with just passwords or one time password tokens.
However, my employer uses certificates to authenticate users when connecting from the internet to certain messaging services like Outlook Web Access (OWA) or Communicator Web Access (CWA).
Since iDialog uses the CWA connector to access Office Communicator, the only way I can connect to my work with that program is to force client authentication through a proxy.
I hope that Apple will implement native support for client-certificate-authenticated SSL connections in a future revision of the OS, so that app vendors can get this functionality for free.
Warning: I don’t advise using this process. It is complex and could result in the compromise of your user certificate. This information is provided for reference only.
This is a complex and technical process that puts a copy of your private key, unencrypted, on the file system of the iPhone.
Requirements:
- Jailbroken iPhone
- Client certificate in PKCS#12 format (export from IE or Firefox) named backup.p12
- stunnel, OpenSSH, and Toggle SSH for iPhone from Cydia
- Change the root and mobile user passwords on the iPhone (the defaults are widely known, and you are about to expose SSH)
Steps:
Break the client cert into two parts, cert.pem and key.pem:
# convert from the pkcs12 file to pem
# use -nokeys to get just the cert
openssl pkcs12 -in backup.p12 -nodes -nokeys -out cert.pem
# use -nocerts to get just the key (-nodes leaves the key unencrypted)
openssl pkcs12 -in backup.p12 -nodes -nocerts -out key.pem
Create a CA file by pulling the certificate chain from your server with openssl s_client -showcerts and saving the certs to a PEM file. This must be all the certs that will verify your target server, including the server's own certificate: with verify = 3, stunnel checks the peer against a locally installed certificate, not just against the CA that signed it. If the server does not send its root, append the root CA certificate (exported from your desktop trust store) by hand. Save this file as ca.pem.
Create an stunnel.conf file with the following settings, but insert your server name in the last section at the very bottom. Paths are absolute because stunnel resolves relative cert/key/CAfile paths against its working directory, not the config file, and launchd will not start it in /usr/etc/stunnel:
; Certificate/key is needed in server mode and optional in client mode
cert = /usr/etc/stunnel/cert.pem
key = /usr/etc/stunnel/key.pem
; Protocol version (all, SSLv2, SSLv3, TLSv1); the original post used SSLv3,
; which has since been broken (POODLE), so use TLSv1
sslVersion = TLSv1
; PID is created in a var location
pid = /var/run/stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Authentication stuff: level 3 verifies the peer against a locally
; installed certificate, so CAfile must hold the server cert and its chain
verify = 3
; use a CAfile based on the certs that your server presents
CAfile = /usr/etc/stunnel/ca.pem
; Some debugging stuff useful for troubleshooting (level 7 is very verbose)
debug = 7
output = /usr/etc/stunnel/stunnel.log
foreground = yes
; Use it for client mode
client = yes
; Service-level configuration
[https]
; binds every interface; use accept = 127.0.0.1:80 if only apps on the
; phone itself should be able to use your client certificate
accept = 80
connect = your.ssl.server.tld:443
TIMEOUTclose = 0
Copy these four files (cert.pem, key.pem, ca.pem, stunnel.conf) to /usr/etc/stunnel on the iPhone with scp as the root user, and make key.pem readable only by root (chmod 600).
Test this configuration by running stunnel from the iPhone over SSH:
/usr/bin/stunnel /usr/etc/stunnel/stunnel.conf
If this all works, grab the stunnel.plist file from Kurt's Weblog and modify it to launch your stunnel from /usr/bin/.
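The desktop-side part of the procedure above (split the PKCS#12 file, pull the chain with s_client, check it, and write the config) as one script. This is an added example, not the original post's code; the bundle directory, the STUNNEL_DIR default of /usr/etc/stunnel, binding accept to 127.0.0.1, and the sample s_client transcript with its fake certificate bodies are all assumptions made here.

```shell
#!/bin/sh
# Assumed layout: everything ends up in /usr/etc/stunnel on the phone, so the
# generated config uses absolute paths and does not depend on stunnel's cwd.
STUNNEL_DIR="${STUNNEL_DIR:-/usr/etc/stunnel}"

# Step 1: split the PKCS#12 export into cert.pem and key.pem (same openssl
# invocations as the post). -nodes writes the key unencrypted, which is why
# the post warns about leaving a private key on the phone.
split_p12() {            # split_p12 backup.p12 outdir
    openssl pkcs12 -in "$1" -nodes -nokeys  -out "$2/cert.pem"
    openssl pkcs12 -in "$1" -nodes -nocerts -out "$2/key.pem"
    chmod 600 "$2/key.pem"
}

# Step 2a: keep only the PEM certificate blocks from an
# `openssl s_client -showcerts` transcript (stdin -> stdout). s_client prints
# the chain in order: server leaf first, then each cert it received above it.
# Handshake chatter and session data are dropped.
extract_pem_chain() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----$/ {p=0}'
}

count_certs() {          # stdin -> number of PEM certificates
    awk '/^-----BEGIN CERTIFICATE-----$/ {n++} END {print n+0}'
}

# Step 2b: pull the chain from the live server. The leaf is kept on purpose:
# stunnel's verify = 3 checks the peer against a locally installed
# certificate, so ca.pem must contain the server cert, not only its issuers.
fetch_chain() {          # fetch_chain your.ssl.server.tld > ca.pem
    openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null \
        | extract_pem_chain
}

# Step 2c: the first cert in ca.pem is the leaf; it must verify against the
# rest of the file. "unable to get issuer certificate" means the server did
# not send its root: append the root CA cert to ca.pem by hand.
check_chain() {          # check_chain ca.pem
    awk '/^-----BEGIN CERTIFICATE-----$/ {n++} n==1 {print}' "$1" > "$1.leaf"
    openssl verify -CAfile "$1" "$1.leaf"
}

# Step 3: write stunnel.conf for client mode. TLSv1 instead of the post's
# SSLv3, and accept bound to 127.0.0.1 so only apps on the phone can use
# the client certificate (both are choices made in this example).
write_conf() {           # write_conf your.ssl.server.tld > stunnel.conf
    cat <<EOF
client = yes
cert = $STUNNEL_DIR/cert.pem
key = $STUNNEL_DIR/key.pem
CAfile = $STUNNEL_DIR/ca.pem
verify = 3
sslVersion = TLSv1
pid = /var/run/stunnel.pid
debug = 7
output = $STUNNEL_DIR/stunnel.log
foreground = yes
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
[https]
accept = 127.0.0.1:80
connect = $1:443
TIMEOUTclose = 0
EOF
}

# Constructed sample of an s_client -showcerts transcript (fake cert bodies),
# used to exercise extract_pem_chain offline.
SAMPLE_S_CLIENT='CONNECTED(00000003)
depth=1 CN = Example Issuing CA
---
Certificate chain
 0 s:/CN=owa.example.invalid
   i:/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLeafBody0001
MIIBconstructedLeafBody0002
-----END CERTIFICATE-----
 1 s:/CN=Example Issuing CA
   i:/CN=Example Root
-----BEGIN CERTIFICATE-----
MIIBconstructedIssuerBody01
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=owa.example.invalid
SSL-Session:
    Session-ID: 0123456789'

# Usage on the desktop: sh build_stunnel_bundle.sh build backup.p12 your.ssl.server.tld
if [ "${1:-}" = "build" ]; then
    mkdir -p bundle
    split_p12 "$2" bundle
    fetch_chain "$3" > bundle/ca.pem
    echo "fetched $(count_certs < bundle/ca.pem) certificate(s) from $3"
    check_chain bundle/ca.pem
    write_conf "$3" > bundle/stunnel.conf
    echo "now: scp bundle/* root@iphone:$STUNNEL_DIR/"
fi
```

Run it with the build argument, then scp the bundle directory to /usr/etc/stunnel on the phone as in the steps above. check_chain is the test worth doing before copying anything: a chain that fails openssl verify on the desktop will fail stunnel's verify = 3 on the phone, and debug = 7 output is a slow way to learn that.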
Original: http://blog.endurancetrails.com/2010/01/stunnel-on-iphone-for-certificate.html
After jailbreaking, set Cydia to the Developer role, then search for stunnel to find and install it.