stunnel on iphone for certificate authentication

23 August 2012 | Category: Mobile circumvention (手机翻墙)

Mobile Safari and the programs I have seen on the iPhone don’t understand certificate-based client authentication. This is a problem that I don’t think they will fix since most enterprises don’t have a fully functional PKI and are still stuck with just passwords or one time password tokens.

However, my employer uses certificates to authenticate users when connecting from the internet to certain messaging services like Outlook Web Access (OWA) or Communicator Web Access (CWA).

Since iDialog uses the CWA connector to access Office Communicator, the only way I can connect to my work with that program is to force client authentication through a proxy.

I hope that Apple will implement native support for client-certificate-authenticated SSL connections in a future revision of the OS, so that app vendors can get this functionality for free.

Warning: I don’t advise using this process. It is complex and could result in the compromise of your user certificate. This information is provided for reference only.

This is a complex and technical process that puts a copy of your private key on the file system of the iPhone. You will need:

  1. Jailbroken iPhone
  2. Your client certificate exported as a PKCS#12 file (from IE or Firefox), named backup.p12
  3. Stunnel, OpenSSH, and Toggle SSH for iPhone from Cydia
  4. Change the root and mobile user passwords on the iPhone

Break the client cert into two parts, cert.pem and key.pem:

# convert from the pkcs12 file to pem
# -nodes writes the key unencrypted, which stunnel needs in order to start unattended
# -nokeys gives just the cert
openssl pkcs12 -in backup.p12 -nodes -nokeys -out cert.pem
# -nocerts gives just the key
openssl pkcs12 -in backup.p12 -nodes -nocerts -out key.pem

Create a CA file by pulling the certificate chain from your server with openssl s_client and saving the certs to a PEM file. It must contain every certificate needed to verify your target server. Save this file as ca.pem.
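The following is an added example, not part of the original post, showing one way to assemble ca.pem from the chain the server presents and to sanity-check the result. your.ssl.server.tld:443 is the post's placeholder; SAMPLE_SHOWCERTS is a constructed copy of what openssl s_client -showcerts prints, with shortened certificate bodies, so the extraction can be exercised offline.

```shell
# Added example (not from the original post): build ca.pem from the chain the
# server presents, then count what ended up in it.

# Dump the chain the server sends. Run this on a desktop, not on the phone;
# -showcerts prints every certificate in the chain as a PEM block.
fetch_chain() {
    openssl s_client -connect "${1:-your.ssl.server.tld:443}" -showcerts </dev/null 2>/dev/null
}

# Keep only the PEM certificate blocks from s_client output; the session
# summary and "Verify return code" lines must not end up in ca.pem.
extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----/   { keep = 0 }'
}

# Number of certificates in a PEM file. A single entry usually means the
# intermediates were not captured and stunnel's verify step will fail.
count_certs() {
    grep -c '^-----END CERTIFICATE-----' "$1"
}

# Constructed sample of `openssl s_client -showcerts` output: a depth-0
# server certificate and one intermediate, with placeholder bodies.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
depth=1 CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = your.ssl.server.tld
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBASEEXAMPLELEAFCERTIFICATEBODYPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBASEEXAMPLEINTERMEDIATECERTIFICATEBODYPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=CN = your.ssl.server.tld
issuer=CN = Example Intermediate CA
---
Verify return code: 20 (unable to get local issuer certificate)
---'

# Write a PEM file from the constructed sample and report how many
# certificates it holds (2 for the sample above).
build_sample_ca() {
    out="${1:-ca.pem}"
    printf '%s\n' "$SAMPLE_SHOWCERTS" | extract_certs > "$out"
    count_certs "$out"
}

# Real use: fetch_chain your.ssl.server.tld:443 | extract_certs > ca.pem
```

Two points worth checking on the resulting file: stunnel's verify = 3 requires the peer's own certificate to be present in CAfile, so keep the depth-0 server certificate rather than stripping it out, and servers usually do not send the root CA, so if openssl verify -CAfile ca.pem cert.pem still reports a missing issuer, append the root from your desktop's trust store.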

Create an stunnel.conf file with the following settings but insert your server name in the last section at the very bottom:

; Certificate/key is needed in server mode and optional in client mode
cert = cert.pem
key = key.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
; SSLv3 is obsolete; current stunnel builds accept TLSv1.2 here if the server supports it
sslVersion = SSLv3

; PID file (must be a file path, not a directory)
pid = /var/run/stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Authentication stuff
; level 3 verifies the chain and also requires the peer's own certificate to be in CAfile
verify = 3
; use a CAfile based on the certs that your server presents
CAfile = ca.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log
foreground = yes
; Use it for client mode
client = yes
; Service-level configuration
; local plaintext port the app connects to; binding 80 requires stunnel to run as root
accept  = 80
connect = your.ssl.server.tld:443
TIMEOUTclose = 0

Copy these four files to /usr/etc/stunnel on the iPhone with scp as the root user.
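Before running stunnel over SSH it is worth checking the copied directory. The following is an added example, not part of the original post: a pre-flight check for the four files. The /usr/etc/stunnel path and file names are the post's; make_fixture builds a constructed scratch directory (with a world-readable key.pem and a directory-valued pid setting) so the check can be exercised offline.

```shell
# Added example (not from the original post): verify the stunnel directory
# before the first run. Reports each problem on stdout and returns the count.
check_stunnel_dir() {
    dir="${1:-/usr/etc/stunnel}"
    problems=0

    # all four files the post copies over must be present
    for f in cert.pem key.pem ca.pem stunnel.conf; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            problems=$((problems + 1))
        fi
    done

    # key.pem is the unencrypted private key; only its owner should read it.
    # Columns 5-10 of `ls -l` are the group and other permission bits.
    if [ -f "$dir/key.pem" ]; then
        if [ "$(ls -ld "$dir/key.pem" | cut -c5-10)" != "------" ]; then
            echo "key.pem is readable by group/other; chmod 600 it"
            problems=$((problems + 1))
        fi
    fi

    # stunnel cannot create its pid file at a path that is an existing directory
    if [ -f "$dir/stunnel.conf" ]; then
        pidpath=$(sed -n 's/^[[:space:]]*pid[[:space:]]*=[[:space:]]*//p' "$dir/stunnel.conf" | head -n 1)
        if [ -n "$pidpath" ] && [ -d "$pidpath" ]; then
            echo "pid = $pidpath is a directory; use a file such as ${pidpath%/}/stunnel.pid"
            problems=$((problems + 1))
        fi
    fi

    return "$problems"
}

# Constructed fixture: a scratch directory reproducing the post's layout with
# two deliberate faults, a key.pem readable by everyone and a pid setting that
# names a directory (the fixture directory itself, so the check runs anywhere).
make_fixture() {
    fix=$(mktemp -d)
    for f in cert.pem key.pem ca.pem; do : > "$fix/$f"; done
    chmod 644 "$fix/key.pem"
    printf 'cert = cert.pem\nkey = key.pem\npid = %s/\nclient = yes\n' "$fix" > "$fix/stunnel.conf"
    echo "$fix"
}

# Real use, as root on the phone after scp: check_stunnel_dir /usr/etc/stunnel
```

Because cert, key and CAfile are given as relative paths in the config, stunnel resolves them against the directory it is started from, so run it from the directory that holds the files.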

Test this configuration by running stunnel from the iPhone over SSH:

/usr/bin/stunnel /usr/etc/stunnel.conf

If this all works, then grab the stunnel.plist file from Kurt’s Weblog and modify it to launch your stunnel in /usr/bin/.