<div class="gmail_quote">
<div>Hi.</div>
<div> </div>
<div>Two months ago, we installed our SSL certificate with stunnel successfully. That certificate was issued by Verisign. We did not experience any issues. </div>
<div> </div>
<div>A few weeks ago, we had to renew that certificate and after doing that, we started to get 'Invalid certificate' errors from our web site users. It seems that the new certificate issued by Verisign has changed its hierarchy, and browsers like FF that do not have one of the necessary intermediate certificates registered fail.</div>
<div> </div>
<div>This is the new hierarchy:</div>
<div>- VeriSign Class 3 Public Primary Certification Authority - G5</div>
<div> - VeriSign Class 3 Secure Server CA - G3</div>
<div> - <a href="http://www.b-kin.com/" target="_blank">www.b-kin.com</a></div>
<div> </div>
<div>It is the 'VeriSign Class 3 Secure Server CA - G3' certificate that most FF browsers do not have registered, and so the browsers reject the request with an 'Invalid certificate' message.</div>
<div> </div>
<div>To solve this issue, we are trying to incorporate the 'VeriSign Class 3 Secure Server CA - G3' certificate in the .pem file, where our <a href="http://www.b-kin.com/" target="_blank">www.b-kin.com</a> certificate is installed. We have tried to include the Verisign certificate first and then the other one; and the other way round, first our certificate and then the Verisign one, but without success. The Verisign certificate has been directly taken from the Verisign web site.</div>
<div> </div>
<div>The .pem file has the following structure:</div>
<div>Bag Attributes heading section</div>
<div>.....</div>
<div>-----BEGIN RSA PRIVATE KEY-----</div>
<div>.....</div>
<div>-----END RSA PRIVATE KEY-----</div>
<div>Bag Attributes heading section</div>
<div>-----BEGIN CERTIFICATE----- /* We have alternated putting the <a href="http://www.b-kin.com/" target="_blank">www.b-kin.com</a> certificate or the Verisign certificate here */</div>
<div>.....</div>
<div>-----END CERTIFICATE-----</div>
<div>
<div>Bag Attributes heading section</div>
<div>-----BEGIN CERTIFICATE----- /* We have alternated putting the <a href="http://www.b-kin.com/" target="_blank">www.b-kin.com</a> certificate or the Verisign certificate here */</div>
<div>.....</div>
<div>-----END CERTIFICATE-----</div>
<div> </div>
<div>We are running stunnel on CentOS with the following configuration:</div>
<div> </div>
<div>stunnel 4.32 on i686-pc-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008<br>Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP</div>
<div>Global options<br>debug = daemon.notice<br>pid = /usr/local/var/run/stunnel/stunnel.pid<br>RNDbytes = 64<br>RNDfile = /dev/urandom<br>RNDoverwrite = yes</div>
<div>Service-level options<br>cert = /usr/local/etc/stunnel/stunnel.pem<br>ciphers = FIPS<br>session = 300 seconds<br>stack = 65536 bytes<br>sslVersion = TLSv1<br>TIMEOUTbusy = 300 seconds<br>
TIMEOUTclose = 60 seconds<br>TIMEOUTconnect = 10 seconds<br>TIMEOUTidle = 43200 seconds<br>verify = none</div>
<div> </div>
<div>As we have seen in the documentation, it is possible to include a certificate hierarchy in a .pem file. What we do not know is the order, nor the
<div>values to set in the Bag Attributes heading section, for the Verisign certificate.</div>
<div> </div>
<div>Best regards,</div>
<div> </div>
<div>Carlos.</div></div></div></div>
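<div>An added example, not from Carlos's message and not stunnel's own code, showing the order OpenSSL (and so stunnel's cert= file) expects and how to check it. OpenSSL's PEM reader skips every line outside the BEGIN/END markers, so the "Bag Attributes" text left over from a pkcs12 export needs no particular values and can simply be deleted. What matters is that the first certificate in the file is the server certificate (www.b-kin.com) and the one after it is the intermediate (VeriSign Class 3 Secure Server CA - G3): OpenSSL's chain loader takes the first certificate as the end-entity certificate and sends the rest to the client, in file order, as the chain. The self-signed root is not needed in the file. The script below builds a constructed root/intermediate/leaf chain with made-up names (Demo Root CA, Demo Intermediate CA, www.example.test), assembles the bundle in that order, checks that each certificate's issuer is the subject of the one that follows it, and verifies the result against the root the way a browser would. It assumes only an openssl binary on the PATH; the function names and file names are the example's own.</div>

```shell
#!/bin/sh
# Added example (not from the original message or from stunnel): build a
# constructed root -> intermediate -> leaf chain, assemble the PEM bundle in
# the order OpenSSL's chain loader expects (key, server cert, intermediate),
# and check that order. All names and paths here are made up for the demo.
# Requires the openssl command-line tool.

# Subject or issuer of a certificate, without the "subject=" / "issuer=" prefix.
name_of() {  # name_of subject|issuer cert.pem
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Copy each certificate of a bundle into outdir/cert1.pem, cert2.pem, ...
# Lines outside BEGIN/END CERTIFICATE (private key, "Bag Attributes") are
# skipped, which is also what OpenSSL's PEM reader does with them.
split_certs() {  # split_certs bundle.pem outdir
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# The chain is in the right order when the issuer of certificate N is the
# subject of certificate N+1 (server certificate first, then the intermediates).
check_chain_order() {  # check_chain_order bundle.pem ; returns 0 when ordered
    co_dir=$(mktemp -d)
    split_certs "$1" "$co_dir"
    set -- "$co_dir"/cert*.pem
    co_rc=0
    [ -e "$1" ] || { echo "no certificate found in bundle"; co_rc=1; }
    while [ $# -gt 1 ]; do
        co_issuer=$(name_of issuer "$1")
        co_next=$(name_of subject "$2")
        if [ "$co_issuer" != "$co_next" ]; then
            echo "order error: issuer '$co_issuer' does not match next subject '$co_next'"
            co_rc=1
        fi
        shift
    done
    rm -rf "$co_dir"
    return $co_rc
}

# Verify the bundle against a trusted root the way a client does: the first
# certificate is the server cert, the rest are offered as untrusted intermediates.
verify_bundle() {  # verify_bundle bundle.pem root.crt ; returns 0 when it verifies
    vb_root=$2
    vb_dir=$(mktemp -d)
    split_certs "$1" "$vb_dir"
    set -- "$vb_dir"/cert*.pem
    vb_leaf=$1; shift
    : > "$vb_dir/untrusted.pem"
    for vb_f in "$@"; do cat "$vb_f" >> "$vb_dir/untrusted.pem"; done
    if [ $# -gt 0 ]; then set -- -untrusted "$vb_dir/untrusted.pem"; else set --; fi
    if openssl verify -CAfile "$vb_root" "$@" "$vb_leaf" >/dev/null 2>&1; then vb_rc=0; else vb_rc=1; fi
    rm -rf "$vb_dir"
    return $vb_rc
}

# Issue a certificate signed by an existing CA in dir (helper for the demo chain).
issue_cert() {  # issue_cert dir name subject signer extsection
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$1/demo.cnf" -extensions "$5" -out "$1/$2.crt" 2>/dev/null
}

# Constructed demo PKI: root.crt, int.crt, leaf.crt and their keys in dir.
make_demo_chain() {  # make_demo_chain dir
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[ca_ext]' 'basicConstraints = critical, CA:TRUE' 'keyUsage = critical, keyCertSign, cRLSign' \
        '[leaf_ext]' 'basicConstraints = CA:FALSE' 'subjectAltName = DNS:www.example.test' \
        > "$1/demo.cnf"
    openssl req -x509 -config "$1/demo.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/CN=Demo Root CA (constructed)" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    issue_cert "$1" int  "/CN=Demo Intermediate CA (constructed)" root ca_ext
    issue_cert "$1" leaf "/CN=www.example.test"                  int  leaf_ext
}

# stunnel's cert= file: private key, the server certificate, then the
# intermediate(s) going up the chain. The self-signed root is left out;
# the client is expected to have it already.
assemble_stunnel_pem() {  # assemble_stunnel_pem dir out.pem
    cat "$1/leaf.key" "$1/leaf.crt" "$1/int.crt" > "$2"
}

# Demo run.
WORK=$(mktemp -d)
make_demo_chain "$WORK"
assemble_stunnel_pem "$WORK" "$WORK/stunnel.pem"
check_chain_order "$WORK/stunnel.pem" && echo "stunnel.pem: certificate order OK"
verify_bundle "$WORK/stunnel.pem" "$WORK/root.crt" && echo "stunnel.pem: chain verifies against the root"
# Same certificates with the intermediate placed first: the order check catches it.
cat "$WORK/leaf.key" "$WORK/int.crt" "$WORK/leaf.crt" > "$WORK/swapped.pem"
check_chain_order "$WORK/swapped.pem" || echo "swapped.pem: rejected, as expected"
rm -rf "$WORK"
```

<div>Run against a real bundle, check_chain_order reports the first pair whose issuer and subject do not line up, which is the quickest way to tell whether the intermediate landed before the server certificate; verify_bundle then confirms that a client holding only the root would accept the chain. Text outside the BEGIN/END lines, Bag Attributes included, plays no part in either check.</div>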