<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Guys,<br>
<br>
I tested the "verify = 4" once again on a different server. It
works like a charm.<br>
<br>
Please make sure that the certificate provided with CAfile really
contains the peer certificate.<br>
<br>
The basic test would be:<br>
$ openssl x509 -in peer.pem -noout -text | grep -E 'Subject:|DNS:'<br>
The result should contain the FQDN of your peer.<br>
<br>
Otherwise please post your peer.pem to the list. Certificates are
public anyway (unlike private keys), so there is nothing to be
afraid of.<br>
<br>
Mike<br>
<br>
On 2013-07-08 22:38, Michal Trojnara wrote:<br>
</div>
<blockquote cite="mid:51DB2333.5060103@mirt.net" type="cite">
<pre wrap="">Hi Guys,
Thank you for your feedback. I will re-test this feature.
Best regards,
Michal Trojnara
On 2013-07-08 18:32, Thomas Eifert wrote:
</pre>
<blockquote type="cite">
<pre wrap="">You're not missing anything. I've experienced a similar issue. While
verify = 4 generally works well in most cases and will ignore the CA
chain, I've encountered a few isolated incidences in which I've had to
append or "chain" the server certificate with the certificate of the
CA. Give it a shot and see if it resolves your issue.
Thomas
On 7/8/2013 3:02 AM, dansmith wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I would expect that level 4 only compares locally installed
certificates, however I get the same behaviour as with level 3, stunnel
expects a CA cert.
Here'e the relevant log when on level 4
Jul 6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting
certificate verification: depth=0,
/C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT:
Verification error: unable to get local issuer certificate
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate
check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert
(read): fatal: unknown CA
What am I missing in understanding verify's level 4 ?
_______________________________________________
stunnel-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a>
<a class="moz-txt-link-freetext" href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
stunnel-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a>
<a class="moz-txt-link-freetext" href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a>
</pre>
</blockquote>
<br>
</body>
</html>