In Windows 10 I have done the following:
- Created a directory C:\Certificates\
- From the Microsoft Management Console (MMC) I have exported all the "Trusted Root Certificate Authorities\Certificates" as a Personal Information Exchange .PFX with a passcode
- Using a PowerShell environment, I change directories to C:\Certificates\ and run openssl. From the openssl prompt I convert the above .PFX file to a .pem file:
  openssl pkcs12 -in All_Trusted.pfx -out All_Trusted.pem -nodes
- Next I run the following openssl command:
  openssl s_client -CApath c:\Certificates\ -connect api.gainfutures.com:9400 -CAfile All_Trusted.pem
After a bunch of output, I get the notification:
Verification: OK
This tells me that the remote certificate has passed verification.
Using this to inform my stunnel configuration, I configure:
[GainFuturesConnect]
client = yes
accept = 127.0.0.1:8080
connect = 192.111.85.171:9400
CAfile = C:\Certificates\All_Trusted.pem
CApath = C:\Certificates\
securityLevel = 1
verifyChain = yes
checkHost = api.gainfutures.com:9400
sslVersion = TLSv1.2
sslVersionMax = TLSv1.2
ciphers = DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
Although the preverification succeeds at each "depth", the verification fails at the end:
CERT: Pre-verification succeeded (**Note, this is a change from before I added the above CAfile and CApath values**)
CERT: Subject checks failed
Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com
Remove session callback
TLS alert (write): fatal: internal error
SSL_connect: ssl/statem/statem_clnt.c:2091: error:0A000086:SSL routines::certificate verify failed
So my question becomes two parts:
- How do I get the Subject checks to pass for CERT?
- How do I get rid of the TLS "write" alert, which is an internal error?
Thank you
-William Wood
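Added example (PowerShell, not code from the original post): the same procedure done as a script, with the one change that makes stunnel's subject check pass. In stunnel, checkHost is a bare host name that is matched against the certificate's SAN/CN; the value "api.gainfutures.com:9400" can never match "*.gainfutures.com", which is exactly what "CERT: Subject checks failed" at depth=0 reports, and the fatal alert in the log follows that rejection, so dropping the port addresses both parts of the question. The script also shows that the original openssl s_client run only checked the chain: it needs -verify_hostname to apply the same subject check stunnel does. Assumptions: the MMC export was of the machine-wide store (Cert:\LocalMachine\Root; use Cert:\CurrentUser\Root for the per-user one), the config file name gainfutures.conf, and the optional sni= line.

```powershell
# Added example, not the poster's code: build the CA bundle straight from the
# Windows root store (no PFX/passcode round-trip needed, since root CAs carry no
# private key), write a corrected stunnel section, and cross-check with openssl.
# Assumptions: LocalMachine\Root is the store exported in MMC; gainfutures.conf
# and the sni= line are the author's choices here, not from the original post.
$certDir     = 'C:\Certificates'
$bundle      = Join-Path $certDir 'All_Trusted.pem'
$stunnelConf = Join-Path $certDir 'gainfutures.conf'   # assumed file name
New-Item -ItemType Directory -Force -Path $certDir | Out-Null

# 1. Export every trusted root as DER and wrap it as a PEM block (64-char lines).
$pemBlocks = @(foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = ([Convert]::ToBase64String($der) -replace '(.{64})', "`$1`n").TrimEnd("`n")
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
})
# ASCII, not UTF-8 with BOM: openssl will not parse a bundle that starts with a BOM.
Set-Content -Path $bundle -Value ($pemBlocks -join "`n") -Encoding ascii
Write-Host ("Wrote {0} root certificates to {1}" -f $pemBlocks.Count, $bundle)

# 2. stunnel section. Only checkHost changes from the posted config: it must be a
#    host name, with no port. CApath is dropped because it is only consulted for a
#    c_rehash'ed directory and CAfile already carries the whole bundle. connect= is
#    an IP, so SNI is set explicitly (assumed useful; not needed for the subject check).
$section = @"
[GainFuturesConnect]
client = yes
accept = 127.0.0.1:8080
connect = 192.111.85.171:9400
CAfile = $bundle
securityLevel = 1
verifyChain = yes
checkHost = api.gainfutures.com
sni = api.gainfutures.com
sslVersion = TLSv1.2
sslVersionMax = TLSv1.2
ciphers = DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
"@
Set-Content -Path $stunnelConf -Value $section -Encoding ascii

# 3. Reproduce stunnel's checks with openssl before starting the tunnel:
#    -verify_hostname applies the subject check (the original s_client run did not),
#    -verify_return_error turns a failed verification into a non-zero exit instead
#    of a line buried in the output, -tls1_2 mirrors the sslVersion settings.
$out = '' | & openssl s_client -connect api.gainfutures.com:9400 -tls1_2 `
        -CAfile $bundle -verify_hostname api.gainfutures.com -verify_return_error
$text = ($out -join "`n")
if ($LASTEXITCODE -ne 0 -or $text -notmatch 'Verification: OK') {
    throw "Chain or hostname verification failed:`n$text"
}
Write-Host "Chain and hostname verified; start the tunnel with: stunnel $stunnelConf"
```

If the openssl check passes here but stunnel still reports "Subject checks failed", compare the name in checkHost against the certificate's Subject Alternative Name entries (openssl s_client with -showcerts, then openssl x509 -noout -ext subjectAltName), since a wildcard CN alone is not enough for a host name that has more than one label below gainfutures.com.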