Thank you Mike for your reply. I apologize for my lack of experience with networks. One thing that I personally did not understand in using stunnel is that my SSL traffic that I want to "wrap" needs to be directed at the "accept" port, and that the stunnel wrap THEN sends it out over the connect port with the SSL "magic" applied. With that in mind, I have amended my configuration, and I have a new problem (s?):

client = yes

accept = 127.0.0.1:8080

connect = 192.111.85.171:9400

cert = C:\Certificates\WMW_trade_csr.pem

CAfile = C:\Certificates\ca-cert1.pem

securityLevel = 0

verifyPeer = yes

checkHost = api.gainfutures.com

sslVersion = TLSv1.2

sslVersionMax = TLSv1.2

This binds the service to 127.0.0.1:8080

So far so good. When I start my program, which directs its output stream to the "accept" port, the stunnel log now responds as I send messages:

(I have pulled out just the last part before the error)

2024.07.18 12:19:45 LOG6[1150]: Peer certificate required

2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): before SSL initialization

2024.07.18 12:19:45 LOG7[1150]: Initializing application specific data for session authenticated

2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS write client hello

2024.07.18 12:19:45 LOG7[1150]: TLS state (connect): SSLv3/TLS read server hello

This looks okay to me so far

2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2

2024.07.18 12:19:45 LOG6[1150]: CERT: Pre-verification error ignored: self-signed certificate in certificate chain

2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled

2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=2: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2009 Entrust, Inc. - for authorized use only", CN=Entrust Root Certification Authority - G2

2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded

2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled

2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=1: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K

2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded

2024.07.18 12:19:45 LOG6[1150]: OCSP: Certificate chain verification disabled

2024.07.18 12:19:45 LOG6[1150]: Certificate accepted at depth=1: C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K

2024.07.18 12:19:45 LOG7[1150]: Verification started at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com

2024.07.18 12:19:45 LOG7[1150]: CERT: Pre-verification succeeded

2024.07.18 12:19:45 LOG6[1150]: CERT: Host name "api.gainfutures.com" matched with "*.gainfutures.com"

2024.07.18 12:19:45 LOG4[1150]: CERT: Certificate not found in local repository

not sure what this indicates (not found in local repository)

2024.07.18 12:19:45 LOG4[1150]: Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com

2024.07.18 12:19:45 LOG7[1150]: Remove session callback

2024.07.18 12:19:45 LOG7[1150]: TLS alert (write): fatal: bad certificate

2024.07.18 12:19:45 LOG3[1150]: SSL_connect: ssl/statem/statem_clnt.c:2091: error:0A000086:SSL routines::certificate verify failed

After looking on the internet, I think that the [TLS alert (write): fatal: bad certificate] may refer to the cert = (file.pem), which in this case is a certificate I had made and verified by a trusted authority. The rejected by CERT is clearly referring to the certificate which comes from the server located at the other end of the "connect" port. I have looked specifically at this certificate, and the chain is comprised of two authenticated certificates, with a self-authenticated third certificate. As an example, when I change the "checkHost =" to an IP address, the error message changes:

2024.07.18 12:40:45 LOG7[1157]: CERT: Pre-verification succeeded

*2024.07.18 12:40:45 LOG4[1157]: CERT: Subject checks failed

*2024.07.18 12:40:45 LOG4[1157]: Rejected by CERT at depth=0: C=GB, L=London, O=Gain Capital UK Limited, CN=*.gainfutures.com

2024.07.18 12:40:45 LOG7[1157]: Remove session callback

*2024.07.18 12:40:45 LOG7[1157]: TLS alert (write): fatal: unknown CA

What seems to be consistent is that the remote certificate is being rejected because there is a self-authenticated certificate as the third part of the chain.

I have tried the following:

CAfile = C:\Certificates\ca-cert.pem

(CA file which comes with openssl, I believe) which gives the same results.

CAfile = C:\Certificates\ca-cert1.pem

(Here I have added the chain certificates from file gain-futures-chain.pem) same results

CAfile = C:\Certificates\ca-cert2.pem

(Here I have added the chain certificates from file gain-futures-chainpumpbut removed the self-signed part) same results

CAfile =C:\Certificates\ca-cert3.pem

(ca-cert3.pem contains ONLY the certificates from gain-futures-chain.pem) same results

CAfile =C:\Certificates\gain-futures-chain.pem

This causes the service NOT to be bound, and throws what look like a bunch of openssl errors

So it appears that I am actually probing the certificate that the remote server is sending me. I am still not clear on the role of CAfile, because of the behavior I have outlined. Do I need somehow to find a CAfile which recognizes and validates the certificate from the remote server?

Thank you again!

-William Wood