Hi Guys,
I tested the "verify = 4" once again on a different server. It works like a charm.
Please make sure that the certificate provided with CAfile really contains the peer certificate.
The basic test would be: $ openssl x509 -in peer.pem -noout -text | grep -E 'Subject:|DNS:' The result should contain the FQDN of your peer.
Otherwise please post your peer.pem to the list. Certificates are public anyway (unlike private keys), so there is nothing to be afraid of.
Mike
On 2013-07-08 22:38, Michal Trojnara wrote:
Hi Guys,
Thank you for your feedback. I will re-test this feature.
Best regards, Michal Trojnara
On 2013-07-08 18:32, Thomas Eifert wrote:
You're not missing anything. I've experienced a similar issue. While verify = 4 generally works well in most cases and will ignore the CA chain, I've encountered a few isolated incidences in which I've had to append or "chain" the server certificate with the certificate of the CA. Give it a shot and see if it resolves your issue.
Thomas
On 7/8/2013 3:02 AM, dansmith wrote:
I would expect that level 4 only compares locally installed certificates, however I get the same behaviour as with level 3, stunnel expects a CA cert. Here'e the relevant log when on level 4
Jul 6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting certificate verification: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT: Verification error: unable to get local issuer certificate Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd Jul 6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert (read): fatal: unknown CA
What am I missing in understanding verify's level 4 ?
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users