Mike,
I tried your config. I had to comment out the foreground and pid statements, as they produced error messages (I'm running under Win 7). I also had to change the server address to a valid one, but in any case it's producing the same error. Here's the log:
2013.10.24 17:23:28 LOG7[2824:2876]: Service [test_cli] accepted (FD=436) from 127.0.0.1:49487
2013.10.24 17:23:28 LOG7[2824:2876]: Creating a new thread
2013.10.24 17:23:28 LOG7[2824:2876]: New thread created
2013.10.24 17:23:28 LOG7[2824:3420]: Service [test_cli] started
2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] accepted connection from 127.0.0.1:49487
2013.10.24 17:23:28 LOG6[2824:3420]: connect_blocking: connecting 69.16.186.7:443
2013.10.24 17:23:28 LOG7[2824:3420]: connect_blocking: s_poll_wait 69.16.186.7:443: waiting 10 seconds
2013.10.24 17:23:28 LOG5[2824:3420]: connect_blocking: connected 69.16.186.7:443
2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] connected remote server from 192.168.5.9:49488
2013.10.24 17:23:28 LOG7[2824:3420]: Remote socket (FD=608) initialized
2013.10.24 17:23:28 LOG7[2824:3420]: SNI: sending servername: news80.forteinc.com
2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): before/connect initialization
2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): SSLv3 write client hello A
2013.10.24 17:23:29 LOG7[2824:3420]: SSL state (connect): SSLv3 read server hello A
2013.10.24 17:23:29 LOG7[2824:3420]: Starting certificate verification: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com
2013.10.24 17:23:29 LOG4[2824:3420]: CERT: Verification error: unable to get local issuer certificate
2013.10.24 17:23:29 LOG4[2824:3420]: Certificate check failed: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com
2013.10.24 17:23:29 LOG7[2824:3420]: SSL alert (write): fatal: unknown CA
2013.10.24 17:23:29 LOG3[2824:3420]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013.10.24 17:23:29 LOG5[2824:3420]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.10.24 17:23:29 LOG7[2824:3420]: Remote socket (FD=608) closed
2013.10.24 17:23:29 LOG7[2824:3420]: Local socket (FD=436) closed
2013.10.24 17:23:29 LOG7[2824:3420]: Service [test_cli] finished (1 left)
Here's my own test configuration:
debug = 7
fips = no
delay = yes
output = stunnel.log

[nntps.6]
client = yes
cafile = peer-nntps.6.pem
verify = 4
accept = 127.0.0.1:119
connect = news80.forteinc.com:443
Regards,
Thomas
On 10/24/2013 4:19 PM, Michal Trojnara wrote:
On 2013-10-24 23:07, Thomas Eifert wrote:
I'm not having your luck. Out of ten services, I have eight verify = 4's that work as they should, and two that need the CA certificate to be added.
I don't think it's about luck. I'm pretty sure there is something wrong with your configuration. The one I sent you works fine. I won't be able to diagnose yours, because you didn't send it. Please try to reproduce my setup first. If it doesn't help solve the problem immediately, send me your setup so I can reproduce your error.
BTW: I highly recommend reading: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
Mike
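For triaging a debug = 7 log like the one quoted in this thread, the following script (an added example, not part of the original messages and not stunnel code) follows each worker thread's `[pid:thread]` tag and reports the connections where certificate verification failed. The sample log is constructed in the same line format with placeholder hostnames, and the function and field names are assumptions of this example.

```python
import re

# Constructed sample in the stunnel debug-log line format; hostnames are placeholders.
SAMPLE_LOG = """\
2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] accepted connection from 127.0.0.1:49487
2013.10.24 17:23:28 LOG7[2824:3420]: SNI: sending servername: news.example.test
2013.10.24 17:23:29 LOG4[2824:3420]: CERT: Verification error: unable to get local issuer certificate
2013.10.24 17:23:29 LOG4[2824:3420]: Certificate check failed: depth=0, /C=US/O=Example/CN=*.example.test
2013.10.24 17:23:29 LOG7[2824:3420]: Service [test_cli] finished (0 left)
2013.10.24 17:23:30 LOG5[2824:3420]: Service [other_cli] accepted connection from 127.0.0.1:49490
2013.10.24 17:23:30 LOG7[2824:3420]: SNI: sending servername: ok.example.test
"""

LINE = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG\d\[(\d+:\d+)\]: (.*)$")
START = re.compile(r"^Service \[([^\]]+)\] accepted connection from (\S+)")
FIELDS = {
    "sni": re.compile(r"^SNI: sending servername: (\S+)"),
    "error": re.compile(r"^CERT: Verification error: (.+)"),
    "failed_cert": re.compile(r"^Certificate check failed: (depth=\d+, .+)"),
}

def verification_failures(log_text):
    """Return one record per connection whose thread logged a CERT verification error."""
    current = {}   # "pid:thread" -> record of the connection that thread is handling now
    records = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a stunnel log line
        thread, msg = m.groups()
        start = START.match(msg)
        if start:
            # Thread ids can be reused, so every accepted connection gets a fresh record.
            rec = {"service": start.group(1), "client": start.group(2)}
            current[thread] = rec
            records.append(rec)
            continue
        rec = current.get(thread)
        if rec is None:
            continue  # line from the listener thread or before any connection
        for name, rx in FIELDS.items():
            hit = rx.match(msg)
            if hit:
                rec.setdefault(name, hit.group(1))  # keep the first value logged
    return [r for r in records if "error" in r]

if __name__ == "__main__":
    for failure in verification_failures(SAMPLE_LOG):
        print(failure)
```

The `failed_cert` field shows the depth and subject at which the check stopped, which is the certificate whose issuer was not found in the configured CA file.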