dansmith,
It's my understanding that verify = 4 should, theoretically, look only for the server certificate, and this is the way I've been using it with great success over the past year or so. Recently, however, I ran into an exception to that behavior.
In my case, I only had to download and install one certificate; that of the signing CA. I simply pasted it directly below the server certificate in the associated .pem file. The CA certificate wasn't originally in .pem format, so I converted it beforehand. OpenSSL has conversion capability, and there are also online certificate tools available. Your mileage may vary.
Good luck.
Thomas
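The "unable to get local issuer certificate" failure from the log and the fix described above, reproduced with openssl verify against a throwaway CA and server certificate. This is an added example, not configuration from anyone on the list; it assumes openssl verify as a stand-in for the X509 chain check stunnel runs against its CAfile, and every name and certificate in it is constructed.

```shell
#!/bin/sh
# Added example: a CAfile holding only the server certificate fails the issuer lookup;
# the same file with the signing CA appended below the server certificate verifies.
# Everything here is constructed: a throwaway CA and server certificate, nothing from the list.
set -e
WORK=$(mktemp -d)

# Constructed self-signed signing CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Example Signing CA" -days 365 >/dev/null 2>&1
# Constructed server certificate issued by that CA (the depth=0 certificate in the log).
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/CN=redf" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/server.pem" -days 365 >/dev/null 2>&1

# A CA certificate is often handed out in DER form; convert it to PEM before appending,
# as the post describes. openssl x509 does the conversion.
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
openssl x509 -inform DER -in "$WORK/ca.der" -out "$WORK/ca-converted.pem"

# CAfile that holds only the server certificate.
cp "$WORK/server.pem" "$WORK/cafile-leaf-only.pem"
# CAfile with the signing CA pasted directly below the server certificate.
cat "$WORK/server.pem" "$WORK/ca-converted.pem" > "$WORK/cafile-chained.pem"

# verify_with CAFILE: run the OpenSSL chain check against the given CAfile and
# print "verified" or "failed" so the two CAfiles can be compared.
verify_with() {
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo verified
  else
    echo failed
  fi
}

# Leaf-only CAfile: the issuer (the CA) is not in the store, so the lookup fails,
# which is the "unable to get local issuer certificate" error seen in the stunnel log.
leaf_only_result() { verify_with "$WORK/cafile-leaf-only.pem"; }
# Chained CAfile: the self-signed CA is found as the issuer and the chain verifies.
chained_result()   { verify_with "$WORK/cafile-chained.pem"; }

leaf_only_result
chained_result
```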
On 7/8/2013 3:01 PM, dansmith wrote:
Could you kindly break it down for me? Are you saying that I need to have two CAs, A & B? A signs the certificate of B and B signs the certificate of my server? Do I understand correctly that verify=4 is supposed to simply ignore any CAs and only look at the actual certificate, comparing it to the certificate in CAfile?
On 07/08/2013 06:32 PM, Thomas Eifert wrote:
You're not missing anything. I've experienced a similar issue. While verify = 4 generally works well in most cases and will ignore the CA chain, I've encountered a few isolated incidents in which I've had to append or "chain" the server certificate with the certificate of the CA. Give it a shot and see if it resolves your issue.
Thomas
On 7/8/2013 3:02 AM, dansmith wrote:
I would expect that level 4 only compares locally installed certificates; however, I get the same behaviour as with level 3: stunnel expects a CA cert. Here's the relevant log when on level 4:
Jul 6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting certificate verification: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT: Verification error: unable to get local issuer certificate
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert (read): fatal: unknown CA
What am I missing in understanding verify's level 4?
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users