On 7/26/24 3:10 PM, akos.schneemaier@gmail.com wrote:
Jul 19 00:53:08 router1 stunnel[2933]: LOG6[6]: OCSP: The root CA certificate was not found
There seem to be 3 separate issues with your device:
1. So your stunnel does not trust OCSP responses of your own certificate. Consider adding your trusted root to your CAfile. This is not an error though.
Jul 19 00:53:08 router1 stunnel[2933]: LOG5[6]: OCSP: Connecting the AIA responder "http://r10.o.lencr.org"
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: Error resolving "r10.o.lencr.org": Address family for nodename not supported (EAI_ADDRFAMILY)
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: OCSP: Failed to resolve the OCSP responder address
2. This is a more severe problem: your pfSense could not resolve the IP address of your OCSP responder. Do you have any idea why that happens on your platform? Do you need to add r10.o.lencr.org to your /etc/hosts (or whatever the pfSense equivalent might be)?
Jul 19 00:56:05 router1 stunnel[2933]: LOG6[6]: OCSP: No OCSP stapling response to send
Jul 19 00:56:05 router1 stunnel[2933]: LOG3[6]: SSL_accept: /var/jenkins/workspace/pfSense-CE-snapshots-2_7_2-main/sources/FreeBSD-src-RELENG_2_7_2/crypto/openssl/ssl/record/rec_layer_s3.c:304: error:0A000126:SSL routines::unexpected eof while reading
Jul 19 00:56:05 router1 stunnel[2933]: LOG5[6]: Connection reset/closed: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
3. So your client has disconnected before negotiating TLS. Which TLS client did you use to test it? Consider using openssl s_client, as it will provide you with useful diagnostic data.
Consider also sending your stunnel.conf next time you ask for help with your configuration. 8-)
Best regards, Mike
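The three checks Mike suggests above (does the OCSP response verify against the root you intend to put in CAfile, does the AIA responder name resolve for each address family, and does a TLS client see a stapled response) can be run from a shell with the OpenSSL CLI. The helpers below are an added example written for this thread, not stunnel code or the poster's configuration. They assume an OpenSSL CLI and a getent(1) that understands the ahostsv4/ahostsv6 databases (glibc and FreeBSD both do); the file names cert.pem, issuer.pem and roots.pem and the host/port arguments are placeholders to substitute, while r10.o.lencr.org is the responder from the log above.

```shell
#!/bin/sh
# Added example for the stunnel OCSP-stapling thread; not part of stunnel.
# Assumes: openssl(1) and getent(1) with ahostsv4/ahostsv6 (glibc, FreeBSD).
# cert.pem / issuer.pem / roots.pem and the host:port arguments are placeholders.

# Hostname part of an http(s) URL such as the AIA responder stunnel prints.
# Pure text processing, so it needs no network and works for port/path suffixes.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' -e 's|[/:?#].*$||'
}

# Issue 2: getaddrinfo(3) failed with EAI_ADDRFAMILY. Show what each address
# family resolves to, so a v4-only, v6-only or empty answer becomes visible.
resolve_check() {   # resolve_check r10.o.lencr.org
    for fam in ahostsv4 ahostsv6; do
        echo "== $fam $1"
        getent "$fam" "$1" || echo "(no answer)"
    done
}

# Issue 1: stunnel reported "root CA certificate was not found" for the OCSP
# response. Query the responder named in the certificate's AIA extension and
# verify the response against the root bundle you intend to use as CAfile;
# "Response verify OK" in the output means that bundle is sufficient.
ocsp_verify() {   # ocsp_verify cert.pem issuer.pem roots.pem
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    echo "AIA responder: $url"
    resolve_check "$(url_host "$url")"
    openssl ocsp -issuer "$2" -cert "$1" -CAfile "$3" -url "$url" -resp_text
}

# Issue 3: the client closed the connection before the handshake finished.
# openssl s_client completes the handshake and, with -status, reports whether
# the server sent a stapled OCSP response ("OCSP response: no response sent"
# is what you get while stunnel has nothing to staple).
staple_check() {   # staple_check router1.example.net 443
    openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>&1 \
        | grep -E 'OCSP [Rr]esponse|Cert Status|Verify return code'
}
```

Typical use is `ocsp_verify cert.pem issuer.pem roots.pem` on the stunnel host itself, since that is where the resolution failure occurred, followed by `staple_check <host> <port>` from the client side; `resolve_check` can be run on its own with the responder name from the log.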