Mike,
Okay, here's the simple way to test it. This is repeatable in Stunnel 4.56 and 5.00:
Start with a simple stunnel.conf:
debug = 6
fips = no
delay = yes
output = stunnel.log

[nntps.3]
client = yes
accept = 127.0.0.1:119
connect = news.eternal-september.org:563
Point your favorite newsreader to 127.0.0.1/119, then connect to the server.
Having done that, open the stunnel log window. From the menu bar, choose "save peer certificate".
Save the certificate, which will now be "peer-nntps.3.pem" in the stunnel directory.
Add certificate verification to stunnel.conf:
[nntps.3]
client = yes
cafile = peer-nntps.3.pem
verify = 4
accept = 127.0.0.1:119
connect = news.eternal-september.org:563
Reload the configuration file.
Attempt to reconnect to the server. The certificate verify will fail:
2013.09.20 11:12:35 LOG4[3964]: CERT: Verification error: unable to get local issuer certificate
2013.09.20 11:12:35 LOG4[3964]: Certificate check failed: depth=0, /description=z8x2a0S5FjpJGCa7/C=DE/CN=news.eternal-september.org/emailAddress=wolfgang@weyand-hg.de
2013.09.20 11:12:35 LOG3[3964]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
If you paste the certificate for the root CA into the peer-nntps.3.pem file, then it will verify okay.
I have a feeling you'll find something wrong with the certificate that's causing this to happen. The guy that runs the server likes to "roll his own".
Best regards,
Thomas
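The outcome Thomas describes, reproduced with the plain openssl CLI instead of stunnel. This is an added example, not code from the thread or from the stunnel project: it builds a constructed self-signed CA and a leaf certificate issued by it (stand-ins for the real server certificate), then shows that a PEM bundle holding only the CA-issued leaf is not accepted as a trust anchor by OpenSSL's default verification (the same "unable to get local issuer certificate" at depth 0 as in the log above) until the issuing CA is appended, or until partial-chain semantics are requested explicitly.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with the
# openssl CLI, using a constructed CA and leaf certificate (not the real
# news.eternal-september.org certificate). Requires the openssl binary.
WORK=$(mktemp -d)

# Constructed self-signed CA, and a leaf certificate issued by that CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=news.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# "yes" if subject equals issuer (a self-signed certificate), which is what a
# trust anchor normally has to be for default OpenSSL chain building.
is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1"); i=$(openssl x509 -noout -issuer -in "$1")
    [ "${s#subject=}" = "${i#issuer=}" ] && echo yes || echo no
}

# Verify certificate $2 against PEM trust bundle $1; echoes "ok" or "fail".
# The output is grepped because old openssl releases exit 0 even on failure.
verify_against() {
    if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then echo ok; else echo fail; fi
}

# A bundle with only the leaf (what "save peer certificate" produces), and the
# same bundle with the issuing CA pasted in, as described in the thread.
cp "$WORK/leaf.pem" "$WORK/peer-only.pem"
cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/peer-plus-ca.pem"

echo "leaf self-signed:   $(is_self_signed "$WORK/leaf.pem")"                                # no
echo "verify, peer only:  $(verify_against "$WORK/peer-only.pem" "$WORK/leaf.pem")"          # fail
echo "verify, peer + CA:  $(verify_against "$WORK/peer-plus-ca.pem" "$WORK/leaf.pem")"       # ok

# -partial_chain (OpenSSL 1.0.2 and later) lets a non-self-signed certificate in
# the bundle act as the trust anchor, i.e. genuine "peer certificate only" checking.
openssl verify -partial_chain -CAfile "$WORK/peer-only.pem" "$WORK/leaf.pem" 2>&1 | tail -n 1
```

The failing case prints "error 20 at 0 depth lookup" in the verify output, which is the same error and depth that stunnel logged above.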
On 9/20/2013 5:16 AM, Michal Trojnara wrote:
On 09/20/2013 10:10 AM, Thomas Eifert wrote:
Testing is the best way, for sure. In theory, L4 checks for the peer certificate only. Yet, I'm currently using at least one peer certificate that requires the top CA to be present in the .pem file. If I remove it, L4 fails. Go figure.
I wasn't able to reproduce this issue. Could you send some more details? A step-by-step procedure would be great.
Mike