Hi Alexander,
How often do you receive those errors that fill your logs? I only found a single line in your email, so it is hard for me to estimate the volume.
Best regards, Mike
27 Dec 2024 13:51:44 Alexander Moisseev via stunnel-users stunnel-users@stunnel.org:
Hello,
I am experiencing an issue with stunnel versions 5.73 and above where the server logs are continuously filled with the following message: "OCSP: SSL_get_certificate"
This issue does not occur in version 5.72. I am using PSK for encryption and have not configured OCSP. Here are the details of my setup:
```
[.] stunnel 5.74 on amd64-portbld-freebsd14.1 platform
[.] Compiled with OpenSSL 3.0.13 30 Jan 2024
[.] Running with OpenSSL 3.0.15 3 Sep 2024
```
- Server configuration file:
```
setuid = stunnel
setgid = nogroup

pid = /var/run/stunnel/stunnel.pid

[bayes]
accept = 6478
connect = 6378
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
cert = /usr/local/etc/stunnel/cert.pem
key = /usr/local/etc/stunnel/private.key

[fuzzy]
accept = 6477
connect = 6377
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
cert = /usr/local/etc/stunnel/cert.pem
key = /usr/local/etc/stunnel/private.key
```
- Client configuration file:
```
setuid = stunnel
setgid = nogroup

pid = /var/run/stunnel/stunnel.pid

[bayes]
client = yes
accept = localhost:6478
connect = host.example.org:6478
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt

[fuzzy]
client = yes
accept = localhost:6477
connect = host.example.org:6477
ciphers = PSK
PSKsecrets = /usr/local/etc/stunnel/psk.txt
```
- Relevant log entries:
```
Dec 27 09:00:10 mx stunnel[22113]: LOG3[per-minute]: OCSP: SSL_get_certificate
```
As a temporary workaround, I generated a self-signed certificate and configured stunnel to use it. This has resolved the issue with OCSP messages. However, I believe this is not the intended behavior when using PSK without configuring OCSP.
I would appreciate any help or guidance on how to properly configure stunnel to avoid this issue without requiring a self-signed certificate.
Thank you, Alexander