OK, the errors are a bit different this time...
Server:
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): before/accept initialization
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 read client hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write server hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate request A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 flush data
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:58:00 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:58:00 LOG4[13122:3086949296]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=XXXX_XXXX_XXXX/CN=XXXXXXXXXX/emailAddress=sysadmin@XXXX
2005.03.17 13:58:00 LOG7[13122:3086949296]: SSL alert (write): fatal: bad certificate
2005.03.17 13:58:00 LOG3[13122:3086949296]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2005.03.17 13:58:00 LOG7[13122:3086949296]: school4 finished (0 left)
Client:
2005.03.17 13:02:46 LOG7[768:1148]: remote connect #1: EWOULDBLOCK: retrying
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=write
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:46 LOG7[768:1148]: remote connect #2: EINVAL: ok
2005.03.17 13:02:46 LOG7[768:1148]: Remote FD=688 initialized
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): before/connect initialization
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): SSLv3 write client hello A
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=read
2005.03.17 13:02:49 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXXXXXXXX/emailAddress=sysadmin@XXXXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
What should I check next? Is it possible I screwed up making the certs?
Thanks again for your continued help.
Regards,
+------------------------------------------+
| Richard Houston                   .^.    |
| R.L.H. Consulting                 /V\    |
| E-Mail rhouston@rlhc.net         /( )\   |
| WWW <www.rlhc.net>               ^^-^^   |
+------------------------------------------+
Jan Meijer said:
On Thu, 17 Mar 2005, Richard Houston wrote:
I have replaced the keys already. These are new keys altogether.
It's not the keys that are wrong, they're in the wrong places. The verify failure indicates just that: both server and client have problems verifying the authenticity of one another.
Now try this.
At the server side:
- change verify to '= 2'
At the client side:
Make sure the client certificate is not commented out as it looks like in your config:
CApath=c:\stunnel
#cert=c:\stunnel\traf-test.pem
Without a certificate at the client side there's no way the client will ever authenticate to your 'verify = 2' server.
Secondly, remove the 'CAPath' directive from your client configuration and add 'CAfile = /etc/stunnel/cacert.pem' to it. Do make sure you copy the cacert.pem to your client ;).
I trust you did not include the private key of your CA in cacert.pem ;).
Let me know what happens.
Jan
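A way to reproduce and check the "unable to get local issuer certificate" failure from the logs outside stunnel, as an added example that is not part of this thread: it builds a throwaway CA and a leaf certificate in a temporary directory (constructed test data; assumes the openssl CLI is installed), verifies the leaf against an unrelated CA file and against its own cacert.pem, and checks that the cacert.pem handed to clients carries no private key, Jan's last point.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA plus a leaf
# certificate in a temporary directory (constructed test data; assumes the
# openssl CLI is installed) and reproduces the verify failure from the logs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, a leaf signed by it, and an unrelated self-signed cert that
# stands in for a wrong or stale CApath on the client.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=traf-test" \
        -keyout "$WORK/traf-test.key" -out "$WORK/traf-test.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/traf-test.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/traf-test.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    # The mistake Jan warns about: the CA private key pasted into cacert.pem.
    cat "$WORK/cacert.pem" "$WORK/ca.key" > "$WORK/bad-cacert.pem"
}

# Prints OK when certificate $1 chains to CA file $2, otherwise openssl's
# reason (the thread's case: "unable to get local issuer certificate").
verify_against() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo OK
    else
        openssl verify -CAfile "$2" "$1" 2>&1 \
            | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

# True when a CA file meant for clients contains a private key block.
cafile_has_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

make_test_pki
echo "leaf vs. unrelated CA: $(verify_against "$WORK/traf-test.crt" "$WORK/other.pem")"
echo "leaf vs. its own CA:   $(verify_against "$WORK/traf-test.crt" "$WORK/cacert.pem")"
if cafile_has_private_key "$WORK/bad-cacert.pem"; then
    echo "bad-cacert.pem leaks a private key: do not ship it to clients"
fi
```

Run the same verify_against check with the real server and client certificates against the cacert.pem copied to each side; the first line of the script's output is what a client with a CApath that does not hold the issuer sees.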