Hello,
I've tried to use verify = 3 with Giganews on several occasions now, but it always fails. It works fine with other servers, however. Here is the debug output for the Giganews scenario:
2012.01.12 14:05:01 LOG4[292:3840]: CERT: Verification error: unable to get local issuer certificate
2012.01.12 14:05:01 LOG4[292:3840]: Certificate check failed: depth=1, /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
2012.01.12 14:05:01 LOG3[292:3840]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
And the following is from my stunnel.conf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
debug = 6
delay = yes

[nntps.3]
client = yes
sslVersion = TLSv1
ciphers = AES256-SHA
cafile = peer-nntps.3.pem
verify = 3
accept = 127.0.0.1:119
connect = news.giganews.com:443
~~~~~~~~~~~~~~~~~~~~~~~~~~~
As I have with other connections, I am saving peer-nntps3.pem from the log window menu.
Can anyone tell me why this is failing on this server only?
Regards;
Thomas
Thomas Eifert wrote:
2012.01.12 14:05:01 LOG4[292:3840]: CERT: Verification error: unable to get local issuer certificate
Unfortunately, sending the root CA certificate within the chain is optional. This is why the root CA certificate didn't make it to your peer-nntps3.pem.
The good news is that in recent versions of stunnel I implemented a solution for it:
verify = 3
Replace it with "verify = 4". This option only checks the peer certificate, and ignores all other certificates in the chain.
Mike
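To see the two verification modes contrasted in the answer above, here is an added shell demo (not from the thread or the stunnel project) that builds a constructed root/intermediate/leaf chain with the openssl CLI and uses `openssl verify` as a stand-in for stunnel's checks: full-chain verification fails on a saved peer chain that lacks the root, while trusting the leaf itself passes. Treating `-partial_chain` against the leaf as the equivalent of `verify = 4` is an assumption; the names and files are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from the thread): build a constructed root -> intermediate
# -> leaf chain, then show why a saved peer chain without the root CA cannot
# pass full-chain verification, while pinning the leaf itself works.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_ROOT="/CN=Demo Root CA"          # constructed names, not a real CA
SUBJ_INT="/CN=Demo Intermediate CA"
SUBJ_LEAF="/CN=news.example.test"
keygen() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Self-signed root (req -x509 marks it CA:TRUE by default).
keygen "$WORK/root.key"
openssl req -x509 -new -key "$WORK/root.key" -subj "$SUBJ_ROOT" -days 2 \
  -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA signed by the root; it needs CA:TRUE to sign the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
keygen "$WORK/int.key"
openssl req -new -key "$WORK/int.key" -subj "$SUBJ_INT" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Leaf (server) certificate signed by the intermediate.
keygen "$WORK/leaf.key"
openssl req -new -key "$WORK/leaf.key" -subj "$SUBJ_LEAF" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null

# What a server typically sends, and therefore what a "save peer certificate"
# feature captures: leaf + intermediate, no root.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/peer-chain.pem"

# Prints "ok" or "fail"; $1 = trust file, remaining args go to openssl verify.
verify_leaf() {
  trust=$1; shift
  if openssl verify -CAfile "$trust" "$@" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok; else echo fail; fi
}

# verify=3 style: the chain must reach a trusted root. The saved chain has no
# root, so the intermediate's issuer is missing at depth 1 ("unable to get
# local issuer certificate"), the same error as in the thread.
verify_leaf "$WORK/peer-chain.pem"                       # prints "fail"
# With the real root as anchor and the intermediate supplied, the chain closes.
verify_leaf "$WORK/root.pem" -untrusted "$WORK/int.pem"  # prints "ok"
# verify=4 style (assumed analogue): trust the peer certificate itself and
# ignore the rest of the chain; -partial_chain allows a non-root anchor.
verify_leaf "$WORK/leaf.pem" -partial_chain              # prints "ok"
```

Run it with `sh` on any host with the openssl CLI; no network access is needed.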
Michal:
Thanks for taking the time to answer a question about a non-stunnel issue.
I saw the verify=4 in the manual, but was unsure about whether or not it validated against the locally installed certificate. I updated my stunnel.conf, and am no longer having any issues.
Thanks again; you are one of the unsung heroes.
Thomas
On 1/13/2012 11:17 AM, Michal Trojnara wrote: