Hello
I would like to authenticate a server with only its CA file. What is the equivalence of verify=2?
requireCert = yes
verifyChain = no
verifyPeer = yes
Regards
Yann
Hello,
I am facing the below difficulties while using stunnel as a TLS server with a CA file.
-- TLS Server running in Windows
-- Use of CA File
-- Cipher use from client is:
-- ciphers = ECDHE-ECDSA-AES256-GCM-SHA384

2021.07.20 23:38:32 LOG7[11]: Decrypt session ticket callback
2021.07.20 23:38:32 LOG7[11]: Initializing application specific data for session authenticated
2021.07.20 23:38:32 LOG7[11]: SNI: no virtual services defined
2021.07.20 23:38:32 LOG7[11]: TLS alert (write): fatal: handshake failure
2021.07.20 23:38:32 LOG3[11]: SSL_accept: ssl/statem/statem_srvr.c:2283: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
2021.07.20 23:38:32 LOG5[11]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2021.07.20 23:38:32 LOG7[11]: Deallocating application specific data for session connect address
2021.07.20 23:38:32 LOG7[11]: Local descriptor (FD=1000) closed
2021.07.20 23:38:32 LOG7[11]: Service [Server] finished (0 left)

If this cipher is removed, the validation passes. Is this cipher not supported? Stunnel version is 5.59. Even if verifyPeer is disabled, there is no gain.

Conf file:
[Server]
accept = 443
connect = 8888
sslVersion = TLSv1.2
ciphers = ECDHE-ECDSA-AES256-GCM-SHA384
verifyChain = no
;verifyPeer = no
;verify = 1
CAfile = xyz.crt
cert = xyz.crt
key = key.pem
options = NO_SSLv2
options = NO_SSLv3
debug = 7
W dniu 21.07.2021 o 09:07, Sachin Deshmukh pisze:
I am facing the below difficulties while using stunnel as a TLS server with a CA file.
-- TLS Server running in Windows
-- Use of CA File
-- Cipher use from client is:
-- ciphers = ECDHE-ECDSA-AES256-GCM-SHA384

2021.07.20 23:38:32 LOG7[11]: TLS alert (write): fatal: handshake failure
2021.07.20 23:38:32 LOG3[11]: SSL_accept: ssl/statem/statem_srvr.c:2283: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher

If this cipher is removed, the validation passes. Is this cipher not supported? Stunnel version is 5.59. Even if verifyPeer is disabled, there is no gain.

Hi Sachin,
Cipher suites using ECDSA for authentication (such as ECDHE-ECDSA-AES256-GCM-SHA384) require ECDSA-based certificates. Commonly used certificates are based on RSA rather than ECDSA.
Regards, Małgorzata
I would like to authenticate a server with only its CA file. What is the equivalence of verify=2?
requireCert = yes
verifyChain = no
verifyPeer = yes
Regards
Yann
Hi!
Take a look at this cheat sheet:

no verify <=> requestCert=no & requireCert=no & verifyChain=no & verifyPeer=no
verify=0 <=> requestCert=yes & requireCert=no & verifyChain=no & verifyPeer=no
verify=1 <=> requestCert=yes & requireCert=no & verifyChain=yes & verifyPeer=no
verify=2 <=> requestCert=yes & requireCert=yes & verifyChain=yes & verifyPeer=no
verify=3 <=> requestCert=yes & requireCert=yes & verifyChain=yes & verifyPeer=yes
verify=4 <=> requestCert=yes & requireCert=yes & verifyChain=no & verifyPeer=yes
Regards, Małgorzata
Hello
Thanks for your help
Where is the requestCert parameter described?
Not found on the webpage https://www.stunnel.org/static/stunnel.html
Regards
Yann
W dniu 22.07.2021 o 08:59, Yann RESCOURIO pisze:
Hello
Thanks for your help
Where is the requestCert parameter described?
Not found on the webpage https://www.stunnel.org/static/stunnel.html
Hi,
There is no requestCert option, but that simply highlights the difference between *no verify* and *verify = 0* option in my cheat sheet.
Regards, Małgorzata
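An added example, not code from the thread or from the stunnel project, that turns the two answers above into a small Python linter. It applies Małgorzata's cheat sheet to map a service's explicit requireCert / verifyChain / verifyPeer settings to the legacy verify level they equal (and expands a legacy verify level the other way), and it flags a ciphers line in which every suite authenticates with ECDSA, the mismatch behind Sachin's "no shared cipher". The config parser, the treatment of explicit options as overriding a legacy verify level, the derivation of requestCert from "any verification configured", and the sample configuration (assembled from the two posted configs; the [yann] service name and its ca.crt are placeholders) are this example's own assumptions, not stunnel behaviour documented in the thread.

```python
from typing import Dict, List, Optional, Tuple

Flags = Tuple[bool, bool, bool, bool]  # requestCert, requireCert, verifyChain, verifyPeer
# The cheat sheet from the thread: legacy verify level -> explicit flags.
VERIFY_LEVELS: Dict[Optional[int], Flags] = {
    None: (False, False, False, False),  # no verify option at all
    0: (True, False, False, False),
    1: (True, False, True, False),
    2: (True, True, True, False),
    3: (True, True, True, True),
    4: (True, True, False, True),
}
EXPLICIT = ("requirecert", "verifychain", "verifypeer")  # the parser lower-cases keys
YES = ("yes", "true", "on", "1")
STATIC_RSA = {"AES128", "AES256", "CAMELLIA128", "CAMELLIA256", "DES", "RC4", "SEED"}

def parse_stunnel_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """stunnel's INI-like syntax: '[service]' headers, 'key = value' lines, ';'/'#'
    comment lines. Repeated keys (several 'options = ...') are kept in order."""
    sections: Dict[str, Dict[str, List[str]]] = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return sections

def effective_flags(service: Dict[str, List[str]]) -> Flags:
    """Combine a legacy 'verify' level with the explicit options. Assumption of this
    linter, not a statement from the thread: an explicit option overrides the flag
    implied by 'verify', and a certificate is requested once any verification is set."""
    level = int(service["verify"][-1]) if "verify" in service else None
    if level not in VERIFY_LEVELS:
        raise ValueError(f"unknown verify level {level}")
    flags = list(VERIFY_LEVELS[level][1:])
    for i, key in enumerate(EXPLICIT):
        if key in service:
            flags[i] = service[key][-1].lower() in YES
    return (level is not None or any(flags), flags[0], flags[1], flags[2])

def legacy_equivalent(flags: Flags) -> str:
    """Name the legacy level equal to a flag combination, if one exists."""
    for level, combo in VERIFY_LEVELS.items():
        if combo == flags:
            return "no verify" if level is None else f"verify = {level}"
    return "no legacy equivalent"

def cipher_auth(suite: str) -> str:
    """Certificate type an OpenSSL cipher-suite name commits the server to."""
    parts = suite.upper().split("-")
    if "ECDSA" in parts:
        return "ECDSA"
    if "RSA" in parts or parts[0] in STATIC_RSA:  # AES256-SHA etc.: RSA key exchange
        return "RSA"
    return "other"  # DSS, PSK, anonymous, or an alias such as HIGH

def ecdsa_only(cipher_spec: str) -> bool:
    """True when every positive entry of 'ciphers' needs an ECDSA certificate."""
    entries = [e.strip() for e in cipher_spec.split(":")]
    auths = [cipher_auth(e) for e in entries if e and e[0] not in "!-+@"]
    return bool(auths) and all(a == "ECDSA" for a in auths)

def lint(text: str) -> Dict[str, dict]:
    """Per-service report: effective flags, their legacy equivalent, warnings."""
    report: Dict[str, dict] = {}
    for name, service in parse_stunnel_conf(text).items():
        if not name:
            continue  # the global section carries no service-level verification
        flags = effective_flags(service)
        warnings: List[str] = []
        if "ciphers" in service and ecdsa_only(service["ciphers"][-1]):
            warnings.append("all cipher suites need an ECDSA certificate; with an RSA "
                            "'cert' SSL_accept fails with 'no shared cipher'")
        report[name] = {"flags": flags, "legacy": legacy_equivalent(flags),
                        "warnings": warnings}
    return report

# Constructed from the two configurations posted in the thread.
SAMPLE_CONF = """\
[Server]
accept = 443
ciphers = ECDHE-ECDSA-AES256-GCM-SHA384
verifyChain = no
;verify = 1
CAfile = xyz.crt
cert = xyz.crt

[yann]
client = yes
CAfile = ca.crt
requireCert = yes
verifyChain = no
verifyPeer = yes
"""
```

Calling lint(SAMPLE_CONF) reports the [Server] service as "no verify" (its only verification line is verifyChain = no, the rest is commented out) with the ECDSA-only cipher warning, and reports the [yann] service, which carries the three options from the first message, as "verify = 4": per the cheat sheet, requireCert=yes with verifyChain=no and verifyPeer=yes is the verify=4 line, not verify=2.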