Hi All,
I'm trying to create an SSL tunnel between my server (Windows 2008 R2, stunnel version 4.56) and a remote application server. I have merged both the root and the sub certificate into one file, and it looks like it can verify them and accept them as well, but then it tries to verify at depth=0 and says the certificate was not found in the local repository. Am I missing anything here? (I modified the messages in the debug output below so as not to disclose details of the certificates.)
Thank you! BR, Roman
2013.06.18 11:22:34 LOG7[272:2156]: Service [SZX] started
2013.06.18 11:22:34 LOG5[272:2156]: Service [SZX] accepted connection from 127.0.0.1:49397
2013.06.18 11:22:34 LOG6[272:2156]: connect_blocking: connecting 10.254.0.21:443
2013.06.18 11:22:34 LOG7[272:2156]: connect_blocking: s_poll_wait 10.254.0.21:443: waiting 10 seconds
2013.06.18 11:22:34 LOG5[272:2156]: connect_blocking: connected 10.254.0.21:443
2013.06.18 11:22:34 LOG5[272:2156]: Service [SZX] connected remote server from 192.168.20.23:49398
2013.06.18 11:22:34 LOG7[272:2156]: Remote socket (FD=396) initialized
2013.06.18 11:22:34 LOG7[272:2156]: SNI: sending servername: 10.254.0.21
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): before/connect initialization
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): SSLv3 write client hello A
2013.06.18 11:22:34 LOG7[272:2156]: SSL state (connect): SSLv3 read server hello A
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=2, /CN=xxx RootCA
2013.06.18 11:22:34 LOG5[272:2156]: Certificate accepted: depth=2, /CN=xxx RootCA
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=1, /CN=xxx
2013.06.18 11:22:34 LOG5[272:2156]: Certificate accepted: depth=1, /CN=xxx SubCA1
2013.06.18 11:22:34 LOG7[272:2156]: Starting certificate verification: depth=0, /C=zzz
2013.06.18 11:22:34 LOG4[272:2156]: CERT: Certificate not found in local repository
2013.06.18 11:22:34 LOG4[272:2156]: Certificate check failed: depth=0, /C=zzz
2013.06.18 11:22:34 LOG7[272:2156]: SSL alert (write): fatal: certificate unknown
2013.06.18 11:22:34 LOG3[272:2156]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013.06.18 11:22:34 LOG5[272:2156]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.06.18 11:22:34 LOG7[272:2156]: Remote socket (FD=396) closed
2013.06.18 11:22:34 LOG7[272:2156]: Local socket (FD=376) closed
2013.06.18 11:22:34 LOG7[272:2156]: Service [SZX] finished (0 left)
Hi,
Looks like you have verify = 3 (verify the peer certificate with a locally installed file) and it can't find the peer certificate to verify against.
Are you sure that the CAfile contains the peer certificate too, not only the CAs?
If you use verify = 2 (it just verifies the certificate against the CA) and it doesn't give errors, there you have the proof.
I may be wrong but looks like that :)
Regards.
On 2013-06-19 14:17, Roman Tuchyna wrote:
> I'm trying to create an SSL tunnel between my server (Windows 2008 R2, stunnel version 4.56) and a remote application server. I have merged both the root and the sub certificate into one file, and it looks like it can verify them and accept them as well, but then it tries to verify at depth=0 and says the certificate was not found in the local repository. Am I missing anything here?
I didn't test it myself, but some users reported that OpenSSL requires a specific order of certificates and an empty line between them.
BTW: Are you sure that CAfile contains the certificate of *your peer* (the remote application server)?
Mike
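Both replies above come down to two checks on the CAfile: whether it actually contains the peer's own certificate (which stunnel's verify = 3 requires on top of the CA chain that verify = 2 checks), and whether concatenating the files produced a bundle that OpenSSL's PEM reader splits into all of its certificates. The script below is an added example, not stunnel's code or anything posted in this thread. It reads the bundle the way OpenSSL's PEM reader does, line by line, where a block starts only at a line that begins with the BEGIN marker; so when the first file lacked a trailing newline and its END marker and the next BEGIN marker ended up on one line, the second certificate is silently skipped. The certificate bodies are constructed placeholders (base64 of short byte strings, not real X.509 DER), since the checks only need the PEM framing and a byte-exact comparison; the subject names in the comments are taken from the log in the original post.

```python
"""Inspect a stunnel CAfile bundle: list the certificates it yields, flag
END/BEGIN markers glued onto one line, and check whether the peer's own
certificate is present (the extra condition stunnel's verify = 3 imposes).

Added example, not stunnel's code.  The PEM bodies built below are
constructed placeholders, not real certificates.
"""
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_bundle(text: str) -> list[bytes]:
    """DER bytes of each certificate, read the way OpenSSL's PEM reader reads:
    a block starts at a line that BEGINS with the BEGIN marker and ends at the
    first following line that begins with the END marker.  A BEGIN marker
    elsewhere on a line (e.g. glued onto an END line) is never seen, so that
    certificate is silently dropped."""
    ders, body = [], None
    for line in text.splitlines():          # handles CRLF from Windows too
        if body is None:
            if line.startswith(BEGIN):
                body = []
        elif line.startswith(END):
            ders.append(base64.b64decode("".join(body), validate=True))
            body = None
        else:
            body.append(line.strip())
    return ders


def glued_markers(text: str) -> int:
    """Count lines where one certificate's END and the next BEGIN share a line."""
    return sum(1 for line in text.splitlines()
               if line.startswith(END) and BEGIN in line[len(END):])


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl x509 prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def peer_in_cafile(peer_pem: str, cafile_text: str) -> bool:
    """True if the peer certificate is byte-for-byte one of the CAfile entries.

    verify = 2 only needs the CA chain in CAfile; verify = 3 additionally
    needs the peer's own certificate there, which is what this tests."""
    peer = split_bundle(peer_pem)
    if len(peer) != 1:
        raise ValueError("peer_pem must hold exactly one certificate")
    return peer[0] in split_bundle(cafile_text)


def report(cafile_text: str, peer_pem: str) -> dict:
    """Summarise what stunnel will see when it loads this CAfile."""
    ders = split_bundle(cafile_text)
    return {
        "certs_loaded": len(ders),
        "fingerprints": [fingerprint(d) for d in ders],
        "glued_markers": glued_markers(cafile_text),
        "peer_present_for_verify3": peer_in_cafile(peer_pem, cafile_text),
    }


def fake_pem(label: bytes) -> str:
    """Constructed placeholder PEM block (NOT a real certificate)."""
    body = base64.b64encode(label).decode("ascii")
    return f"{BEGIN}\n{body}\n{END}\n"


# Constructed sample files, named after the subjects in the posted log.
ROOT_PEM = fake_pem(b"placeholder: /CN=xxx RootCA")
SUBCA_PEM = fake_pem(b"placeholder: /CN=xxx SubCA1")
PEER_PEM = fake_pem(b"placeholder: /C=zzz (remote application server)")

CAFILE_CHAIN_ONLY = ROOT_PEM + SUBCA_PEM            # root + sub, as in the post
CAFILE_WITH_PEER = ROOT_PEM + SUBCA_PEM + PEER_PEM  # what verify = 3 needs
CAFILE_GLUED = ROOT_PEM.rstrip("\n") + SUBCA_PEM    # root file had no final newline

if __name__ == "__main__":
    for name, text in [("chain only", CAFILE_CHAIN_ONLY),
                       ("chain + peer", CAFILE_WITH_PEER),
                       ("glued markers", CAFILE_GLUED)]:
        print(name, report(text, PEER_PEM))
```

For a real check, save the server's certificate from the output of `openssl s_client -connect 10.254.0.21:443 -showcerts` and pass it as `peer_pem` together with the CAfile text; a `certs_loaded` count lower than the number of files you concatenated, or a non-zero `glued_markers`, points at the concatenation, while `peer_present_for_verify3` being False with a correct chain is exactly the depth=0 "not found in local repository" case, which either verify = 2 or adding the peer certificate to the CAfile resolves.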