I would expect that level 4 only compares locally installed certificates; however, I get the same behaviour as with level 3: stunnel expects a CA cert. Here's the relevant log when on level 4:
Jul 6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting certificate verification: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT: Verification error: unable to get local issuer certificate
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert (read): fatal: unknown CA
What am I missing in understanding verify's level 4?
You're not missing anything. I've experienced a similar issue. While verify = 4 generally works well in most cases and will ignore the CA chain, I've encountered a few isolated incidents in which I've had to append or "chain" the server certificate with the certificate of the CA. Give it a shot and see if it resolves your issue.
Thomas
On 7/8/2013 3:02 AM, dansmith wrote:
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
Hi Guys,
Thank you for your feedback. I will re-test this feature.
Best regards, Michal Trojnara
On 2013-07-08 18:32, Thomas Eifert wrote:
On 7/8/2013 3:02 AM, dansmith wrote:
Hi Guys,
I tested the "verify = 4" once again on a different server. It works like a charm.
Please make sure that the certificate provided with CAfile really contains the peer certificate.
The basic test would be:
$ openssl x509 -in peer.pem -noout -text | grep -E 'Subject:|DNS:'
The result should contain the FQDN of your peer.
Otherwise please post your peer.pem to the list. Certificates are public anyway (unlike private keys), so there is nothing to be afraid of.
Mike
On 2013-07-08 22:38, Michal Trojnara wrote:
On 2013-07-08 18:32, Thomas Eifert wrote:
On 7/8/2013 3:02 AM, dansmith wrote:
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
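The check Michal asks for above (does the CAfile really contain the peer certificate?) can be scripted so it is not done by eye. The script below is an added example, not code from the thread or from the stunnel project: it extracts the base64 body of every CERTIFICATE block in the CAfile and compares each one with the body of the peer certificate, normalising line wrapping and CRLF so a re-wrapped copy still matches while a different certificate for the same subject (a renewed one, for instance) does not. It needs only awk and grep, not the openssl binary. The file names, the demo data and the helper names (pem_body, pem_count, cafile_contains_peer, write_pem, make_demo) are assumptions; the PEM bodies in the demo are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread or the stunnel project: check that the
# CAfile used with "verify = 4" really contains the peer certificate, which is the
# first thing to rule out when stunnel reports "unable to get local issuer
# certificate". All file names and helper names are assumptions.

# Print the base64 body of the INDEX-th CERTIFICATE block in FILE as one line,
# with line wrapping and any trailing CR stripped.
pem_body() {  # usage: pem_body FILE INDEX
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; inblk = (n == want); next }
        /-----END CERTIFICATE-----/   { inblk = 0; next }
        inblk { sub(/\r$/, ""); printf "%s", $0 }
    ' "$1"
}

# Count the CERTIFICATE blocks in FILE (prints 0 when there are none).
pem_count() {  # usage: pem_count FILE
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Exit 0 if CAFILE holds a certificate identical to the first one in PEER,
# 1 if it does not, 2 if PEER contains no certificate at all.
cafile_contains_peer() {  # usage: cafile_contains_peer CAFILE PEER
    peer=$(pem_body "$2" 1)
    [ -n "$peer" ] || return 2
    n=$(pem_count "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        if [ "$(pem_body "$1" "$i")" = "$peer" ]; then
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Append one PEM CERTIFICATE block per BODY argument to FILE (demo data only).
write_pem() {  # usage: write_pem FILE BODY...
    f=$1; shift
    for body in "$@"; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' >> "$f"
    done
}

# Build constructed demo files in a temp directory and print its path.
# The bodies are placeholders, NOT real certificates.
make_demo() {
    d=$(mktemp -d)
    write_pem "$d/peer.pem" 'UEVFUi1DRVJULUJPRFk='
    write_pem "$d/ca.pem"   'Q0EtQ0VSVC1CT0RZ'
    write_pem "$d/good-cafile.pem" 'Q0EtQ0VSVC1CT0RZ' 'UEVFUi1DRVJULUJPRFk='
    write_pem "$d/bad-cafile.pem"  'Q0EtQ0VSVC1CT0RZ'
    printf '%s\n' "$d"
}

d=$(make_demo)
for f in good-cafile.pem bad-cafile.pem; do
    if cafile_contains_peer "$d/$f" "$d/peer.pem"; then
        echo "$f: contains the peer certificate, so verify = 4 has something to match"
    else
        echo "$f: peer certificate NOT present in CAfile; verify = 4 has nothing to match"
    fi
done
```

Run it as `cafile_contains_peer /etc/stunnel/cafile.pem /path/to/peer.pem` against the real files. Where openssl is installed, comparing SHA-256 fingerprints (`openssl x509 -in peer.pem -noout -fingerprint -sha256` on the peer and on each certificate split out of the CAfile) is the stronger form of the same check, since it compares the DER encoding rather than the PEM text.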
Michael,
The certificate contains the FQDN, and yes, it matches.
Thomas
On 7/10/2013 1:38 PM, Michal Trojnara wrote:
Thank you for clarifying. I generated a new self-signed certificate and verify=4 works.
However, when I generate a non-self-signed certificate signed by a third-party CA, "verify=4" gives me the same error as in my initial post. It still expects to find the CA's certificate together with the server's certificate in CAfile. The description in the manpage is:
level 4 - Ignore CA chain and only verify peer certificate.
Apparently the description is inaccurate.
Dan,
I use verify = 4 with seven different servers, but it only misbehaves with one of them. There must be some aspect of the certificate that either OpenSSL or Stunnel is having an issue with.
Regards,
Thomas
On 7/11/2013 2:00 AM, dansmith wrote: