Correction: The cert issuer is Startcom Ltd, not Startcom LLC.
--
Greetings;
Stunnel 4.56 running under Win 7 SP1 x86.
Recently, the owners of a server I regularly connect to updated their server certificate; the former had expired at the end of May.
As soon as that event occurred, I deleted the old certificate, then used the "save peer certificate" function of Stunnel to get the updated one.
However, the new certificate fails to verify, even with the verify = 4 option in Stunnel. The error message is similar to what I used to get when doing a verify = 3 with some certificates. The general error output of Stunnel is:
CERT: Verification error: unable to get local issuer certificate
2013.06.09 16:37:46 LOG4[608:2336]: Certificate check failed: depth=0
When I open the new certificate with:
openssl x509 -text -in certname.pem
and view the certificate details, I'm not seeing anything obvious. The certificate is within a valid date range, and contains the same basic elements as other certs I've viewed. The certificate appears to have been issued by Startcom LLC.
If I comment out the verify statement, I'm able to successfully negotiate an SSL connection with the server.
I realize that this may be more of an openssl issue than an issue with Stunnel. Nevertheless, I thought I'd start here and throw it out to the floor for comments.
Anyone have any ideas or have run into this issue?
Regards,
Thomas
On Sun, 2013-06-09 17:18:50 -0500, Thomas Eifert wrote:
[..]
CERT: Verification error: unable to get local issuer certificate
2013.06.09 16:37:46 LOG4[608:2336]: Certificate check failed: depth=0
I suppose it's what the error message says:
Stunnel tries to verify the new certificate by following the certificate chain down to a trusted root certificate, and fails checking the issuer of a certificate involved.
Maybe Startcom didn't only change the server certificate, but some intermediate certificates too. If this is the case, you may have to download and store the intermediate certificates so stunnel is able to find them.
HTH,
Ludolf
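Added example, not from the thread, to show the chain problem Ludolf describes: a demo root, intermediate and server certificate are generated with the openssl CLI (assumed installed; all names are constructed), and the server certificate is then verified against a CAfile holding only the root and against one with the intermediate appended. The first check reports error 20, "unable to get local issuer certificate", at depth 0, which is the same condition as the stunnel log above; the second succeeds.

```shell
#!/bin/sh
# Constructed demonstration: a leaf signed by an intermediate only verifies
# against the root when the intermediate is available locally.
# Assumes the openssl CLI is installed; all names below are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# Root CA: self-signed.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/CN=Demo Root CA' >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem -days 3650 >/dev/null 2>&1
# Intermediate CA: signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj '/CN=Demo Intermediate CA' >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem -days 3650 >/dev/null 2>&1
# Server (peer) certificate: signed by the intermediate, like the one stunnel saved.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj '/CN=mail.example.test' >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -out leaf.pem -days 365 >/dev/null 2>&1

# The CAfile a client has after storing only the root.
cp root.pem CAfile.pem
# The fix: append the intermediate so the chain can be completed locally.
cat root.pem inter.pem > CAfile-with-intermediate.pem

# verify_peer CAFILE: exit 0 if leaf.pem chains to CAFILE, non-zero otherwise.
# openssl verify exercises the same OpenSSL path building that stunnel relies on.
verify_peer() {
  openssl verify -CAfile "$1" leaf.pem
}

# First call prints "error 20 at 0 depth lookup: unable to get local issuer
# certificate"; second prints "leaf.pem: OK".
verify_peer CAfile.pem || true
verify_peer CAfile-with-intermediate.pem
```

Supplying the intermediate only for path building, without trusting it, works too: openssl verify -CAfile CAfile.pem -untrusted inter.pem leaf.pem.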
Hi Ludolf:
I understand what you're saying. Nevertheless, I'm under the impression that level 4's purpose was to ignore the CA chain entirely. From the Stunnel manual:
"level 4
Ignore CA chain and only verify peer certificate."
Regards,
Thomas
On 6/10/2013 4:33 AM, Ludolf Holzheid wrote:
[..]
Can you remove my email from the stunnel list? Thank you.
On Mon, Jun 10, 2013 at 6:59 PM, Thomas Eifert kxkvi@lavabit.com wrote:
[..]
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users