On Tue, 2011-04-26 17:00:06 +0200, laurent.uk@bnpparibas.com wrote:
Hi,
I tried to configure my STUNNEL server with my client's test software, but I always have the following error:
2011.04.26 14:23:09 LOG4[1683500:258]: VERIFY ERROR ONLY MY: no cert for /C=ww/O=swift/OU=personalid/OU=bnpafrpp/CN=crl-3skey-ebics-ts
[..]
I tried to extract the public certificate from crl-3skey-ebics-ts and add it to the keystore and to the folder /usr/local/ssl/certs/trusted/
[..]
verify = 3
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /opt/freeware/etc/stunnel/
; It's often easier to use CAfile
CAfile = /opt/freeware/etc/stunnel/ca.pem
; Don't forget to c_rehash CRLpath
Laurent,
If you specify a CAfile in 'verify=3' mode, you need to add the client's certificates to this file.
You could also store the client's certificates as PEM files (one file per certificate) in a directory stunnel can reach at connection time. You then have to specify the name of this directory as CApath (instead of CAfile), and you'll have to run c_rehash on that directory.
Ludolf
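As an added example (not from this thread, and not stunnel's own tooling), a small POSIX shell script that does what Ludolf describes: it splits a CAfile bundle into one certificate per file, recreates the subject-hash links that c_rehash creates so the directory works as CApath, and checks whether a given client certificate is actually reachable there, which is the condition behind the "no cert for ..." error. It assumes openssl is on PATH; all file and directory names are constructed.

```shell
#!/bin/sh
# Added example: build and check a CApath directory for stunnel verify=3.
# Assumes the openssl command-line tool is available.

# Split a PEM bundle ($1) into $2/cert-NN.pem, one certificate per file,
# and print how many certificates were written.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$1"
  ls "$2"/cert-*.pem | wc -l | tr -d ' '
}

# Create <subject_hash>.N symlinks for every *.pem in $1, the layout OpenSSL
# (and therefore stunnel) expects in CApath; this is what c_rehash does.
rehash_dir() {
  for f in "$1"/*.pem; do
    h=$(openssl x509 -noout -subject_hash -in "$f") || return 1
    i=0
    while [ -e "$1/$h.$i" ]; do i=$((i + 1)); done
    ln -s "$(basename "$f")" "$1/$h.$i"
  done
}

# Return 0 if the certificate in $1 is present in CApath $2: look up the
# subject-hash links and compare fingerprints, so a different certificate
# with the same subject does not count as a match.
cert_in_capath() {
  h=$(openssl x509 -noout -subject_hash -in "$1") || return 1
  fp=$(openssl x509 -noout -fingerprint -in "$1") || return 1
  for l in "$2/$h".*; do
    [ -e "$l" ] || continue
    [ "$(openssl x509 -noout -fingerprint -in "$l")" = "$fp" ] && return 0
  done
  return 1
}
```

Run cert_in_capath against the client certificate and the directory configured as CApath (inside the chroot, if stunnel uses one) before restarting stunnel; a non-zero exit means the verify=3 lookup will fail exactly as in the log line above.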