Cert errors ....... need help! - stunnel-users

17 Mar 2005


      Hi all,
I have take over a stunnel install and all the clients certs have expired.
I have been trying for the past 2 days to get the new step up to work but
no such luck.
Here is the error I get on the sever side, Linux Fedora Core 3, Stunnel 4.05:
2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from
XXX.XXX.XXX.XX:1414
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept):
before/accept initialization
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read
client hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
write server hello A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
write certificate A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
write certificate request A
2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
flush data
2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal:
certificate unknown
2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416:
error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
And here is the output on the client side:
005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu
WIN32 with OpenSSL 0.9.7 31 Dec2002
2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1,
/C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX
CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for
/C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER
CERT/CN=XXXXX/emailAddress=sysadmin@XXXX
2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
I have created the certs on both server and client according to the
documents at
http://www.stunnel.org/faq/openssl_stunnel_ServerClientAuth.txt.
I have the cacert.pem file on the cleint side, I have c_hashed the cert
file on the server side. Do I need to out the c_hash of the server side
cert on the client as well?
Is there something I have missed? Any ideas as to what I can check to see
where the issue is?
I am desperate, any help would be greatly appreciated.
Regards,
+------------------------------------------+
| Richard Houston                  .^.     |
| R.L.H.  Consulting               /V\     |
| E-Mail  rhouston@rlhc.net    /(   )\   |
| WWW     <www.rlhc.net>          ^^-^^    |
+------------------------------------------+