Hello,
I am using stunnel 4.18 and openca-ocspd 1.5.1. The OCSPd uses a delegate
certificate and the setup works when tested with openssl:
$ openssl ocsp -issuer /home/landau/ssl/cacert.pem -serial 3 -url http://localhost:2560 -CAfile /home/landau/ssl/cacert.pem
Response verify OK
3: good
This Update: Mar 23 18:27:37 2007 GMT
Next Update: Mar 26 10:56:33 2007 GMT
But when it comes to using stunnel, I cannot figure out how to make it use
OCSP properly. I could see that stunnel 4.19 had more options for OCSP, but
I am unsure whether this is related to my current issue.
Besides, is there a way to have stunnel fall back on local cert/CRL files if the
OCSP server is not available?
Regards,
--
Samuel Landau
2007.03.26 12:59:05 LOG5[29250:3083020512]: stunnel 4.18 on i486-pc-linux-gnu with OpenSSL 0.9.8c 05 Sep 2006
2007.03.26 12:59:05 LOG5[29250:3083020512]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2007.03.26 12:59:05 LOG6[29250:3083020512]: file ulimit = 1024 (can be changed with 'ulimit -n')
2007.03.26 12:59:05 LOG6[29250:3083020512]: poll() used - no FD_SETSIZE limit for file descriptors
2007.03.26 12:59:05 LOG5[29250:3083020512]: 500 clients allowed
2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 4 in non-blocking mode
2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 5 in non-blocking mode
2007.03.26 12:59:05 LOG7[29250:3083020512]: FD 6 in non-blocking mode
2007.03.26 12:59:05 LOG7[29250:3083020512]: SO_REUSEADDR option set on accept socket
2007.03.26 12:59:05 LOG7[29250:3083020512]: server bound to 127.0.0.1:12345
2007.03.26 12:59:05 LOG7[29250:3083020512]: Created pid file /home/landau/stunnel4.pid
2007.03.26 12:59:12 LOG7[29250:3083020512]: server accepted FD=7 from 127.0.0.1:36200
2007.03.26 12:59:12 LOG7[29250:3082972080]: server started
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 7 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: TCP_NODELAY option set on local socket
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 9 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3083020512]: Cleaning up the signal pipe
2007.03.26 12:59:12 LOG6[29250:3083020512]: Child process 29252 finished with code 0
2007.03.26 12:59:12 LOG7[29250:3082972080]: Connection from 127.0.0.1:36200 permitted by libwrap
2007.03.26 12:59:12 LOG5[29250:3082972080]: server connected from 127.0.0.1:36200
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): before/accept initialization
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 read client hello A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write server hello A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write certificate A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 write certificate request A
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL state (accept): SSLv3 flush data
2007.03.26 12:59:12 LOG6[29250:3082972080]: *** starting OCSP verification ***
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: connect_wait: waiting 10 seconds
2007.03.26 12:59:12 LOG7[29250:3082972080]: connect_wait: connected
2007.03.26 12:59:12 LOG7[29250:3082972080]: OCSP server connected
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in blocking mode
2007.03.26 12:59:12 LOG7[29250:3082972080]: FD 8 in non-blocking mode
2007.03.26 12:59:12 LOG6[29250:3082972080]: OCSP response received
2007.03.26 12:59:12 LOG3[29250:3082972080]: OCSP_basic_verify: 27069076: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found
2007.03.26 12:59:12 LOG7[29250:3082972080]: SSL alert (write): fatal: certificate unknown
2007.03.26 12:59:12 LOG3[29250:3082972080]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2007.03.26 12:59:12 LOG5[29250:3082972080]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2007.03.26 12:59:12 LOG7[29250:3082972080]: server finished (0 left)
2007.03.26 12:59:16 LOG3[29250:3083020512]: Received signal 2; terminating
2007.03.26 12:59:16 LOG7[29250:3083020512]: removing pid file /home/landau/stunnel4.pid
cert = landau.pem
key = landau.key
sslVersion = SSLv3
pid = /home/landau/ssl/stunnel4.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
foreground = yes
verify = 3
CApath = /home/landau/ssl/
CAfile = /home/landau/ssl/cacert.pem
debug = 7
output = /home/landau/ssl/stunnel4.log
client = no
[server]
accept = localhost:12345
ocsp = http://localhost:2560
pty = no
exec = /bin/bash
execargs = bash
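An added example, not from the original post or from stunnel/OCSPd, that reproduces the lookup behind the log's "OCSP_basic_verify: signer certificate not found" on a constructed test PKI: a delegated responder signs a response, and the verifier searches the certificates embedded in the response and then its trust store (stunnel's CAfile) for the signer. It assumes the Python `cryptography` package; all names, keys and certificates are constructed here.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

NOW = datetime.datetime.now(datetime.timezone.utc)

def make_cert(cn, issuer_name, pub, signer_key, ocsp_signing=False):
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer_name).public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=30)))
    if ocsp_signing:  # id-kp-OCSPSigning marks a delegated responder (RFC 2560 4.2.2.2)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False)
    return b.sign(signer_key, hashes.SHA256())

# Constructed test PKI (hypothetical names, not the poster's CA): a CA and a delegate.
CA_KEY, RESP_KEY = (rsa.generate_private_key(65537, 2048) for _ in range(2))
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Test CA")])
CA_CERT = make_cert("Test CA", CA_NAME, CA_KEY.public_key(), CA_KEY)
RESP_CERT = make_cert("Test OCSP Responder", CA_NAME, RESP_KEY.public_key(), CA_KEY, True)

def build_response(embed_signer):
    # "good" answer for CA_CERT itself, signed by the delegate key; optionally embeds its cert.
    b = (ocsp.OCSPResponseBuilder()
         .add_response(cert=CA_CERT, issuer=CA_CERT, algorithm=hashes.SHA1(),
                       cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                       next_update=None, revocation_time=None, revocation_reason=None)
         .responder_id(ocsp.OCSPResponderEncoding.NAME, RESP_CERT))
    if embed_signer:
        b = b.certificates([RESP_CERT])
    return b.sign(RESP_KEY, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def check_signer(response_der, trusted):
    """Signer lookup in the order OpenSSL's OCSP_basic_verify uses: certs embedded in the
    response first, then the trust store. A delegate must also carry id-kp-OCSPSigning."""
    resp = ocsp.load_der_ocsp_response(response_der)
    pool = list(resp.certificates) + list(trusted)
    signer = next((c for c in pool if c.subject == resp.responder_name), None)
    if signer is None:
        return "signer certificate not found"
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    if signer.subject != CA_NAME:  # delegated: check EKU and that the CA issued it
        eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return "signer lacks id-kp-OCSPSigning"
        CA_KEY.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                                   padding.PKCS1v15(), signer.signature_hash_algorithm)
    return "ok"
```

With only the CA in the trust store, a response that does not embed the delegate's certificate fails exactly as in the log; embedding it, or adding the delegate certificate to the trust store, makes the lookup succeed.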