Hi,
I just updated to version 5.57 and the config I have used forever does not work anymore. I regenerated the self certs using the "Build a Self-signed stunnel.pem" in Windows and made sure the CN was matching the hostname of the server machine.
I understand there is an issue with the self-signed certificate... but it was working fine under 5.56.
Server configuration:

[Server_SyncThing]
cert = stunnel.pem
accept = 999
connect = 127.0.0.1:24596
ciphers = PSK
PSKsecrets = psk.txt

Client configuration:

[SyncThing]
client = yes
accept = 127.0.0.1:24596
connect = 192.168.0.102:999
verifyPeer = yes
CAfile = stunnel.pem
PSKsecrets = psk.txt

Service [SyncThing] connected remote server from 192.168.1.44:5455
2020.10.12 14:25:06 LOG7[33]: Setting remote socket options (FD=1516)
2020.10.12 14:25:06 LOG7[33]: Option TCP_NODELAY set on remote socket
2020.10.12 14:25:06 LOG7[33]: Remote descriptor (FD=1516) initialized
2020.10.12 14:25:06 LOG6[33]: SNI: sending servername: 192.168.0.102
2020.10.12 14:25:06 LOG6[33]: Peer certificate required
2020.10.12 14:25:06 LOG7[33]: TLS state (connect): before SSL initialization
2020.10.12 14:25:06 LOG7[33]: Initializing application specific data for session authenticated
2020.10.12 14:25:06 LOG6[33]: PSK client configured for identity "user1"
2020.10.12 14:25:06 LOG7[33]: Initializing application specific data for session authenticated
2020.10.12 14:25:06 LOG7[33]: TLS state (connect): SSLv3/TLS write client hello
2020.10.12 14:25:06 LOG7[33]: TLS state (connect): SSLv3/TLS write client hello
2020.10.12 14:25:06 LOG7[33]: TLS state (connect): SSLv3/TLS read server hello
2020.10.12 14:25:06 LOG7[33]: TLS state (connect): TLSv1.3 read encrypted extensions
2020.10.12 14:25:06 LOG7[33]: Verification started at depth=0: C=FR, ST=Centre, L=Marseilles, O=CA, OU=CA, CN= TRUCK-D98J8TY
2020.10.12 14:25:06 LOG4[33]: CERT: Pre-verification error: unsupported certificate purpose
2020.10.12 14:25:06 LOG4[33]: Rejected by CERT at depth=0: C=FR, ST=Centre, L=Marseilles, O=CA, OU=CA, CN= TRUCK-D98J8TY
2020.10.12 14:25:06 LOG7[33]: TLS alert (write): fatal: unsupported certificate
2020.10.12 14:25:06 LOG3[33]: SSL_connect: ssl/statem/statem_clnt.c:1913: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2020.10.12 14:25:06 LOG5[33]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2020.10.12 14:25:06 LOG7[33]: Deallocating application specific data for session connect address
2020.10.12 14:25:06 LOG7[33]: Deallocating application specific data for session connect address
2020.10.12 14:25:06 LOG7[33]: Remote descriptor (FD=1516) closed

Any help would be welcome.
Thanks.
Hi,
I could be way off base here, but from the log it looks like the CN of the certificate has an extra leading space. Don't know if that really matters, but is it the kind of thing that an upgraded openssl might have tightened up on?
-- Mike
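
Added example, not written by either poster: a Python triage of stunnel log lines in the format shown above. It pairs each "Rejected by CERT" line with the pre-verification error logged on the same connection and lists subject fields whose values carry leading or trailing whitespace. The sample lines are copied from the log in this thread; the function names are hypothetical, and splitting the subject on ", " is an assumption that holds for the subject shown here.

```python
import re

# Lines copied from the log in the thread (format: date time LOGn[id]: message).
SAMPLE = """\
2020.10.12 14:25:06 LOG6[33]: Peer certificate required
2020.10.12 14:25:06 LOG7[33]: Verification started at depth=0: C=FR, ST=Centre, L=Marseilles, O=CA, OU=CA, CN= TRUCK-D98J8TY
2020.10.12 14:25:06 LOG4[33]: CERT: Pre-verification error: unsupported certificate purpose
2020.10.12 14:25:06 LOG4[33]: Rejected by CERT at depth=0: C=FR, ST=Centre, L=Marseilles, O=CA, OU=CA, CN= TRUCK-D98J8TY
2020.10.12 14:25:06 LOG3[33]: SSL_connect: ssl/statem/statem_clnt.c:1913: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
"""

LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\w+)\]: (.*)$")
REJECT = re.compile(r"^Rejected by CERT at depth=(\d+): (.*)$")
PREERR = re.compile(r"^CERT: Pre-verification error: (.*)$")


def parse_subject(dn):
    """Split 'K=V, K=V' as logged into (key, value) pairs; values keep their whitespace."""
    return [tuple(part.partition("=")[::2]) for part in dn.split(", ")]


def cert_rejections(log_text):
    """Return one record per 'Rejected by CERT' line, with the last
    pre-verification error seen on the same connection id."""
    last_error = {}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line without the timestamp/LOGn prefix
        _, _, conn, msg = m.groups()
        if (e := PREERR.match(msg)):
            last_error[conn] = e.group(1)
        elif (r := REJECT.match(msg)):
            subject = parse_subject(r.group(2))
            padded = [k for k, v in subject if v != v.strip()]
            findings.append({"conn": conn, "depth": int(r.group(1)),
                             "reason": last_error.get(conn),
                             "subject": subject, "padded_fields": padded})
    return findings


if __name__ == "__main__":
    for finding in cert_rejections(SAMPLE):
        print(finding)
```

For the log in this thread it reports the logged reason "unsupported certificate purpose" alongside the padded CN value, so both observations can be followed up separately.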