dansmith,
I'd be the last to argue with you.
Purely as an experiment, I tried changing the verify level from 4 to 3, but it didn't fly. I most likely missed the entirety of the signing chain, as I only added the certificate of the *issuing* CA.
Regards,
Thomas
On 7/8/2013 7:01 PM, dansmith wrote:
Thomas, the recent exception you are describing, needing a CA certificate and a server certificate, is what verify=3 does. So, I guess there is some regression in the code. When I look at stunnel's verify.c code, there is only one reference to level 4, in line 225. It seems like verify=4 functionality is missing from the code.
On 07/08/2013 11:44 PM, Thomas Eifert wrote:
dansmith,
It's my understanding that verify = 4 should, theoretically, look only for the server certificate, and this is the way I've been using it with great success over the past year or so. Recently, however, I ran into an exception to that behavior.
In my case, I only had to download and install one certificate; that of the signing CA. I simply pasted it directly below the server certificate in the associated .pem file. The CA certificate wasn't originally in .pem format, so I converted it beforehand. OpenSSL has conversion capability, and there are also online certificate tools available. Your mileage may vary.
Good luck.
Thomas
On 7/8/2013 3:01 PM, dansmith wrote:
Could you kindly break it down for me? Are you saying that I need to have two CAs, A and B: A signs the certificate of B, and B signs the certificate of my server? Do I understand correctly that verify=4 is supposed to simply ignore any CAs and only look at the actual certificate, comparing it to the certificate in CAfile?
On 07/08/2013 06:32 PM, Thomas Eifert wrote:
You're not missing anything. I've experienced a similar issue. While verify = 4 generally works well in most cases and will ignore the CA chain, I've encountered a few isolated incidents in which I've had to append or "chain" the server certificate with the certificate of the CA. Give it a shot and see if it resolves your issue.
Thomas
On 7/8/2013 3:02 AM, dansmith wrote:
I would expect that level 4 only compares locally installed certificates; however, I get the same behaviour as with level 3: stunnel expects a CA cert. Here's the relevant log when on level 4:
Jul 6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting certificate verification: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT: Verification error: unable to get local issuer certificate
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert (read): fatal: unknown CA
What am I missing in understanding verify's level 4 ?
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
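As an added illustration of the two behaviours argued about in this thread (this is my example, not code from the thread, from stunnel's verify.c or from the stunnel project): the POSIX shell script below builds a throwaway root CA, issuing CA and server certificate with the openssl CLI and then shows, with `openssl verify`, a full-chain check, which is what a CA-chain-based mode such as stunnel's verify = 3 needs (every issuer up to a self-signed root must be in CAfile), next to a peer-pinning check that ignores issuers and only asks whether the presented certificate itself is in CAfile, which is the intent of verify = 4 as described above. The pinning function is my own SHA-256 fingerprint comparison, not stunnel's implementation; the subjects, file names and the ca.cnf are invented for the demo; and `-partial_chain` is an option of `openssl verify` (OpenSSL 1.0.2 and later), not a stunnel setting.

```shell
#!/bin/sh
# Added example for the stunnel-users thread above (my code, not stunnel's):
# full-chain verification vs. peer-certificate pinning, shown with the openssl CLI.
# All subjects, file names and the ca.cnf below are made up for the demo.
set -u

# Build a demo PKI in directory $1: root.pem (self-signed), int.pem (issuing CA
# signed by root), server.pem (signed by int), chain.pem (int + root, a full
# CAfile) and int.der (input for the DER -> PEM conversion demo).
setup_pki() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 -new $key -keyout "$d/root.key" -out "$d/root.pem" -days 2 \
    -subj "/CN=Demo Root CA" -config "$d/ca.cnf" -extensions v3_ca >/dev/null 2>&1 || return 1
  openssl req -new $key -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Demo Issuing CA" -config "$d/ca.cnf" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem" >/dev/null 2>&1 || return 1
  openssl req -new $key -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=redf" -config "$d/ca.cnf" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -extfile "$d/ca.cnf" -extensions v3_server -out "$d/server.pem" >/dev/null 2>&1 || return 1
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
  openssl x509 -in "$d/int.pem" -outform DER -out "$d/int.der" >/dev/null 2>&1
}

# Run openssl verify with CAfile $1 against certificate $2 (extra options in $3),
# using only that CAfile (no system trust store). Prints the verifier's output;
# returns 0 only when openssl reports ": OK".
run_verify() {
  out=$(openssl verify -no-CAfile -no-CApath ${3-} -CAfile "$1" "$2" 2>&1 || true)
  printf '%s\n' "$out"
  printf '%s\n' "$out" | grep -q ': OK$'
}
# Full-chain check: CAfile must let the chain reach a self-signed root.
verify_chain() { run_verify "$1" "$2" ""; }
# Same check, but the chain may stop at any certificate present in CAfile.
verify_partial_chain() { run_verify "$1" "$2" "-partial_chain"; }
# Just the reason text of a failed full-chain check (empty on success).
chain_error() {
  verify_chain "$1" "$2" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# SHA-256 fingerprint of the certificate in file $1.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# Peer pinning, the verify=4 idea: ignore issuers and accept certificate $2 only
# if that very certificate (same fingerprint) appears somewhere in CAfile $1.
verify_pinned() {
  want=$(fingerprint "$2")
  split=$(mktemp -d)
  awk -v d="$split" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/" n ".pem") }' "$1"
  rc=1
  for f in "$split"/*.pem; do
    [ -f "$f" ] || continue
    if [ "$(fingerprint "$f")" = "$want" ]; then rc=0; break; fi
  done
  rm -rf "$split"
  return $rc
}

# The conversion step mentioned in the thread: DER certificate $1 to PEM on stdout.
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM; }

demo() {
  d=$(mktemp -d)
  setup_pki "$d" || { echo "PKI setup failed (is openssl installed?)"; return 0; }
  echo "--- full chain, CAfile = server cert only (the situation in the log above):"
  verify_chain "$d/server.pem" "$d/server.pem" || true
  echo "--- full chain, CAfile = issuing CA only:"
  verify_chain "$d/int.pem" "$d/server.pem" || true
  echo "--- full chain, CAfile = issuing CA + root:"
  verify_chain "$d/chain.pem" "$d/server.pem" || true
  echo "--- partial chain, CAfile = issuing CA only:"
  verify_partial_chain "$d/int.pem" "$d/server.pem" || true
  echo "--- pinning, CAfile = server cert only:"
  verify_pinned "$d/server.pem" "$d/server.pem" && echo "pinned: match" || echo "pinned: no match"
  echo "--- pinning, CAfile = issuing CA + root:"
  verify_pinned "$d/chain.pem" "$d/server.pem" && echo "pinned: match" || echo "pinned: no match"
  echo "--- DER -> PEM conversion of the issuing CA certificate:"
  der_to_pem "$d/int.der" | head -n 1
  rm -rf "$d"
}
demo
```

Run it with `sh`; it prints one result per scenario. The CAfile that holds only the server certificate reproduces the `unable to get local issuer certificate` at depth 0 from the log above, and a CAfile holding only the issuing CA still fails the full-chain check until the root is appended, because OpenSSL's default chain building has to reach a self-signed certificate in the trust store. Only the pinning check (or `-partial_chain`) accepts a CAfile that contains nothing but the peer certificate.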