Re: [stunnel-users] is verify level 4 working?

dansmith, I'd be the last to argue with you. Purely as an experiment, I tried changing the verify level from 4 to 3, but it didn't fly. I most likely missed the entirety of the signing chain, as I only added the certificate of the *issuing* CA.
Regards,
Thomas
On 7/8/2013 7:01 PM, dansmith wrote:
Thomas, the recent exception you are describing - needing a CA certificate and server certificate - is what verify=3 does. So, I guess there is some regression in the code. When I look at stunnel's verify.c code, there is only one reference to level 4 in line 225. It seems like verify=4 functionality is missing from the code.
On 07/08/2013 11:44 PM, Thomas Eifert wrote:
dansmith,
It's my understanding that verify = 4 should, theoretically, look only for the server certificate, and this is the way I've been using it with great success over the past year or so. Recently, however, I ran into an exception to that behavior.
In my case, I only had to download and install one certificate; that of the signing CA. I simply pasted it directly below the server certificate in the associated .pem file. The CA certificate wasn't originally in .pem format, so I converted it beforehand. OpenSSL has conversion capability, and there are also online certificate tools available. Your mileage may vary.
Good luck.
Thomas
On 7/8/2013 3:01 PM, dansmith wrote:
Could you kindly break it down for me? Are you saying that I need to have two CAs, A & B? A signs the certificate of B and B signs the certificate of my server? Do I understand correctly that verify=4 is supposed to simply ignore any CAs and only look at the actual certificate, comparing it to the certificate in CAfile?
On 07/08/2013 06:32 PM, Thomas Eifert wrote:
You're not missing anything. I've experienced a similar issue. While verify = 4 generally works well in most cases and will ignore the CA chain, I've encountered a few isolated incidences in which I've had to append or "chain" the server certificate with the certificate of the CA. Give it a shot and see if it resolves your issue.
Thomas
On 7/8/2013 3:02 AM, dansmith wrote:
I would expect that level 4 only compares locally installed certificates; however, I get the same behaviour as with level 3: stunnel expects a CA cert. Here's the relevant log when on level 4:
Jul 6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting certificate verification: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT: Verification error: unable to get local issuer certificate
Jul 6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
Jul 6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert (read): fatal: unknown CA
What am I missing in understanding verify's level 4?
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
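The "unable to get local issuer certificate" line in the log above is OpenSSL's chain-building error (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), which is raised whenever the file being verified against does not contain the issuing CA. As an added example (not code from the thread, from stunnel, or from any poster), this script reproduces that failure with openssl verify against a constructed test CA and server certificate, then applies the fix Thomas describes: convert the CA's DER certificate to PEM and append it below the server certificate. It assumes the openssl CLI is installed; the names testca and server are constructed.

```shell
#!/bin/sh
# Added example: reproduce the log's "unable to get local issuer certificate"
# with openssl, then fix it by chaining the issuing CA below the server cert.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Constructed test PKI (hypothetical names): a self-signed issuing CA and a
# server certificate it signs. The CA cert is also saved in DER, as in the
# thread, so that it has to be converted before it can be appended.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=testca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# Does openssl verify accept the server cert against the given file? Prints 1/0.
verify_with() {
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# Only the server certificate in the file: no issuer can be found, which is
# the same X509 error 20 the stunnel log shows.
leaf_only() { verify_with "$WORK/server.pem"; }

# Thomas's fix: DER -> PEM, then paste the CA cert directly below the server
# certificate in one .pem file and verify against that.
chained() {
  openssl x509 -inform DER -in "$WORK/ca.der" -out "$WORK/ca-converted.pem"
  cat "$WORK/server.pem" "$WORK/ca-converted.pem" > "$WORK/chain.pem"
  verify_with "$WORK/chain.pem"
}

make_test_pki
echo "server cert alone: $(leaf_only)"   # 0: unable to get local issuer certificate
echo "server cert + CA:  $(chained)"     # 1: OK
```

Run `openssl verify -CAfile "$WORK/server.pem" "$WORK/server.pem"` by hand to see the full error text that stunnel reports.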