[stunnel-users] Cert errors ....... need help!

Jan Meijer jan.meijer at surfnet.nl
Thu Mar 17 20:42:57 CET 2005


On Thu, 17 Mar 2005, Richard Houston wrote:

> I have replaced the keys already. These are new keys altogether.

It's not the keys that are wrong, they're in the wrong places.  The verify 
failure indicates just that: both server and client have problems 
verifying the authenticity of one another.

Now try this.

At the server side:

- change verify to '=2'

At the client side:

Make sure the client certificate is not commented out as it looks like in 
your config:

> CApath=c:\stunnel
> #cert=c:\stunnel\traf-test.pem

Without a certificate at the client side there's no way the client will 
ever authenticate to your 'verify = 2' server.

Secondly, remove the 'CApath' directive from your client configuration and 
add the 'CAfile = /etc/stunnel/cacert.pem' to it.  Do make sure you copy 
the cacert.pem to your client ;).

I trust you did not include the private key of your CA in cacert.pem ;).

Let me know what happens.

Jan
-- 
http://www.surfnet.nl/organisatie/jame
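
Added example (not part of the message above and not stunnel's own code): a small Python check for the configuration mistakes the message walks through, namely a server below verify level 2, a commented-out client cert, CApath used without CAfile, and a private key left in the CA file. The `client = yes` line, the server sample, its paths and the finding names are constructed assumptions; options are flattened across service sections for brevity.

```python
import re

def parse_conf(text):
    """Split stunnel options into active and commented-out (lower-cased names)."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line, bucket = raw.strip(), active
        if line[:1] in ("#", ";"):        # comment line, may hide a disabled option
            line, bucket = line.lstrip("#; \t"), commented
        m = re.match(r"(\w+)\s*=\s*(.*)$", line)
        if m:
            bucket[m.group(1).lower()] = m.group(2).strip()
    return active, commented

def audit(conf_text, ca_pem_text=""):
    """Return finding codes (names are hypothetical) for one peer's config."""
    active, commented = parse_conf(conf_text)
    is_client = active.get("client", "no").lower() == "yes"
    level = active.get("verify", "0")
    findings = []
    if not is_client and (not level.isdigit() or int(level) < 2):
        findings.append("server-verify-below-2")   # server never demands a client cert
    if "cert" not in active:
        findings.append("cert-commented-out" if "cert" in commented else "cert-missing")
    if "capath" in active and "cafile" not in active:
        findings.append("capath-without-cafile")
    if "PRIVATE KEY-----" in ca_pem_text:          # CA key must stay off the peers
        findings.append("ca-file-contains-private-key")
    return findings

# Constructed sample inputs; the two client lines follow the quoted config.
CLIENT_BROKEN = r"""
client = yes
CApath=c:\stunnel
#cert=c:\stunnel\traf-test.pem
"""
CLIENT_FIXED = r"""
client = yes
CAfile = /etc/stunnel/cacert.pem
cert=c:\stunnel\traf-test.pem
"""
SERVER = "cert = /etc/stunnel/server.pem\nCAfile = /etc/stunnel/cacert.pem\nverify = 1\n"
BAD_CA = ("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"
          "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, conf, ca in [("client, broken", CLIENT_BROKEN, ""),
                           ("client, fixed", CLIENT_FIXED, BAD_CA),
                           ("server", SERVER, "")]:
        print(name, "->", audit(conf, ca) or "ok")
```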


