[stunnel-users] Cert errors ....... need help!

ikeda@areabe ikeda at areabe.com
Thu Mar 17 20:22:08 CET 2005


Hi Richard

Verify=3 means the stunnel server checks the subject part of the client
certificate, so you need to put each client certificate file on your
stunnel server in a certain way.

Try using verify=2, which only checks the CA cert portion.

regards
taka

On Thu, 17 Mar 2005 13:13:05 -0600 (CST), Richard Houston <rhouston at rlhc.net> wrote:

> Update:
>
> I have turned on debugging on the client side and have found the following
> errors:
>
> 2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
> 2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER CERT/CN=XXXX/emailAddress=sysadminXXXX
> 2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
> 2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
>
> Any ideas?
>
> Regards,
> +------------------------------------------+
> | Richard Houston                  .^.     |
> | R.L.H.  Consulting               /V\     |
> | E-Mail  <rhouston at rlhc.net>    /(   )\   |
> | WWW     <www.rlhc.net>          ^^-^^    |
> +------------------------------------------+
>
> Richard Houston said:
>> Hi all,
>>
>> I have taken over a stunnel install and all the client certs have expired.
>>
>> I have been trying for the past 2 days to get the new setup to work but
>> no such luck.
>>
>> Here is the error I get on the server side, Linux Fedora Core 3, Stunnel
>> 4.05:
>>
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
>> 2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from XXX.XXX.XXX.XX:1414
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): before/accept initialization
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read client hello A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write server hello A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate request A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 flush data
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal: certificate unknown
>> 2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
>>
>> And here is the output on the client side:
>>
>> 005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7 31 Dec2002
>> 2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
>> 2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
>> 2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
>> 2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1, /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin at XXXX
>> 2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXX/emailAddress=sysadmin at XXXX
>> 2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> I have created the certs on both server and client according to the
>> documents at
>> http://www.stunnel.org/faq/openssl_stunnel_ServerClientAuth.txt.
>>
>> I have the cacert.pem file on the client side, I have c_hashed the cert
>> file on the server side. Do I need to put the c_hash of the server side
>> cert on the client as well?
>>
>> Is there something I have missed? Any ideas as to what I can check to see
>> where the issue is?
>>
>> I am desperate, any help would be greatly appreciated.
>>
>>
>> Regards,
>> +------------------------------------------+
>> | Richard Houston                  .^.     |
>> | R.L.H.  Consulting               /V\     |
>> | E-Mail  <rhouston at rlhc.net>    /(   )\   |
>> | WWW     <www.rlhc.net>          ^^-^^    |
>> +------------------------------------------+
>>
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at mirt.net
>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>>
>>
>
>
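
Added example, not part of the original thread and not stunnel code: a small Python triage for the two client-side failures quoted above. It rejoins log records that the mail client wrapped and maps each VERIFY ERROR to the local trust-store item to check. The sample log is constructed, and the hint texts are an interpretation of stunnel 4.x messages, not stunnel output.

```python
import re

# Constructed sample modelled on the client log in this thread (wrapping kept).
SAMPLE = """\
2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1,
/C=CA/O=Example/OU=CACERT/CN=ca.example
2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for
/C=CA/O=Example/OU=STUNNEL SERVER
CERT/CN=server.example
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable
to
get local issuer certificate: /C=CA/O=Example/OU=STUNNEL SERVER
CERT/CN=server.example
"""

STAMP = re.compile(r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d LOG\d\[[\d:]+\]: (.*)$")
ONLY_MY = re.compile(r"VERIFY ERROR ONLY MY: no cert for (/.+)")
GENERIC = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (/.+)")
# OpenSSL verify error text -> what to check on the side that logged it.
HINTS = {
    "unable to get local issuer certificate":
        "the issuing CA certificate is missing from the local CAfile/CApath",
}

def unwrap(text):
    """Rejoin wrapped log records; leading '>' quote markers are dropped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        m = STAMP.match(line)
        if m:
            records.append(m.group(1))
        elif line and records:
            records[-1] += " " + line
    return records

def triage(text):
    """Return (cause, certificate subject, hint) per verification failure."""
    findings = []
    for msg in unwrap(text):
        if m := ONLY_MY.search(msg):
            findings.append(("peer certificate not installed locally", m[1],
                             "verify=3 needs the peer's own certificate in CAfile/CApath"))
        elif m := GENERIC.search(msg):
            findings.append((m[2], m[3], HINTS.get(m[2], "see the OpenSSL error text")))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

With verify=2 the first finding no longer occurs, because any certificate that chains to the trusted CA is accepted; verify=3 additionally requires the individual peer certificate to be installed locally.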




