[stunnel-users] Using externally signed certificate with stunnel 4

Tim Skirvin tskirvin at stanford.edu
Mon Jun 30 23:14:08 CEST 2008


        I've got a Comodo-signed SSL certificate that I'm trying to use
with stunnel4 to allow secure NNTP connections from a wide variety of
clients.  The certificate at least partially works; if I leave 'verify' 
off in the stunnel.conf file, then the service runs and users can connect,
albeit while still having to verify the cert.  But if I turn 'verify' on,
then it doesn't work on *either* side.

        I've tried playing with CAfile and CApath without much luck.  I'll
attach my configuration files, the relevant pems, and some debugging
information; is there something else I'm missing?  I've already contacted
Comodo, and after several rounds of conversation they suggest I contact
the list.

        Errors from the client side (note that I'm using a debug port here):

+ openssl s_client -connect news:565 -verify -debug
verify depth is 0
CONNECTED(00000003)
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
6976:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:951:

        ...and on the server, I get this:

2008.06.30 14:08:38 LOG7[10039:47679267941088]: nntps accepted FD=7 from 171.64.19.111:56122
2008.06.30 14:08:38 LOG7[10039:1073809760]: nntps started
2008.06.30 14:08:38 LOG7[10039:1073809760]: FD 7 in non-blocking mode
2008.06.30 14:08:38 LOG7[10039:1073809760]: FD 8 in non-blocking mode
2008.06.30 14:08:38 LOG7[10039:1073809760]: FD 9 in non-blocking mode
2008.06.30 14:08:38 LOG7[10039:47679267941088]: Cleaning up the signal pipe
2008.06.30 14:08:38 LOG6[10039:47679267941088]: Child process 10247 finished with code 0
2008.06.30 14:08:38 LOG7[10039:1073809760]: Connection from 171.64.19.111:56122 permitted by libwrap
2008.06.30 14:08:38 LOG5[10039:1073809760]: nntps connected from 171.64.19.111:56122
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): before/accept initialization
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 read client hello A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 write server hello A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 write certificate A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 write certificate request A
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL state (accept): SSLv3 flush data
2008.06.30 14:08:38 LOG7[10039:1073809760]: SSL alert (read): fatal: unknown CA
2008.06.30 14:08:38 LOG3[10039:1073809760]: SSL_accept: 14094418: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2008.06.30 14:08:38 LOG5[10039:1073809760]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2008.06.30 14:08:38 LOG7[10039:1073809760]: nntps finished (0 left)
        Basic Requested Information that wasn't supplied above:

        * stunnel 4.18-2 on Debian etch (2.6.18-6-686 #1 SMP)
        * Running standalone with '/usr/bin/stunnel4 /etc/news/stunnel.conf'
        * libc6, no gcc, OpenSSL 0.9.8c-4etch3
        * The log on startup:

2008.06.30 14:00:15 LOG7[26276:3083523776]: Snagged 64 random bytes from /root/.rnd
2008.06.30 14:00:15 LOG7[26276:3083523776]: Wrote 1024 new random bytes to /root/.rnd
2008.06.30 14:00:15 LOG7[26276:3083523776]: RAND_status claims sufficient entropy for the PRNG
2008.06.30 14:00:15 LOG7[26276:3083523776]: PRNG seeded successfully
2008.06.30 14:00:15 LOG7[26276:3083523776]: Configuration SSL options: 0x01000000
2008.06.30 14:00:15 LOG7[26276:3083523776]: SSL options set: 0x01000000
2008.06.30 14:00:15 LOG7[26276:3083523776]: Certificate: /etc/ssl/certs/news-stunnel.pem
2008.06.30 14:00:15 LOG7[26276:3083523776]: Certificate loaded
2008.06.30 14:00:15 LOG7[26276:3083523776]: Key file: /etc/ssl/private/news-stunnel.key
2008.06.30 14:00:15 LOG7[26276:3083523776]: Private key loaded
2008.06.30 14:00:15 LOG7[26276:3083523776]: Loaded verify certificates from /etc/ssl/certs/comodo.cert
2008.06.30 14:00:15 LOG7[26276:3083523776]: SSL context initialized for service nntps

                            - Tim Skirvin (tskirvin at stanford.edu)
-- 
   Information Technology Services      http://www.stanford.edu/~tskirvin/
System Software Developer, Unix Team           Stanford University
-------------- next part --------------
setuid  = news
setgid  = news

foreground = yes

debug   = 7
output  = /var/log/stunnel4/stunnel-debug.log

pid     = /var/lib/news/stunnel-debug.pid
cert    = /etc/ssl/certs/news-stunnel-debug.pem
key     = /etc/ssl/private/news-stunnel-debug.key
CAfile  = /etc/ssl/certs/comodo.cert
options = NO_SSLv2
verify  = 3

[nntps]
accept   = 565
exec     = /usr/lib/news/bin/nnrpd
execargs = /usr/lib/news/bin/nnrpd -c readers-ssl.conf
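As an added example (not from the original post or from the stunnel project): a small Python checker that reads a stunnel 4 configuration the way stunnel does (options before the first `[service]` header are global and inherited by every service) and spells out what each service's `verify` level demands of the peer. The embedded sample is the configuration attached above; the function names are my own.

```python
import configparser

# stunnel 4 'verify' levels as described in the stunnel manual
VERIFY_LEVELS = {
    0: "no peer certificate verification",
    1: "verify the peer certificate only if the peer presents one",
    2: "verify the peer certificate; the peer must present one",
    3: "verify the peer against a locally installed certificate; "
       "CAfile/CApath must contain the peer's own certificate, not just its CA",
}

# Constructed sample: the global and [nntps] settings attached to the post above.
SAMPLE_CONF = """\
cert    = /etc/ssl/certs/news-stunnel-debug.pem
key     = /etc/ssl/private/news-stunnel-debug.key
CAfile  = /etc/ssl/certs/comodo.cert
options = NO_SSLv2
verify  = 3

[nntps]
accept   = 565
exec     = /usr/lib/news/bin/nnrpd
"""

def parse_stunnel_conf(text):
    """Options before the first [section] are global and apply to every service."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                  # keep CAfile/CApath capitalisation
    cp.read_string("[__global__]\n" + text)
    global_opts = dict(cp["__global__"])
    return {name: {**global_opts, **dict(cp[name])}
            for name in cp.sections() if name != "__global__"}

def check_service(name, opts):
    """Return human-readable findings about what this service's settings demand."""
    findings = []
    level = int(opts.get("verify", "0"))
    server_mode = opts.get("client", "no").lower() != "yes"   # no 'client = yes'
    findings.append(f"{name}: verify={level}: {VERIFY_LEVELS.get(level, 'unknown level')}")
    if level >= 2 and not ("CAfile" in opts or "CApath" in opts):
        findings.append(f"{name}: verify={level} without CAfile/CApath; no peer can be verified")
    if level >= 2 and server_mode:
        # In server mode, verify >= 2 makes stunnel send a certificate request to the client
        findings.append(f"{name}: server mode requests a client certificate; "
                        "clients that present none are rejected")
    if "NO_SSLv2" not in opts.get("options", ""):
        findings.append(f"{name}: SSLv2 is not disabled")
    return findings
```

Running `check_service("nntps", parse_stunnel_conf(SAMPLE_CONF)["nntps"])` on the attached configuration reports that `verify = 3` makes the server ask every NNTP client for a certificate that must itself be present in `comodo.cert`.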