[stunnel-users] Problems with cert

Ross n.e.tlviv+stunnel at gmail.com
Thu Nov 25 13:02:59 CET 2010


Hello,  we  were  using  Stunnel  4.25  for  a  long  time without any
problems.

We used "verify=3". Our client config file:

service = stunnel-client
cert = client.pem
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verify = 3
CApath = certificates
CAfile = CAcert.pem
client = yes
[rdp]
accept = 3398
connect = XX.XX.XX.XX:3398

But  after  switching  to  Stunnel  4.34 (preserving configuration) we
started to get errors:

2010.11.25 13:13:30 LOG5[8332:5336]: Service rdp-database accepted connection from 127.0.0.1:30082
2010.11.25 13:13:30 LOG5[8332:5336]: connect_blocking: connected 95.130.236.42:3398
2010.11.25  13:13:30  LOG5[8332:5336]:  Service rdp-database connected
remote server from XX.XX.XX.XX:30083
2010.11.25  13:13:30  LOG5[8332:5336]:  Certificate accepted: depth=1,
/C=UA/ST=Lviv/L=Lviv region/O=ROSS/OU=IT/emailAddress=bla at bla.com
2010.11.25 13:13:30 LOG4[8332:5336]: CERT: Certificate not found in local repository
2010.11.25   13:13:30   LOG4[8332:5336]:   Certificate  check  failed:
depth=0,                                          /C=UA/ST=Lviv/L=Lviv
region/O=ROSS/OU=IT/CN=OURSERVER/emailAddress=bala at bla.com
2010.11.25 13:13:30 LOG3[8332:5336]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2010.11.25 13:13:30 LOG5[8332:5336]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket


Main error is:
CERT: Certificate not found in local repository

Looks  like  stunnel  cannot  find  the hashed server's certificate in
C:\Program Files\stunnel\certificates (CApath = certificates)

We  tried  specifying  full  paths, but it does not help. Switching to
"verify=2"  (do  not  check server's cert) works ok. Also stunnel 4.25
(with verify=3) works ok on this configuration.

Could you help?
Ross





More information about the stunnel-users mailing list