[stunnel-users] Client certificates now required by default?
Wiest, Damian
damian.wiest at apervita.com
Thu Jul 7 21:31:56 CEST 2016
After building stunnel 5.34 from source I noticed that my old config
(5.22) was not working.

[dwiest@716161-compute2 ~]$ sudo ./stunnel /etc/stunnel/stunnel.conf
2016.07.07 14:07:41 LOG5[ui]: stunnel 5.34 on x86_64-unknown-linux-gnu platform
2016.07.07 14:07:41 LOG5[ui]: Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
2016.07.07 14:07:41 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP
2016.07.07 14:07:41 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf
2016.07.07 14:07:41 LOG5[ui]: UTF-8 byte order mark not detected
2016.07.07 14:07:41 LOG5[ui]: FIPS mode disabled
2016.07.07 14:07:41 LOG5[ui]: Configuration successful
2016.07.07 14:07:41 LOG5[cron]: Updating DH parameters
2016.07.07 14:07:42 LOG5[0]: Service [rabbitmq] accepted connection from 192.168.237.81:49535
2016.07.07 14:07:42 LOG3[0]: SSL_accept: Peer suddenly disconnected
2016.07.07 14:07:42 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2016.07.07 14:07:42 LOG5[1]: Service [rabbitmq] accepted connection from 192.168.237.81:49536
2016.07.07 14:07:42 LOG3[1]: SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

But I haven't enabled client certificate verification!

[dwiest@716161-compute2 ~]$ sudo grep verify /etc/stunnel/stunnel.conf
; verify = 2

I have to explicitly set verify to 0 or 1 in order to connect without
a client cert.

Is this intentional? The documentation suggests that by default no
verification should be taking place.

-Damian
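
The check below is an added example, not part of the original post and not stunnel's own code: a small Python script that reports, for each service in a stunnel.conf, whether verify is set explicitly or left to whatever the installed build defaults to, which a plain grep for "verify" cannot tell apart from a commented-out line. The sample configuration, the [amqp-admin] service, the ports and the certificate path are constructed, and the script assumes that a verify line placed before the first [section] acts as the default for the sections that follow.

```python
import re

# Constructed sample mirroring the post: the only verify line under
# [rabbitmq] is commented out; [amqp-admin] is a hypothetical second service.
SAMPLE_CONF = """\
[rabbitmq]
accept = 5671
connect = 127.0.0.1:5672
cert = /etc/stunnel/server.pem
; verify = 2

[amqp-admin]
accept = 15671
connect = 127.0.0.1:15672
verify = 0
"""

def effective_verify(conf_text):
    """Map each [service] to its explicit verify value, or None when the
    service relies on the build's implicit default."""
    global_verify = None   # verify seen before the first [section] (assumed default)
    services = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = section.group(1)
            services[current] = global_verify
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "verify":
            if current is None:
                global_verify = value.strip()
            else:
                services[current] = value.strip()
    return services

def implicit_services(conf_text):
    """Names of services whose verify level is not pinned in the file."""
    return sorted(n for n, v in effective_verify(conf_text).items() if v is None)

if __name__ == "__main__":
    for name, value in effective_verify(SAMPLE_CONF).items():
        shown = value if value is not None else "(not set, build default applies)"
        print(f"[{name}] verify = {shown}")
```

Services listed by implicit_services() are the ones whose behaviour can change across an upgrade such as the 5.22 to 5.34 move described above.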