[stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

David Faizulaev David.Faizulaev at nextnine.com
Tue May 17 15:08:33 CEST 2016


Latest update:
After further investigation, it became evident that Stunnel should run as client.
Therefore, I've converted my existing certs file (from my application) into a PEM file.
The file includes -----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----.

But I still get an error:

2016.05.17 15:57:24 LOG4[281]: CERT: Pre-verification error: self signed certificate in certificate chain
2016.05.17 15:57:24 LOG4[281]: Rejected by CERT at depth=1: CN=NextnineCA
2016.05.17 15:57:24 LOG3[281]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Here is the current configuration:

[custom]
client = yes
accept = 127.0.0.1:8449
connect = 192.168.220.62:443
verify = 2
CAfile = myapp.pem

Best Regards,
David.



David Faizulaev | PL/SQL Developer | T  +972 (3) 767 3026 | M +972 (54) 7314687

Centralized OT Security Management for Distributed SCADA/ICS Networks

 Please consider the environment before printing this e-mail

-----Original Message-----
From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Ludolf Holzheid
Sent: Tuesday, May 17, 2016 2:38 PM
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Configuring Stunnel to work between client and server - possible certificate issue

On Tue, 2016-05-17 11:13:26 +0000, David Faizulaev wrote:
> I see, I have a keystore file for the server, can it be set as KEY ? can I convert keystore to PEM?

I don't know.

Some key/certificate repositories don't allow to export private keys.
Maybe there is a PKCS11 plug-in for OpenSSL to access the keystore.
If this is the case, you don't have to export your private key.  But again, I don't know.

> Additionally, I've thought about configuring Stunnel in client mode.
> Here is the configuration:
> [..]

Running stunnel in client or server mode makes no difference w.r.t. certificate and key files.  As long as stunnel is not able to access your private key, the client mode won't work either.

HTH,

Ludolf

-- 

Ludolf Holzheid
 
Bihl+Wiedemann GmbH
Floßwörthstraße 41
68199 Mannheim, Germany
 
Tel: +49 621 33996-0
Fax: +49 621 3392239
 
mailto:lholzheid at bihl-wiedemann.de
http://www.bihl-wiedemann.de
 
Sitz der Gesellschaft: Mannheim
Geschäftsführer: Jochen Bihl, Bernhard Wiedemann Amtsgericht Mannheim, HRB 5796 _______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users


More information about the stunnel-users mailing list