[stunnel-users] sslv3 alert bad certificate

marko marko at half2.nl
Wed Dec 26 16:58:54 CET 2018


Hello all,

I'm using xmas for something useful - i.e. to configure a new server. 
After an install of stunnel 5.50 and generating the .pem and .key files 
with:

openssl req -new -x509 -nodes -out /usr/local/etc/stunnel/nw_stunnel.pem \
    -keyout /usr/local/etc/stunnel/nw_stunnel.key -days 1825

using these settings in the stunnel.conf:

cert = /usr/local/etc/stunnel/nw_stunnel.pem
key  = /usr/local/etc/stunnel/nw_stunnel.key
options = -NO_SSLv3
sslVersion = all

I got

LOG5[0]: Service [imaps] accepted connection from 192.168.1.3:64233
Dec LOG3[0]: SSL_accept: 14094412: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

Just wondering: this is a self issued CA-Cert. Does the bad certificate 
error refer to the unsafe ssl3-standard or is it a placeholder for the 
certificate being self-generated as well?

I'm currently on
[.] stunnel 5.50 on amd64-portbld-freebsd12.0 platform
[.] Compiled/running with OpenSSL 1.1.1a-freebsd  20 Nov 2018
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI

This configuration works with the same install procedure:
[.] stunnel 5.49 on i386-portbld-freebsd11.2 platform
[.] Compiled/running with OpenSSL 1.0.2o-freebsd  27 Mar 2018
[.] Threading:PTHREAD Sockets:POLL,IPv4 TLS:ENGINE,OCSP,PSK,SNI

Any insights into this matter are highly welcome.

Cheers, and merry youknowwhat,

Marko
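
Added example, not part of the original post and not stunnel or OpenSSL code: a Python sketch that decodes the packed OpenSSL 1.1.x error code from the log lines above. The reason field 0x412 is 1000 + 42, meaning TLS alert 42 (bad_certificate) was received from the peer during SSL_accept; "sslv3 alert" is OpenSSL's legacy name for that alert and does not indicate the negotiated protocol version. The function names and the alert table subset are this example's own.

```python
import re

# OpenSSL 1.0.x/1.1.x pack an error as lib (8 bits) | func (12 bits) | reason (12 bits).
# OpenSSL 3.x changed this layout, so the decoder applies to the versions in the post.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reason >= 1000: a fatal alert received from the peer

# Subset of TLS alert descriptions (RFC 5246, section 7.2)
ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version",
}

# Matches stunnel error lines such as "LOG3[0]: SSL_accept: 14094412: error:14094412:..."
ERR_RE = re.compile(r"LOG3\[\d+\]: (SSL_\w+): [0-9A-Fa-f]+: error:([0-9A-Fa-f]{8}):")

def decode(code_hex):
    """Split a packed OpenSSL 1.1.x error code into lib, func, reason and alert."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert}

def explain(log_text):
    """Return one finding per TLS error line, stating which side raised it."""
    findings = []
    for m in ERR_RE.finditer(log_text):
        call, info = m.group(1), decode(m.group(2))
        if info["alert"] is None:
            findings.append(f"{call}: local OpenSSL error, reason {info['reason']}")
            continue
        name = ALERTS.get(info["alert"], "unlisted")
        # SSL_accept means stunnel is the server, so the alert came from the client
        peer = "client" if call == "SSL_accept" else "server"
        findings.append(f"{call}: {peer} sent alert {info['alert']} ({name})")
    return findings

# Log lines from the post, with the wrapped error line joined
SAMPLE = """LOG5[0]: Service [imaps] accepted connection from 192.168.1.3:64233
Dec LOG3[0]: SSL_accept: 14094412: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""

if __name__ == "__main__":
    for line in explain(SAMPLE):
        print(line)
```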


