[stunnel-users] OCSP problem - wrong cert validated

Mark Currie mark at ziliant.com
Thu Jul 11 14:05:27 CEST 2019


Hi,

I am having a problem using OCSP with Stunnel.

client: stunnel-5.55, server: stunnel-5.49, both using openssl-1.0.2k-fips.

When I use the openssl ocsp command it works fine e.g.:

openssl ocsp -issuer idca-rootca.pem -CAfile idca-rootca.pem -cert server-cert.pem -url http://10.0.0.166:40040

Response verify OK
server-cert.pem: good

Wireshark: OCSP request contains the server cert serial number, and OCSP
response returns "certStatus: good(0)".

However, when I use Stunnel the OCSP lookup fails (Connection reset by
peer), and in the Stunnel log I get:

LOG3[0]: OCSP: OCSP_basic_verify: ocsp_vfy.c:166: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted

Wireshark: OCSP request now contains the issuer (idca) instead of the server
cert serial number, and the OCSP response returns "certStatus: unknown (2)".

I have tried various combinations of cert and CA pem files, e.g. server cert
on its own, then including idca, then including both idca and rootca. I have
also tried all combinations of CA cert, even including all certs in it.

I am testing Stunnel using SSH over TLS and here are the configs:

Stunnel client config:

[ssh]
CAfile = idca-rootca.pem
cert = client-cert.pem
key = client-key.pem
accept = 40010
connect = 10.0.0.166:40010
verifyPeer = yes
OCSP = http://10.0.0.166:40040

Stunnel server config:

[sshd]
CAfile = idca-rootca.pem
cert = server-cert.pem
key = server-key.pem
accept = 10.0.0.166:40010
connect = 22

Appreciate any help with this problem.
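The openssl side of the exchange described in this mail, as an added example that is not part of the original post and not stunnel's own code: a shell script that uses only the openssl CLI to build a throwaway root CA and three server certificates, write an OCSP request for each, answer it with openssl's file-based responder mode (no listener, no network), and then verify the answer against a CAfile the way a client would. It shows two things a practitioner wants to check when an OCSP lookup misbehaves: the serial number actually carried in the request (the CertID value a packet capture shows) and the status the responder returns for a listed, a revoked and an unlisted serial. All CA and certificate names, the serials and the index.txt contents are constructed for the demo; it assumes an openssl binary (1.0.2 or later) with its default configuration file available.

```shell
#!/bin/sh
# Constructed example: reproduce an OCSP exchange entirely offline with the
# openssl CLI (throwaway CA, file-based responder, no listener), so one can
# check which serial a request carries and what status the response gives.
# Every CA name, cert name and serial below is made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Issue a cert named $1 with serial $2, signed by the throwaway root "ca.pem".
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key \
        -set_serial "$2" -days 30 -out "$1.pem" >/dev/null 2>&1
}

# Build the PKI: one root, three leaves. index.txt is the responder database
# in openssl's tab-separated index format (status, expiry, revocation date,
# serial in hex, file name, subject). "unlisted" is deliberately absent.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=Test-Root \
        -keyout ca.key -out ca.pem >/dev/null 2>&1
    issue listed   0x1234
    issue revoked  0x9ABC
    issue unlisted 0x5678
    printf 'V\t300101000000Z\t\t1234\tunknown\t/CN=listed\n'               >  index.txt
    printf 'R\t300101000000Z\t190711120000Z\t9ABC\tunknown\t/CN=revoked\n' >> index.txt
}

# Write a DER request for cert $1 to file $2 and print the serial it carries:
# this is the CertID serial a packet capture of the request would show.
request_serial() {
    openssl ocsp -issuer ca.pem -cert "$1" -no_nonce -reqout "$2" >/dev/null 2>&1
    openssl ocsp -reqin "$2" -text 2>/dev/null | awk '/Serial Number:/ {print $NF}'
}

# Answer request $1 from index.txt, signing as the CA itself, into file $2.
# The exit status of openssl in responder mode differs between versions, so
# success is judged by the response file having been written.
respond() {
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -ndays 1 -no_nonce -reqin "$1" -respout "$2" -noverify >/dev/null 2>&1 || true
    [ -s "$2" ]
}

# Verify response $1 against CA bundle $2 the way a client does and print the
# status it reports for cert $3 (good / revoked / unknown), or "verify-failed"
# when the response does not verify with that bundle.
client_status() {
    out=$(openssl ocsp -respin "$1" -CAfile "$2" -issuer ca.pem -cert "$3" \
              -no_nonce 2>&1 || true)
    case "$out" in
        *"Response verify OK"*)
            printf '%s\n' "$out" | awk -v n="$3:" '$1 == n {print $2}' ;;
        *)  echo verify-failed ;;
    esac
}

make_pki
for c in listed revoked unlisted; do
    echo "$c.pem: request carries serial $(request_serial "$c.pem" "$c.req")"
    respond "$c.req" "$c.resp"
    echo "$c.pem: responder says $(client_status "$c.resp" ca.pem "$c.pem")"
done
```

Running it prints, for each certificate, the serial found in the request followed by the verified status: good for the listed serial, revoked for the one marked R in index.txt, and unknown for the serial the responder has never heard of. The same request_serial and client_status helpers can be pointed at a request or response captured from a real exchange (openssl's -reqin and -respin read DER files) to confirm which serial was queried and whether the response verifies against the CAfile a client is configured with.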