Re: [stunnel-users] Cert errors ....... need help!

03-17-2005
Richard Houston
 

Update:

I have turned on debugging on the client side and have found the following
errors:

2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server
hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to
get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER
CERT/CN=XXXX/emailAddress=sysadminXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)

Any ideas?





Regards,
+------------------------------------------+
| Richard Houston .^. |
| R.L.H. Consulting /V\ |
| E-Mail <rhouston@rlhc.net> /( )\ |
| WWW <www.rlhc.net> ^^-^^ |
+------------------------------------------+

Richard Houston said:
> Hi all,
>
> I have taken over a stunnel install and all the clients' certs have expired.
>
> I have been trying for the past 2 days to get the new setup to work but
> no such luck.
>
> Here is the error I get on the server side, Linux Fedora Core 3, Stunnel
> 4.05:
>
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
> 2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from
> XXX.XXX.XXX.XX:1414
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept):
> before/accept initialization
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read
> client hello A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> write server hello A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> write certificate A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> write certificate request A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> flush data
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
> 2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
> 2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal:
> certificate unknown
> 2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown
> 2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
>
> And here is the output on the client side:
>
> 005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu
> WIN32 with OpenSSL 0.9.7 31 Dec2002
> 2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
> 2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
> 2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
> 2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1,
> /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX
> CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin@XXXX
> 2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for
> /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER
> CERT/CN=XXXXX/emailAddress=sysadmin@XXXX
> 2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
>
> I have created the certs on both server and client according to the
> documents at
> http://www.stunnel.org/faq/openssl_s...ClientAuth.txt.
>
> I have the cacert.pem file on the client side, I have c_hashed the cert
> file on the server side. Do I need to put the c_hash of the server side
> cert on the client as well?
>
> Is there something I have missed? Any ideas as to what I can check to see
> where the issue is?
>
> I am desperate, any help would be greatly appreciated.
>
>
> Regards,
> +------------------------------------------+
> | Richard Houston .^. |
> | R.L.H. Consulting /V\ |
> | E-Mail <rhouston@rlhc.net> /( )\ |
> | WWW <www.rlhc.net> ^^-^^ |
> +------------------------------------------+
>
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users@mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
>
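The `unable to get local issuer certificate` error in the client log above can be reproduced with `openssl verify`; the script below is an added example, not part of the original post. It assumes an `openssl` binary on the PATH, and every key, certificate, subject name and directory in it is constructed. It shows that a certificate directory (CApath) is searched only by `<subject-hash>.0` file names, the names the c_hash step mentioned in the post reports, while a single CA file is read directly.

```shell
#!/bin/sh
# Added example. All keys, certificates and subject names are constructed
# in a temp dir; nothing here comes from the poster's installation.

make_demo_pki() {    # $1 = work dir: builds a CA and a server cert signed by it
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example/OU=CACERT/CN=demo-ca" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example/OU=STUNNEL SERVER CERT/CN=demo-server" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -set_serial 1 -days 1 \
        -out "$1/server.pem" 2>/dev/null
}

verify_with() {      # $1 = cert to check, rest = trust options for openssl verify
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1) || true
    case $out in
        *"unable to get local issuer certificate"*) echo missing-issuer ;;
        *": OK"*) echo ok ;;
        *) echo other-failure ;;
    esac
}

hash_into_capath() { # $1 = CA cert, $2 = CApath dir; installs it as <hash>.0
    h=$(openssl x509 -noout -hash -in "$1")
    cp "$1" "$2/$h.0"
}

run_demo() {         # prints the four outcomes, space separated
    d=$(mktemp -d) || return 1
    make_demo_pki "$d"
    r1=$(verify_with "$d/server.pem" -CApath "$d/certs")   # empty CApath
    cp "$d/cacert.pem" "$d/certs/cacert.pem"
    r2=$(verify_with "$d/server.pem" -CApath "$d/certs")   # CA present, not hash-named
    hash_into_capath "$d/cacert.pem" "$d/certs"
    r3=$(verify_with "$d/server.pem" -CApath "$d/certs")   # CA present as <hash>.0
    r4=$(verify_with "$d/server.pem" -CAfile "$d/cacert.pem")
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

run_demo
```

The same `verify_with` check can be pointed at real files: pass the peer's certificate as the first argument and the verifying side's own `-CAfile` or `-CApath` setting as the rest.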

