Re: [stunnel-users] Cert errors ....... need help!
Hi Richard
Verify=3 means the stunnel server checks the subject part of the client certificate, so you need to put each client certificate file in your stunnel server in a certain way. Try to use verify=2, which only checks the CA cert portion.

regards
taka

On Thu, 17 Mar 2005 13:13:05 -0600 (CST), Richard Houston <rhouston@rlhc.net> wrote:
> Update:
>
> I have turned on debugging on the client side and have found the following
> errors:
>
> 2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
> 2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER CERT/CN=XXXX/emailAddress=sysadminXXXX
> 2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
> 2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
>
> Any ideas?
>
> Regards,
> +------------------------------------------+
> | Richard Houston                    .^.   |
> | R.L.H. Consulting                  /V\   |
> | E-Mail <rhouston@rlhc.net>        /( )\  |
> | WWW <www.rlhc.net>                ^^-^^  |
> +------------------------------------------+
>
> Richard Houston said:
>> Hi all,
>>
>> I have taken over a stunnel install and all the clients' certs have
>> expired.
>>
>> I have been trying for the past 2 days to get the new setup to work but
>> no such luck.
>>
>> Here is the error I get on the server side, Linux Fedora Core 3, Stunnel
>> 4.05:
>>
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
>> 2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from XXX.XXX.XXX.XX:1414
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): before/accept initialization
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read client hello A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write server hello A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 write certificate request A
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 flush data
>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal: certificate unknown
>> 2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
>>
>> And here is the output on the client side:
>>
>> 2005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7 31 Dec 2002
>> 2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
>> 2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
>> 2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
>> 2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1, /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin@XXXX
>> 2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXX/emailAddress=sysadmin@XXXX
>> 2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>> I have created the certs on both server and client according to the
>> documents at
>> http://www.stunnel.org/faq/openssl_s...ClientAuth.txt.
>>
>> I have the cacert.pem file on the client side, and I have c_hashed the cert
>> file on the server side. Do I need to put the c_hash of the server side
>> cert on the client as well?
>>
>> Is there something I have missed? Any ideas as to what I can check to see
>> where the issue is?
>>
>> I am desperate, any help would be greatly appreciated.
>>
>> Regards,
>> +------------------------------------------+
>> | Richard Houston                    .^.   |
>> | R.L.H. Consulting                  /V\   |
>> | E-Mail <rhouston@rlhc.net>        /( )\  |
>> | WWW <www.rlhc.net>                ^^-^^  |
>> +------------------------------------------+

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users