[stunnel-users] Cert errors ....... need help!

Richard Houston rhouston at rlhc.net
Thu Mar 17 20:13:05 CET 2005


Update:

I have turned on debugging on the client side and have found the following
errors:

2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server
hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to
get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER
CERT/CN=XXXX/emailAddress=sysadminXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)

Any ideas?
Regards,
+------------------------------------------+
| Richard Houston                  .^.     |
| R.L.H.  Consulting               /V\     |
| E-Mail  <rhouston at rlhc.net>    /(   )\   |
| WWW     <www.rlhc.net>          ^^-^^    |
+------------------------------------------+
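An added example (not from this thread or from the stunnel project) that reproduces the two client-side errors shown above with throwaway certificates. "unable to get local issuer certificate" at depth=0 means the CA that issued the server's certificate is not in the client's CAfile/CApath; the earlier "VERIFY ERROR ONLY MY: no cert for ..." is what stunnel logs at verify = 3, where the peer's own certificate must also be present in the local store, so it is not enough to hash only the CA. The CA names, file names and the peer_cert_installed lookup (an emulation of that level-3 check, not stunnel's code) are constructed for the example; it only needs a working openssl binary.

```shell
#!/bin/sh
# Added example (not from the stunnel-users thread): reproduce the client-side
# "unable to get local issuer certificate" verify error with throwaway certs,
# then show the two things a client trust store has to contain: the issuing CA
# (verify = 2) and, for verify = 3, the peer's own certificate in the hashed
# CApath. All names below are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"
mkdir -p "$CAPATH"

# Build a throwaway CA, a server cert it signed, and an unrelated CA
# (constructed test data, 2048-bit RSA, valid for one day).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo CA" \
    -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo stunnel server" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cacert.key" -set_serial 1 -days 1 \
    -out "$WORK/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated CA" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
}

# verify_chain CERT -CAfile FILE | -CApath DIR
# Prints "ok" when the chain verifies, otherwise the verify error text,
# e.g. "unable to get local issuer certificate" (error 20 at depth 0).
verify_chain() {
  cert=$1; shift
  out=$(openssl verify "$@" "$cert" 2>&1) || true   # old openssl exits 0 on failure
  case "$out" in
    *": OK"*)          echo ok ;;
    *"depth lookup:"*) printf '%s\n' "$out" | sed -n 's/.*depth lookup:[[:space:]]*//p' | head -n 1 ;;
    *)                 echo "unexpected: $out" ;;
  esac
}

# install_hashed DIR CERT: copy CERT into DIR as <subject_hash>.<n>, the
# layout c_rehash produces and the one CApath lookups expect.
install_hashed() {
  h=$(openssl x509 -in "$2" -noout -subject_hash)
  n=0
  while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
  cp "$2" "$1/$h.$n"
}

# peer_cert_installed DIR CERT: "yes" if that exact certificate is in the
# hashed DIR, "no" otherwise. Emulates (assumption) the extra lookup stunnel
# performs at verify = 3: the CA being present is not sufficient there.
peer_cert_installed() {
  h=$(openssl x509 -in "$2" -noout -subject_hash)
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  for f in "$1/$h".*; do
    [ -f "$f" ] || continue
    if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$want" ]; then
      echo yes; return 0
    fi
  done
  echo no
}

make_demo_pki
echo "right CA in CAfile:        $(verify_chain "$WORK/server.pem" -CAfile "$WORK/cacert.pem")"
echo "wrong CA in CAfile:        $(verify_chain "$WORK/server.pem" -CAfile "$WORK/other-ca.pem")"
install_hashed "$CAPATH" "$WORK/cacert.pem"
echo "CA in hashed CApath:       $(verify_chain "$WORK/server.pem" -CApath "$CAPATH")"
echo "peer cert in CApath (v=3): $(peer_cert_installed "$CAPATH" "$WORK/server.pem")"
install_hashed "$CAPATH" "$WORK/server.pem"
echo "after installing peer:     $(peer_cert_installed "$CAPATH" "$WORK/server.pem")"
```

Running it prints "ok" for the right CA, the same "unable to get local issuer certificate" text as in the stunnel log for the wrong one, and "no" then "yes" for the peer-certificate lookup before and after the server's own certificate is hashed into the directory; that is the same progression a client goes through between the two error messages quoted in this thread.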

Richard Houston said:
> Hi all,
>
> I have taken over a stunnel install and all the client certs have expired.
>
> I have been trying for the past 2 days to get the new setup to work but
> no such luck.
>
> Here is the error I get on the server side, Linux Fedora Core 3, Stunnel
> 4.05:
>
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
> 2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from
> XXX.XXX.XXX.XX:1414
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept):
> before/accept initialization
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3 read
> client hello A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> write server hello A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> write certificate A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> write certificate request A
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
> flush data
> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7, DIR=read
> 2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
> 2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal:
> certificate unknown
> 2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown
> 2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
>
> And here is the output on the client side:
>
> 005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu
> WIN32 with OpenSSL 0.9.7 31 Dec2002
> 2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
> 2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients allowed
> 2005.03.17 11:21:03 LOG5[952:1152]: schools connected from 127.0.0.1:1413
> 2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1,
> /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX
> CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin at XXXX
> 2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for
> /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER
> CERT/CN=XXXXX/emailAddress=sysadmin at XXXX
> 2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
>
> I have created the certs on both server and client according to the
> documents at
> http://www.stunnel.org/faq/openssl_stunnel_ServerClientAuth.txt.
>
> I have the cacert.pem file on the client side, I have c_hashed the cert
> file on the server side. Do I need to put the c_hash of the server side
> cert on the client as well?
>
> Is there something I have missed? Any ideas as to what I can check to see
> where the issue is?
>
> I am desperate, any help would be greatly appreciated.
>
>
> Regards,
> +------------------------------------------+
> | Richard Houston                  .^.     |
> | R.L.H.  Consulting               /V\     |
> | E-Mail  <rhouston at rlhc.net>    /(   )\   |
> | WWW     <www.rlhc.net>          ^^-^^    |
> +------------------------------------------+
>
>