[stunnel-users] Cert errors ....... need help!

Richard Houston rhouston at rlhc.net
Thu Mar 17 20:52:39 CET 2005


K, errors are a bit different this time.....


Server:

2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): before/accept initialization
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 read client hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write server hello A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 write certificate request A
2005.03.17 13:57:56 LOG7[13122:3086949296]: SSL state (accept): SSLv3 flush data
2005.03.17 13:57:56 LOG7[13122:3086949296]: waitforsocket: FD=7, DIR=read
2005.03.17 13:58:00 LOG7[13122:3086949296]: waitforsocket: ok
2005.03.17 13:58:00 LOG4[13122:3086949296]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=XXXX_XXXX_XXXX/CN=XXXXXXXXXX/emailAddress=sysadmin at XXXX
2005.03.17 13:58:00 LOG7[13122:3086949296]: SSL alert (write): fatal: bad certificate
2005.03.17 13:58:00 LOG3[13122:3086949296]: SSL_accept: 140890B2: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2005.03.17 13:58:00 LOG7[13122:3086949296]: school4 finished (0 left)


Client:

2005.03.17 13:02:46 LOG7[768:1148]: remote connect #1: EWOULDBLOCK: retrying
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=write
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:46 LOG7[768:1148]: remote connect #2: EINVAL: ok
2005.03.17 13:02:46 LOG7[768:1148]: Remote FD=688 initialized
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): before/connect initialization
2005.03.17 13:02:46 LOG7[768:1148]: SSL state (connect): SSLv3 write client hello A
2005.03.17 13:02:46 LOG7[768:1148]: waitforsocket: FD=688, DIR=read
2005.03.17 13:02:49 LOG7[768:1148]: waitforsocket: ok
2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read server hello A
2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=CA/ST=Manitoba/O=XXXX/OU=STUNNEL SERVER CERT/CN=XXXXXXXXXXX/emailAddress=sysadmin at XXXXXXX
2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad certificate
2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)

What should I check next? Is it possible I screwed up making the certs?

Thanks again for your continued help.


Regards,
+------------------------------------------+
| Richard Houston                  .^.     |
| R.L.H.  Consulting               /V\     |
| E-Mail  <rhouston at rlhc.net>    /(   )\   |
| WWW     <www.rlhc.net>          ^^-^^    |
+------------------------------------------+

Jan Meijer said:
> On Thu, 17 Mar 2005, Richard Houston wrote:
>
>> I have replaced the keys already. These are new keys altogether.
>
> It's not the keys that are wrong, they're in the wrong places.  The verify
> failure indicates just that: both server and client have problems
> verifying the authenticity of one another.
>
> Now try this.
>
> At the server side:
>
> -change verify in '=2'
>
> At the client side:
>
> Make sure the client certificate is not commented out as it looks like in
> your config:
>
>> CApath=c:\stunnel
>> #cert=c:\stunnel\traf-test.pem
>
> Without a certificate at the client side there's no way the client will
> ever authenticate to your 'verify = 2' server.
>
> Secondly; remove the 'CAPath' directive from your client configuration and
> add the 'CAfile = /etc/stunnel/cacert.pem' to it.  Do make sure you copy
> the cacert.pem to your client ;).
>
> I trust you did not include the private key of your CA in cacert.pem ;).
>
> Let me know what happens.
>
> Jan
> --
> http://www.surfnet.nl/organisatie/jame
>
>
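The "unable to get local issuer certificate" line in both logs is OpenSSL's verify error 20: the peer presented a certificate, but the verifier could not find the CA that signed it in whatever CAfile/CApath it was given. The script below is an added example, not code from this thread or from the stunnel project. It builds a throw-away CA with the openssl command-line tool (subject names are constructed), issues a server and a client certificate, and reproduces the error under the two conditions Jan's reply points at: a CApath directory that merely contains cacert.pem (stunnel and openssl look the issuer up by a hash-named file, so an un-hashed directory never matches) and a CAfile that is not the signing CA. It also checks that cacert.pem carries no "PRIVATE KEY" block, which is the last point in Jan's reply. The function names and the temporary directory layout are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: reproduce stunnel's
# "unable to get local issuer certificate" with a throw-away CA and show
# which trust-store setting makes verification succeed.
# Subject names are constructed; nothing here touches a real deployment.
set -u

WORK=$(mktemp -d)

# Throw-away CA: self-signed certificate plus its private key, kept in
# separate files so the key never ends up in cacert.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" \
        -subj "/C=CA/ST=Manitoba/O=Example/CN=Example stunnel CA" 2>/dev/null
}

# Issue a leaf certificate signed by the CA:  issue_cert NAME CN
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/C=CA/ST=Manitoba/O=Example/CN=$2" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.pem" 2>/dev/null
}

# verify_with_cafile CERT CAFILE -> exit 0 if the chain verifies, non-zero
# otherwise. This is the lookup stunnel does for "CAfile = cacert.pem".
verify_with_cafile() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# verify_with_capath CERT DIR -> exit 0 on success, non-zero otherwise.
# OpenSSL (and so stunnel's CApath) finds the issuer by a <subject-hash>.0
# filename; a directory that only contains cacert.pem yields error 20.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Make a directory usable as CApath by adding the hash-named link.
hash_capath() {
    h=$(openssl x509 -noout -hash -in "$1/cacert.pem")
    ln -sf cacert.pem "$1/$h.0"
}

# cafile_leaks_private_key FILE -> exit 0 if a PRIVATE KEY block is present.
cafile_leaks_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

demo() {
    make_ca
    issue_cert server stunnel-server
    issue_cert client stunnel-client

    verify_with_cafile "$WORK/server.pem" "$WORK/cacert.pem" \
        && echo "CAfile=cacert.pem: server cert verifies" || return 1

    # Wrong CAfile: the client cert is not the issuer of the server cert.
    verify_with_cafile "$WORK/server.pem" "$WORK/client.pem" \
        && return 1 || echo "CAfile=client.pem: unable to get local issuer certificate"

    mkdir -p "$WORK/capath"; cp "$WORK/cacert.pem" "$WORK/capath/"
    verify_with_capath "$WORK/client.pem" "$WORK/capath" \
        && return 1 || echo "un-hashed CApath: unable to get local issuer certificate"

    hash_capath "$WORK/capath"
    verify_with_capath "$WORK/client.pem" "$WORK/capath" \
        && echo "hashed CApath: client cert verifies" || return 1

    cafile_leaks_private_key "$WORK/cacert.pem" && return 1
    echo "cacert.pem contains no private key"
}

demo
```

Read the two sides of the thread's logs against this: the client's error is the server certificate failing against whatever the client was using as CApath, and the server's "no certificate returned" means the client sent nothing to verify at all, which is what a commented-out cert= line produces. Pointing both ends at the same cacert.pem via CAfile, and uncommenting cert= on the client, is exactly the change the reply above asks for.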



