[stunnel-users] I: error=certificate signature failure

Pulcini Maddalena maddalena.pulcini at elsag.it
Thu Nov 3 09:30:38 CET 2005


 

________________________________

From: Pulcini Maddalena
Sent: Thu 03/11/2005 8.58
To: stunnel
Subject: I: error=certificate signature failure

________________________________

From: Pulcini Maddalena
Sent: Wed 02/11/2005 17.14
To: stunnel
Subject: error=certificate signature failure


Hi All,
 
Could someone help me understand what is happening and what my client needs in order to verify the peer?
 
Thanks & Regards
 
I configured stunnel this way:
 
stunnel.conf
================================
client = yes
debug=7
cert = client69f.pem
key = chiave69.pem
cafile=cacert.pem
verify = 1
capath= .
    
[telnet]
accept = 23
connect = 10.36.3.191:4433
============================
 
I put all the files configured above in the same directory where stunnel-4.07.exe runs.
 
I have a machine on which an SSL server runs with a certificate signed by the same CA (cacert.pem).
 
The log file is:
 
======================================
2005.11.02 16:33:47 LOG5[1456:1084]: stunnel 4.07 on x86-pc-mingw32-gnu WIN32+IPv4 with OpenSSL 0.9.7f 22 Mar 2005
2005.11.02 16:33:47 LOG7[1456:1504]: Snagged 64 random bytes from C:/.rnd
2005.11.02 16:33:47 LOG7[1456:1504]: Wrote 1024 new random bytes to C:/.rnd
2005.11.02 16:33:47 LOG7[1456:1504]: RAND_status claims sufficient entropy for the PRNG
2005.11.02 16:33:47 LOG6[1456:1504]: PRNG seeded successfully
2005.11.02 16:33:47 LOG7[1456:1504]: Certificate: client69f.pem
2005.11.02 16:33:47 LOG7[1456:1504]: Key file: chiave69.pem
2005.11.02 16:33:47 LOG7[1456:1504]: Loaded verify certificates from cacert.pem
2005.11.02 16:33:47 LOG7[1456:1504]: Verify directory set to .
2005.11.02 16:33:47 LOG5[1456:1504]: No limit detected for the number of clients
2005.11.02 16:33:47 LOG7[1456:1504]: FD 156 in non-blocking mode
2005.11.02 16:33:47 LOG7[1456:1504]: SO_REUSEADDR option set on accept socket
2005.11.02 16:33:47 LOG7[1456:1504]: telnet bound to 0.0.0.0:23
2005.11.02 16:34:14 LOG7[1456:1504]: telnet accepted FD=168 from 127.0.0.1:2501
2005.11.02 16:34:14 LOG7[1456:1504]: FD 168 in non-blocking mode
2005.11.02 16:34:14 LOG7[1456:1504]: Creating a new thread
2005.11.02 16:34:14 LOG7[1456:1504]: New thread created
2005.11.02 16:34:14 LOG7[1456:1320]: telnet started
2005.11.02 16:34:14 LOG5[1456:1320]: telnet connected from 127.0.0.1:2501
2005.11.02 16:34:14 LOG7[1456:1320]: FD 192 in non-blocking mode
2005.11.02 16:34:14 LOG7[1456:1320]: telnet connecting 10.36.3.191:4433
2005.11.02 16:34:14 LOG7[1456:1320]: connect_wait: waiting 10 seconds
2005.11.02 16:34:14 LOG7[1456:1320]: connect_wait: connected
2005.11.02 16:34:14 LOG7[1456:1320]: Remote FD=192 initialized
2005.11.02 16:34:14 LOG7[1456:1320]: SSL state (connect): before/connect initialization
2005.11.02 16:34:14 LOG7[1456:1320]: SSL state (connect): SSLv3 write client hello A
2005.11.02 16:34:14 LOG7[1456:1320]: SSL state (connect): SSLv3 read server hello A
2005.11.02 16:34:14 LOG4[1456:1320]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=Siena/O=amtec/OU=elsag/CN=CERTIFICATION AUTHORITY 2.0/description=CA CERTIFICATE/L=Abbadia San Salvatore
2005.11.02 16:34:14 LOG7[1456:1320]: SSL alert (write): fatal: handshake failure
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: 14090086 : error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: D089006 : error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib
2005.11.02 16:34:14 LOG3[1456:1320]: SSL_connect: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
2005.11.02 16:34:14 LOG7[1456:1320]: telnet finished (0 left)
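
Added example, not part of the original post and not stunnel's own code: a small Python triage script for a debug log like the one above. It reports, per connection thread, the depth and subject of each VERIFY ERROR (depth 0 is the peer's own certificate, depth 1 and above is a CA certificate in its chain) and splits the OpenSSL error codes into library, function and reason. The names `triage` and `unpack` are chosen here, and the 8/12/12-bit code layout is the pre-3.0 OpenSSL packing, which matches the 0.9.7f build in the log.

```python
import re

# Sample input: the failing connection's lines, copied from the log in the post above.
SAMPLE_LOG = """\
2005.11.02 16:34:14 LOG7[1456:1320]: SSL state (connect): SSLv3 read server hello A
2005.11.02 16:34:14 LOG4[1456:1320]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=Siena/O=amtec/OU=elsag/CN=CERTIFICATION AUTHORITY 2.0/description=CA CERTIFICATE/L=Abbadia San Salvatore
2005.11.02 16:34:14 LOG7[1456:1320]: SSL alert (write): fatal: handshake failure
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: 14090086 : error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2005.11.02 16:34:14 LOG3[1456:1320]: error stack: D089006 : error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib
2005.11.02 16:34:14 LOG3[1456:1320]: SSL_connect: 4077068: error:04077068:rsa routines:RSA_verify:bad signature
"""

# "<date> <time> LOG<level>[<pid>:<thread>]: <message>"
LINE = re.compile(r"^\S+ \S+ LOG\d\[\d+:(\d+)\]: (.*)$")
VERIFY = re.compile(r"^VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
ERRSTR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

def unpack(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Return {thread_id: summary} for every thread that logged a VERIFY ERROR."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a stunnel log line
        tid, msg = m.groups()
        v = VERIFY.match(msg)
        if v:
            depth = int(v.group(1))
            findings[tid] = {
                "depth": depth,
                "error": v.group(2),
                "subject": v.group(3),
                "failing_cert": "peer certificate" if depth == 0
                                else "CA certificate in chain",
                "stack": [],
            }
            continue
        e = ERRSTR.search(msg)
        if e and tid in findings:
            # Keep the numeric triple next to the library and reason strings.
            findings[tid]["stack"].append((unpack(e.group(1)), e.group(2), e.group(4)))
    return findings
```

For the log above, the result points at the CA certificate (depth 1) rather than the server's own certificate, with the innermost error coming from the RSA signature check.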
 
 
 


