[stunnel-users] Authenticate both client and server?

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Mon Nov 23 10:34:22 CET 2009


On Fri, 2009-11-20 14:17:53 +0000, Kārlis Repsons wrote:
> [..]
> 
> Nov 20 13:12:35 client stunnel: LOG4[14547:140719468951888]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=LV/O=11.lv/CN=server
> Nov 20 13:12:35 client stunnel: LOG3[14547:140719468951888]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Kārlis,

This says the certificate chain cannot be followed up to the root CA.
Maybe there are intermediate certificates that are found by openssl
but not by stunnel.

I'm using self-signed certificates only, so I'm not sure, but the
stunnel man page says:

>>     cert = pemfile
>>         certificate chain PEM file name
>> 
>>         A PEM is always needed in server mode.  Specifying this
>>         flag in client mode will use this certificate chain as a
>>         client side certificate chain.  Using client side certs is
>>         optional.  The certificates must be in PEM format and must
>>         be sorted starting with the certificate to the highest
>>         level (root CA).

I think this says that the file given in the 'cert=' line in stunnel.conf
must include the whole certificate chain.

> I also tried with adding root-ca.pem to the bottom of server and
> client .pem, but the same bum. Do you have any idea at this point?

The man page says this has to be the other way 'round (starting with
CA).

> [..]
> Why doesn't the stunnel man page mention a single word 'ln' or 'link'?

It doesn't mention 'cd' or 'cp' either. ;-)

There is no need to create _links_ to the certificate files. It is
mentioned which directory entries stunnel looks for while verifying
certificates, but it would work perfectly well if you used the certificate
hash as the _file_name_. However, c_rehash is convenient.

HTH,

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
