I have built stunnel with a few changes to run in a QThread (Qt 6.9.1) for Android. My Qt App starts stunnel at the start of execution and stops it when my Qt application exits. This all works fine (I need to review and clean up my stunnel changes before I use my solution for real), but I cannot get certification to work. Here are two test runs, one with verify set to 0 (works) and one with verify set to 2 (fails).
What needs to change in my stunnel.conf file?
Thanks.
(obfuscated details)
stunnel.conf
foreground = yes
debug = 6

[mariadb]
CAstore = /data/misc/user/0/cacerts-added
CApath = /data/misc/user/0/cacerts-added
client = yes
accept = 127.0.0.1:3307
connect = remote_server:3307
verify = 0
Works:
I/stunnel : LOG6[ui]: Initializing inetd mode configuration
I/stunnel : LOG5[ui]: stunnel 5.75 on android-mobile-device platform
I/stunnel : LOG5[ui]: Compiled/running with OpenSSL 3.1.1 30 May 2023
I/stunnel : LOG5[ui]: Threading:PTHREAD Sockets:SELECT,IPv4 TLS:ENGINE,OCSP,PSK,SNI
I/stunnel : LOG6[ui]: Initializing inetd mode configuration
I/stunnel : LOG5[ui]: Reading configuration from buffer 0x7280e409b640
I/stunnel : LOG5[ui]: UTF-8 byte order mark not detected
I/stunnel : LOG6[ui]: Compression disabled
I/stunnel : LOG6[ui]: Initializing service [mariadb]
I/stunnel : LOG6[ui]: stunnel default security level set: 2
I/stunnel : LOG6[ui]: Session resumption enabled
I/stunnel : LOG6[ui]: Configured trusted server CA: C=AU, ST=Florida, L=York, O=Home, OU=Whiskey, CN=Michael, [email protected]
W/stunnel : LOG4[ui]: Service [mariadb] needs authentication to prevent MITM attacks
I/stunnel : LOG6[ui]: DH initialization skipped: client section
I/stunnel : LOG5[ui]: Configuration successful
I/stunnel : LOG6[ui]: Service [mariadb] (FD=117) bound to 127.0.0.1:3307
I/stunnel : LOG6[ui]: Accepting new connections
I/stunnel : LOG6[per-day]: Executing per-day jobs
I/stunnel : LOG6[per-day]: Per-day jobs completed in 0 seconds
I/stunnel : LOG5[0]: Service [mariadb] accepted connection from 127.0.0.1:36802
I/stunnel : LOG6[0]: s_connect: connecting 192.168.0.1:3307
I/stunnel : LOG5[0]: s_connect: connected 192.168.0.1:3307
I/stunnel : LOG5[0]: Service [mariadb] connected remote server from 10.0.2.16:58660
I/stunnel : LOG6[0]: SNI: sending servername: remote_server
I/stunnel : LOG6[0]: Peer certificate not required
I/stunnel : LOG6[0]: Received trusted client CA: C=AU, ST=Florida, L=York, O=Home, OU=Whiskey, CN=Michael, [email protected]
I/stunnel : LOG6[0]: CERT: Certificate verification disabled
I/stunnel : LOG6[0]: CERT: Certificate verification disabled
I/stunnel : LOG6[0]: OCSP: Certificate chain verification disabled
I/stunnel : LOG6[0]: TLS connected: new session negotiated
I/stunnel : LOG6[0]: TLSv1.3 ciphersuite: TLS_AES_256_GCM_SHA384 (256-bit encryption)
I/stunnel : LOG6[0]: Peer temporary key: X25519, 253 bits
I/stunnel : LOG6[0]: Session id: 90DD6325CCBC47C3F8F560C36F76755B4959E6A8421DD97B751E37FDD1DCCAC7
I/stunnel : LOG6[0]: Session id: 24345E21753FE3B254CA089FB7621C1481B523E72EB9571DDF7A366B5E89E834
stunnel.conf
foreground = yes
debug = 6

[mariadb]
CAstore = /data/misc/user/0/cacerts-added
CApath = /data/misc/user/0/cacerts-added
client = yes
accept = 127.0.0.1:3307
connect = remote_server:3307
verify = 2
Fails:
I/stunnel : LOG6[ui]: Initializing inetd mode configuration
I/stunnel : LOG5[ui]: stunnel 5.75 on android-mobile-device platform
I/stunnel : LOG5[ui]: Compiled/running with OpenSSL 3.1.1 30 May 2023
I/stunnel : LOG5[ui]: Threading:PTHREAD Sockets:SELECT,IPv4 TLS:ENGINE,OCSP,PSK,SNI
I/stunnel : LOG6[ui]: Initializing inetd mode configuration
I/stunnel : LOG5[ui]: Reading configuration from buffer 0x7280e409b0a0
I/stunnel : LOG5[ui]: UTF-8 byte order mark not detected
I/stunnel : LOG6[ui]: Compression disabled
I/stunnel : LOG6[ui]: Initializing service [mariadb]
I/stunnel : LOG6[ui]: stunnel default security level set: 2
I/stunnel : LOG6[ui]: Session resumption enabled
I/stunnel : LOG6[ui]: Configured trusted server CA: C=AU, ST=Florida, L=York, O=Home, OU=Whiskey, CN=Michael, [email protected]
W/stunnel : LOG4[ui]: Service [mariadb] uses "verifyChain" without subject checks
W/stunnel : LOG4[ui]: Use "checkHost" or "checkIP" to restrict trusted certificates
I/stunnel : LOG6[ui]: DH initialization skipped: client section
I/stunnel : LOG5[ui]: Configuration successful
I/stunnel : LOG6[ui]: Service [mariadb] (FD=114) bound to 127.0.0.1:3307
I/stunnel : LOG6[ui]: Accepting new connections
I/stunnel : LOG6[per-day]: Executing per-day jobs
I/stunnel : LOG6[per-day]: Per-day jobs completed in 0 seconds
I/stunnel : LOG5[0]: Service [mariadb] accepted connection from 127.0.0.1:39238
I/stunnel : LOG6[0]: s_connect: connecting 192.168.0.1:3307
I/stunnel : LOG5[0]: s_connect: connected 192.168.0.1:3307
I/stunnel : LOG5[0]: Service [mariadb] connected remote server from 10.0.2.16:59154
I/stunnel : LOG6[0]: SNI: sending servername: remote_server
I/stunnel : LOG6[0]: Peer certificate required
I/stunnel : LOG6[0]: Received trusted client CA: C=AU, ST=Florida, L=York, O=Home, OU=Whiskey, CN=Michael, [email protected]
W/stunnel : LOG4[0]: CERT: Pre-verification error: certificate not found in local repository: self-signed certificate
W/stunnel : LOG4[0]: Rejected by CERT at depth=0: C=PL, ST=Mazovia Province, L=Warsaw, O=Stunnel Developers, OU=Provisional CA, CN=localhost
E/stunnel : LOG3[0]: SSL_connect: tls_post_process_server_certificate@ssl/statem/statem_clnt.c:1890: error:0A000086:SSL routines::certificate verify failed
I/stunnel : LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
I/stunnel : LOG6[ui]: Child process 17669 finished with code 0