[stunnel-users] Cert errors ....... need help!

Richard Houston rhouston at rlhc.net
Thu Mar 17 20:26:57 CET 2005


Hi there,

Tried dropping the client and server to verify=2 and still get the same
issue. Still getting this error: error=unable to get local issuer
certificate:

Regards,
+------------------------------------------+
| Richard Houston                  .^.     |
| R.L.H.  Consulting               /V\     |
| E-Mail  <rhouston at rlhc.net>    /(   )\   |
| WWW     <www.rlhc.net>          ^^-^^    |
+------------------------------------------+

ikeda at areabe said:
> Hi Richard
>
> Verify=3 means the stunnel server checks the subject part of the client certificate,
> so you need to put each client certificate file on your stunnel server
> in a certain way.
>
> Try to use verify=2, which only checks the CA cert portion.
>
> regards
> taka
> On Thu, 17 Mar 2005 13:13:05 -0600 (CST), Richard Houston
> <rhouston at rlhc.net> wrote:
>
>> Update:
>>
>> I have turned on debugging on the client side and have found the
>> following errors:
>>
>> 2005.03.17 13:02:49 LOG7[768:1148]: SSL state (connect): SSLv3 read
>> server
>> hello A
>> 2005.03.17 13:02:49 LOG4[768:1148]: VERIFY ERROR: depth=0, error=unable
>> to
>> get local issuer certificate: /C=CA/ST=XXX/O=XXX/OU=STUNNEL SERVER
>> CERT/CN=XXXX/emailAddress=sysadminXXXX
>> 2005.03.17 13:02:49 LOG7[768:1148]: SSL alert (write): fatal: bad
>> certificate
>> 2005.03.17 13:02:49 LOG3[768:1148]: SSL_connect: 14090086:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify
>> failed
>> 2005.03.17 13:02:49 LOG7[768:1148]: schools finished (0 left)
>>
>> Any ideas?
>>
>>
>> Richard Houston said:
>>> Hi all,
>>>
>>> I have taken over a stunnel install and all the client certs have
>>> expired.
>>>
>>> I have been trying for the past 2 days to get the new setup to work,
>>> but no such luck.
>>>
>>> Here is the error I get on the server side, Linux Fedora Core 3, Stunnel
>>> 4.05:
>>>
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: school4 started
>>> 2005.03.17 11:36:15 LOG5[12746:3086949296]: school4 connected from
>>> XXX.XXX.XXX.XX:1414
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept):
>>> before/accept initialization
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7,
>>> DIR=read
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: ok
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
>>> read
>>> client hello A
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
>>> write server hello A
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
>>> write certificate A
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
>>> write certificate request A
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: SSL state (accept): SSLv3
>>> flush data
>>> 2005.03.17 11:36:15 LOG7[12746:3086949296]: waitforsocket: FD=7,
>>> DIR=read
>>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: waitforsocket: ok
>>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: SSL alert (read): fatal:
>>> certificate unknown
>>> 2005.03.17 11:36:18 LOG3[12746:3086949296]: SSL_accept: 14094416:
>>> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown
>>> 2005.03.17 11:36:18 LOG7[12746:3086949296]: school4 finished (0 left)
>>>
>>> And here is the output on the client side:
>>>
>>> 005.03.17 11:21:02 LOG5[952:1264]: stunnel 4.04 on x86-pc-mingw32-gnu
>>> WIN32 with OpenSSL 0.9.7 31 Dec2002
>>> 2005.03.17 11:21:03 LOG5[952:896]: Peer certificate location (null)
>>> 2005.03.17 11:21:03 LOG5[952:896]: WIN32 platform: 30000 clients
>>> allowed
>>> 2005.03.17 11:21:03 LOG5[952:1152]: schools connected from
>>> 127.0.0.1:1413
>>> 2005.03.17 11:21:07 LOG5[952:1152]: VERIFY OK: depth=1,
>>> /C=CA/ST=XXX/L=XXX/O=XXX/OU=XXX
>>> CACERT/CN=sd.traf.mb.ca/emailAddress=sysadmin at XXXX
>>> 2005.03.17 11:21:07 LOG4[952:1152]: VERIFY ERROR ONLY MY: no cert for
>>> /C=CA/ST=XXX/O=XXXX/OU=STUNNEL SERVER
>>> CERT/CN=XXXXX/emailAddress=sysadmin at XXXX
>>> 2005.03.17 11:21:07 LOG3[952:1152]: SSL_connect: 14090086:
>>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>>> verify
>>> failed
>>>
>>> I have created the certs on both server and client according to the
>>> documents at
>>> http://www.stunnel.org/faq/openssl_stunnel_ServerClientAuth.txt.
>>>
>>> I have the cacert.pem file on the client side, and I have c_hashed the cert
>>> file on the server side. Do I need to put the c_hash of the server side
>>> cert on the client as well?
>>>
>>> Is there something I have missed? Any ideas as to what I can check to
>>> see where the issue is?
>>>
>>> I am desperate, any help would be greatly appreciated.
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at mirt.net
>>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>>
>

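Added example, not from the thread or from stunnel itself: a shell check that reproduces the client-side "unable to get local issuer certificate" failure with a constructed CA and server certificate, then shows the two ways the verifying side can locate the issuer (CAfile pointing at the CA cert, or a CApath directory holding the CA cert under its hashed file name, which is what c_rehash produces). It assumes the openssl command-line tool is installed; all subjects and file names are constructed.

```shell
#!/bin/sh
# Build a throwaway CA and a server cert signed by it, then run the same
# chain check stunnel's client performs with different trust settings.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
    # Constructed CA, modelled on the "CACERT" subject seen in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$WORK/ca.key" \
        -out "$WORK/cacert.pem" -subj "/C=CA/O=Example/OU=Example CACERT/CN=example-ca" \
        >/dev/null 2>&1
    # Constructed server certificate issued by that CA.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=CA/O=Example/OU=STUNNEL SERVER CERT/CN=stunnel.example" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify the server cert with the given trust options; print "ok" or "fail".
check() {
    if openssl verify "$@" "$WORK/server.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The reason string the client logs when no configured store holds the issuer.
issuer_error() {
    openssl verify "$WORK/server.pem" 2>&1 | grep -o 'unable to get local issuer certificate' | head -n1
}

# Fix 1: CAfile names the issuing CA certificate directly.
verify_cafile() { check -CAfile "$WORK/cacert.pem"; }

# Fix 2: CApath directory. OpenSSL looks the issuer up by hashed file name,
# so the CA cert must be stored (or symlinked) as <subject_hash>.0; a copy
# under its plain name in the same directory is never found.
verify_capath_hashed() {
    mkdir -p "$WORK/certs"
    hash=$(openssl x509 -noout -subject_hash -in "$WORK/cacert.pem")
    cp "$WORK/cacert.pem" "$WORK/certs/$hash.0"
    check -CApath "$WORK/certs"
}
verify_capath_unhashed() {
    mkdir -p "$WORK/plain" && cp "$WORK/cacert.pem" "$WORK/plain/cacert.pem"
    check -CApath "$WORK/plain"
}

make_chain
echo "no CA configured:       $(check)  ($(issuer_error))"
echo "CAfile=cacert.pem:      $(verify_cafile)"
echo "CApath with <hash>.0:   $(verify_capath_hashed)"
echo "CApath with plain name: $(verify_capath_unhashed)"
```

OpenSSL 0.9.x, the version in the client log, hashed directory entries with an older algorithm than today's -subject_hash; rerun c_rehash from the same OpenSSL build that stunnel links against rather than copying hashed links between machines.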