[stunnel-users] Confusion regarding part of stunnel.conf

Ludolf Holzheid lholzheid at bihl-wiedemann.de
Thu Feb 10 20:56:58 CET 2011


On Thu, 2011-02-10 12:43:15 -0600, Dave wrote:
> 
> [..]
> 
> So, what exactly will be looked for in the CAfile when verify is set
> to 2?

Dave,

I use verify level three, so I haven't tested it yet.  I expect the CAfile
to be a file with one or more certificates in PEM format concatenated
together. 'openssl verify -CAfile <ca file> <peer certificate>' should
give 'OK'.

If a connection with the peer is made, the two instances of stunnel
(one at either end of the tunnel) present their certificates to each
other. With verify level two, each instance checks the certificate
received from the peer against the CA certificate in CAfile (or
CApath, respectively) just as "openssl verify" does.

> [..]
> and while most of these changes would actually allow
> stunnel to start, connecting with a client would fail and I'd get
> this in the logs:
> 
> SSL alert (read): warning: no certificate
> SSL alert (write): fatal: handshake failure
> SSL_accept: 140890C7: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

I'm not sure about the first two lines, but the third one says the
peer did not present a valid certificate, i.e. it possibly presented a
certificate which could not be successfully verified.

HTH,

Ludolf

-- 

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: lholzheid at bihl-wiedemann.de
D-68199 Mannheim, Germany
---------------------------------------------------------------
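The check Ludolf describes, worked through end to end as an added example (this script is not part of the thread or of the stunnel project). It builds a throwaway PKI with the openssl CLI, concatenates two CA certificates into one CAfile, and runs the same 'openssl verify -CAfile' test that verify = 2 applies to the peer's certificate. It assumes the openssl command-line tool is installed; the CA names, the service name, the ports and all paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the stunnel project): build a
# throwaway PKI and run the check stunnel's "verify = 2" performs on a
# peer certificate, i.e. 'openssl verify -CAfile <ca file> <peer cert>'.
# Requires the openssl CLI. All names and paths below are invented.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Two independent CAs; only "trusted-ca" will issue the peer certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=trusted-ca \
    -keyout trusted-ca.key -out trusted-ca.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=other-ca \
    -keyout other-ca.key -out other-ca.crt 2>/dev/null

# Leaf certificate issued by trusted-ca: what the other stunnel presents.
openssl req -newkey rsa:2048 -nodes -subj /CN=peer \
    -keyout peer.key -out peer.csr 2>/dev/null
openssl x509 -req -in peer.csr -CA trusted-ca.crt -CAkey trusted-ca.key \
    -CAcreateserial -days 2 -out peer.crt 2>/dev/null

# A self-signed certificate that chains to no CA at all.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=rogue \
    -keyout rogue.key -out rogue.crt 2>/dev/null

# CAfile is simply one or more PEM certificates concatenated together.
cat trusted-ca.crt other-ca.crt > ca-bundle.pem

# check_peer CAFILE CERT -> prints OK or FAIL. This is the test stunnel
# runs with verify = 2: the peer cert must chain to a CA in CAfile.
check_peer() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Hypothetical stunnel.conf for the verifying side. The local cert/key
# reuse the only leaf certificate generated above; service name and
# ports are invented.
cat > stunnel.conf <<EOF
cert = $WORK/peer.crt
key = $WORK/peer.key
; level 2: require a peer certificate and verify it against CAfile
verify = 2
CAfile = $WORK/ca-bundle.pem

[example-service]
accept = 8443
connect = 127.0.0.1:8080
EOF

# Show the outcomes: only certs issued by a CA present in CAfile pass.
for pair in "ca-bundle.pem peer.crt" "trusted-ca.crt peer.crt" \
            "other-ca.crt peer.crt" "ca-bundle.pem rogue.crt"; do
    set -- $pair
    printf '%-16s vs %-10s -> %s\n' "$1" "$2" "$(check_peer "$1" "$2")"
done
```

The last two lines of output are the case behind the "peer did not return a certificate" symptom: a certificate that is present but does not chain to anything in CAfile is rejected exactly as if none had been sent.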