[stunnel-users] is verify level 4 working?

Michal Trojnara Michal.Trojnara at mirt.net
Wed Jul 10 20:38:48 CEST 2013


Hi Guys,

I tested the "verify = 4" once again on a different server.  It works
like a charm.

Please make sure that the certificate provided with CAfile really
contains the peer certificate.

The basic test would be:
$ openssl x509 -in peer.pem -noout -text | grep -E 'Subject:|DNS:'
The result should contain the FQDN of your peer.

Otherwise please post your peer.pem to the list.  Certificates are
public anyway (unlike private keys), so there is nothing to be afraid of.

Mike

On 2013-07-08 22:38, Michal Trojnara wrote:
> Hi Guys,
>
> Thank you for your feedback.  I will re-test this feature.
>
> Best regards,
>     Michal Trojnara
>
> On 2013-07-08 18:32, Thomas Eifert wrote:
>> You're not missing anything.  I've experienced a similar issue.  While
>> verify = 4 generally works well in most cases and will ignore the CA
>> chain, I've encountered a few isolated incidences in which I've had to
>> append or "chain" the server certificate with the certificate of the
>> CA. Give it a shot and see if it resolves your issue.
>>
>> Thomas
>>
>> On 7/8/2013 3:02 AM, dansmith wrote:
>>> I would expect that level 4 only compares locally installed
>>> certificates, however I get the same behaviour as with level 3, stunnel
>>> expects a CA cert.
>>> Here's the relevant log when on level 4
>>>
>>> Jul  6 23:46:31 mmm stunnel: LOG7[7870:140491349628672]: Starting
>>> certificate verification: depth=0,
>>> /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
>>> Jul  6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: CERT:
>>> Verification error: unable to get local issuer certificate
>>> Jul  6 23:46:31 mmm stunnel: LOG4[7870:140491349628672]: Certificate
>>> check failed: depth=0, /C=qq/ST=qq/O=qqq/OU=rer/CN=redf/emailAddress=rfd
>>> Jul  6 23:46:31 mmm stunnel: LOG7[7872:140080853112576]: SSL alert
>>> (read): fatal: unknown CA
>>>
>>> What am I missing in understanding verify's level 4 ?
>>>
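A worked version of the check Mike describes ("make sure that the certificate provided with CAfile really contains the peer certificate"), added here as an illustration and not part of the original thread. It splits a CAfile bundle into its individual certificates, computes each one's SHA-256 fingerprint (the same value `openssl x509 -noout -fingerprint -sha256` prints) and reports whether the peer certificate is among them. With `verify = 4` stunnel compares the peer certificate itself against the ones in CAfile, so a bundle that holds only the issuing CA produces exactly the "unable to get local issuer certificate" failure shown in the log. The PEM blobs below are constructed placeholders, not real X.509 certificates; the file names `peer.pem` and `ca-bundle.pem` are assumptions.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; the group captures the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_certs_to_der(pem_text):
    """Return the DER bytes of every certificate found in a PEM bundle."""
    return [
        base64.b64decode("".join(body.split()))  # drop line breaks first
        for body in PEM_RE.findall(pem_text)
    ]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def cafile_contains_peer(cafile_text, peer_text):
    """Check whether the (single) peer certificate is present in the bundle.

    Returns (found, peer_fingerprint, bundle_fingerprints).
    """
    peers = pem_certs_to_der(peer_text)
    if len(peers) != 1:
        raise ValueError("peer file must contain exactly one certificate")
    peer_fp = fingerprint(peers[0])
    bundle_fps = [fingerprint(der) for der in pem_certs_to_der(cafile_text)]
    return peer_fp in bundle_fps, peer_fp, bundle_fps


def to_pem(der):
    """Wrap raw bytes as a PEM certificate block (64-char lines)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + \
        "\n-----END CERTIFICATE-----\n"


# Constructed sample data: arbitrary bytes standing in for DER certificates.
# They are NOT valid X.509; the fingerprint comparison does not need to parse
# them, and the same functions work on real peer.pem / ca-bundle.pem contents.
PEER_PEM = to_pem(b"constructed placeholder for the peer's DER certificate")
CA_PEM = to_pem(b"constructed placeholder for the issuing CA's DER certificate")
CAFILE_CA_ONLY = CA_PEM                 # what the original poster likely had
CAFILE_WITH_PEER = CA_PEM + PEER_PEM    # what verify = 4 needs


def report(cafile_text, peer_text, label):
    found, peer_fp, bundle_fps = cafile_contains_peer(cafile_text, peer_text)
    print(f"{label}: peer {peer_fp[:23]}... "
          f"{'found' if found else 'NOT found'} among {len(bundle_fps)} cert(s)")
    return found


if __name__ == "__main__":
    # In practice: report(open("ca-bundle.pem").read(), open("peer.pem").read(), ...)
    report(CAFILE_CA_ONLY, PEER_PEM, "CAfile with CA only")
    report(CAFILE_WITH_PEER, PEER_PEM, "CAfile with CA + peer")
```

If the peer is not found, appending the peer certificate to CAfile (or, as Thomas suggests, chaining the server certificate with its CA) is the fix; the check above tells you which of the two situations you are in before changing the configuration.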
