Thomas Eifert kxkvi at lavabit.com
Mon Jun 10 00:18:50 CEST 2013

Correction: The cert issuer is Startcom Ltd, not Startcom LLC.



Stunnel 4.56 running under Win 7 SP1 x86.

Recently, the owners of a server I regularly connect to updated their
server certificate; the former had expired at the end of May.

As soon as that event occurred, I deleted the old certificate, then used
the "save peer certificate" function of Stunnel to get the updated one.

However, the new certificate fails to verify, even with the verify = 4
option in Stunnel.  The error message is similar to what I used to get
when doing a verify = 3 with some certificates.  The general error
output of Stunnel is:

CERT: Verification error: unable to get local issuer certificate
2013.06.09 16:37:46 LOG4[608:2336]: Certificate check failed: depth=0

When I open the new certificate with:

   openssl x509 -text -in certname.pem

and view the certificate details, I'm not seeing anything obvious.
The certificate is within a valid date range, and contains the same
basic elements as other certs I've viewed.  The certificate appears
to have been issued by Startcom LLC.

If I comment out the verify statement, I'm able to successfully
negotiate an SSL connection with the server.

I realize that this may be more of an openssl issue than an issue with
Stunnel.  Nevertheless, I thought I'd start here and throw it out to
the floor for comments.

Anyone have any ideas or have run into this issue?
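
What the logged error means at the OpenSSL level, as an added example that is not part of the original post: `unable to get local issuer certificate` at depth 0 is OpenSSL's verification error 20, raised when the trust file contains no certificate for the leaf's issuer. The CA, host name and file names below are constructed for the demonstration. It assumes a POSIX shell with `openssl` (1.0.2 or later for `-partial_chain`) on the PATH, and it makes no claim about how Stunnel implements its verify levels.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name here is generated locally.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Build a throwaway CA and a server (leaf) certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$work/leaf.csr" -days 2 -set_serial 1 \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -out "$work/leaf.pem" 2>/dev/null
}

# verify_with TRUSTFILE [EXTRA_FLAG]: print OpenSSL's verdict on the leaf when
# TRUSTFILE is the only trust store handed to the verifier.
verify_with() {
    trust=$1; shift
    openssl verify -CAfile "$trust" "$@" "$work/leaf.pem" 2>&1
}

make_pki || { echo "openssl could not build the demo PKI" >&2; exit 1; }

echo "== issuer and subject of the leaf =="
openssl x509 -noout -issuer -subject -in "$work/leaf.pem"

echo "== trust file holds only the saved peer certificate =="
verify_with "$work/leaf.pem" || true   # error 20: issuer not in the trust file

echo "== trust file holds the issuing CA =="
verify_with "$work/ca.pem"             # chain completes at the CA

echo "== peer certificate only, accepted as a trust anchor =="
verify_with "$work/leaf.pem" -partial_chain
```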



