[stunnel-users] Verify = 4 Fails Yet Again

Thomas Eifert kxkvi at wi.rr.com
Fri Oct 25 00:33:19 CEST 2013


Mike,

I tried your config.  I had to comment out the foreground and pid statements,
as they produced error messages (I'm running under Win 7).  I also had to
change the server address to a valid one, but in any case it's producing the
same error.  Here's the log:

2013.10.24 17:23:28 LOG7[2824:2876]: Service [test_cli] accepted (FD=436) from 127.0.0.1:49487
2013.10.24 17:23:28 LOG7[2824:2876]: Creating a new thread
2013.10.24 17:23:28 LOG7[2824:2876]: New thread created
2013.10.24 17:23:28 LOG7[2824:3420]: Service [test_cli] started
2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] accepted connection from 127.0.0.1:49487
2013.10.24 17:23:28 LOG6[2824:3420]: connect_blocking: connecting 69.16.186.7:443
2013.10.24 17:23:28 LOG7[2824:3420]: connect_blocking: s_poll_wait 69.16.186.7:443: waiting 10 seconds
2013.10.24 17:23:28 LOG5[2824:3420]: connect_blocking: connected 69.16.186.7:443
2013.10.24 17:23:28 LOG5[2824:3420]: Service [test_cli] connected remote server from 192.168.5.9:49488
2013.10.24 17:23:28 LOG7[2824:3420]: Remote socket (FD=608) initialized
2013.10.24 17:23:28 LOG7[2824:3420]: SNI: sending servername: news80.forteinc.com
2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): before/connect initialization
2013.10.24 17:23:28 LOG7[2824:3420]: SSL state (connect): SSLv3 write client hello A
2013.10.24 17:23:29 LOG7[2824:3420]: SSL state (connect): SSLv3 read server hello A
2013.10.24 17:23:29 LOG7[2824:3420]: Starting certificate verification: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com
2013.10.24 17:23:29 LOG4[2824:3420]: CERT: Verification error: unable to get local issuer certificate
2013.10.24 17:23:29 LOG4[2824:3420]: Certificate check failed: depth=0, /C=US/ST=California/L=Escondido/O=Forte Internet Software, Inc./OU=IT/CN=*.forteinc.com
2013.10.24 17:23:29 LOG7[2824:3420]: SSL alert (write): fatal: unknown CA
2013.10.24 17:23:29 LOG3[2824:3420]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2013.10.24 17:23:29 LOG5[2824:3420]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
2013.10.24 17:23:29 LOG7[2824:3420]: Remote socket (FD=608) closed
2013.10.24 17:23:29 LOG7[2824:3420]: Local socket (FD=436) closed
2013.10.24 17:23:29 LOG7[2824:3420]: Service [test_cli] finished (1 left)


Here's my own test configuration:

debug = 7
fips = no
delay = yes
output = stunnel.log

[nntps.6]
client = yes
cafile = peer-nntps.6.pem
verify = 4
accept = 127.0.0.1:119
connect = news80.forteinc.com:443

Regards,

Thomas


On 10/24/2013 4:19 PM, Michal Trojnara wrote:
> On 2013-10-24 23:07, Thomas Eifert wrote:
>> I'm not having your luck.  Out of ten services, I have eight verify =
>> 4's that work as they should, and
>> two that need the CA certificate to be added.
> I don't think it's about luck.  I'm pretty sure there is something wrong
> with your configuration.  The one I sent you works fine.  I won't be
> able to diagnose yours, because you didn't send it.  Please try to
> reproduce my setup first.  If it doesn't help solve the problem
> immediately, send me your setup so I can reproduce your error.
>
> BTW: I highly recommend reading:
> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>
> Mike
