[stunnel-users] Difference between verify=2, 3 and 4

Thomas Eifert kxkvi at wi.rr.com
Fri Sep 20 18:38:43 CEST 2013


Mike,

Okay, here's the simple way to test it.  This is repeatable in Stunnel 
4.56 and 5.00:

Start with a simple stunnel.conf:

debug = 6
fips = no
delay = yes
output = stunnel.log

[nntps.3]
client = yes
accept = 127.0.0.1:119
connect = news.eternal-september.org:563

Point your favorite newsreader to 127.0.0.1/119, then connect to the 
server.

Having done that, open the stunnel log window.  From the menu bar, 
choose "save peer certificate".

Save the certificate, which will now be "peer-nntps.3.pem" in the 
stunnel directory.

Add certificate verification to stunnel conf:

[nntps.3]
client = yes
cafile = peer-nntps.3.pem
verify = 4
accept = 127.0.0.1:119
connect = news.eternal-september.org:563

Reload the configuration file.

Attempt to reconnect to the server.  The certificate verify will fail:

2013.09.20 11:12:35 LOG4[3964]: CERT: Verification error: unable to get 
local issuer certificate
2013.09.20 11:12:35 LOG4[3964]: Certificate check failed: depth=0, 
/description=z8x2a0S5FjpJGCa7/C=DE/CN=news.eternal-september.org/emailAddress=wolfgang at weyand-hg.de
2013.09.20 11:12:35 LOG3[3964]: SSL_connect: 14090086: 
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed

If you paste the certificate for the root CA into the peer-nntps.3.pem 
file, then it will verify okay.

I have a feeling you'll find something wrong with the certificate that's 
causing this to happen.  The guy that runs the server
likes to "roll his own".

Best regards,

Thomas


On 9/20/2013 5:16 AM, Michal Trojnara wrote:
> On 09/20/2013 10:10 AM, Thomas Eifert wrote:
>> Testing is the best way, for sure.  In theory, L4 checks for the peer 
>> certificate only.  Yet, I'm currently
>> using at least one peer certificate that requires the top CA to be 
>> present in the .pem file.  If I remove it,
>> L4 fails.  Go figure.
>
> I wasn't able to reproduce this issue.  Could you send some more details.
> A step-by-step procedure to would be great.
>
> Mike
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>

-- 
Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.



More information about the stunnel-users mailing list