[stunnel-users] Difference between verify=2, 3 and 4

Thomas Eifert kxkvi at wi.rr.com
Fri Sep 20 18:38:43 CEST 2013


Okay, here's the simple way to test it.  This is repeatable in Stunnel 
4.56 and 5.00:

Start with a simple stunnel.conf:

debug = 6
fips = no
delay = yes
output = stunnel.log

client = yes
accept =
connect = news.eternal-september.org:563

Point your favorite newsreader to, then connect to the 

Having done that, open the stunnel log window.  From the menu bar, 
choose "save peer certificate".

Save the certificate, which will now be "peer-nntps.3.pem" in the 
stunnel directory.

Add certificate verification to stunnel conf:

client = yes
cafile = peer-nntps.3.pem
verify = 4
accept =
connect = news.eternal-september.org:563

Reload the configuration file.

Attempt to reconnect to the server.  The certificate verify will fail:

2013.09.20 11:12:35 LOG4[3964]: CERT: Verification error: unable to get 
local issuer certificate
2013.09.20 11:12:35 LOG4[3964]: Certificate check failed: depth=0, 
/description=z8x2a0S5FjpJGCa7/C=DE/CN=news.eternal-september.org/emailAddress=wolfgang at weyand-hg.de
2013.09.20 11:12:35 LOG3[3964]: SSL_connect: 14090086: 
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate 
verify failed

If you paste the certificate for the root CA into the peer-nntps.3.pem 
file, then it will verify okay.

I have a feeling you'll find something wrong with the certificate that's 
causing this to happen.  The guy that runs the server likes to "roll his 
own".

Best regards,


On 9/20/2013 5:16 AM, Michal Trojnara wrote:
> On 09/20/2013 10:10 AM, Thomas Eifert wrote:
>> Testing is the best way, for sure.  In theory, L4 checks for the peer 
>> certificate only.  Yet, I'm currently
>> using at least one peer certificate that requires the top CA to be 
>> present in the .pem file.  If I remove it,
>> L4 fails.  Go figure.
> I wasn't able to reproduce this issue.  Could you send some more details?
> A step-by-step procedure would be great.
> Mike
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
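An added example, not part of this thread or of stunnel itself, that recreates the two outcomes from the procedure above with openssl(1) instead of a live server: chain verification against a CA file holding only the peer certificate fails with the same "unable to get local issuer certificate" error, verification against a file holding the peer certificate plus its root succeeds, and a fingerprint comparison shows what checking the peer certificate alone looks like without any CA at all. It assumes openssl is on PATH; the root CA, keys and host name are all constructed locally.

```shell
#!/bin/sh
# Added example (not part of the thread): recreate the failing and succeeding
# verifications from the log with openssl(1) on a throwaway CA and leaf cert.
# Assumes openssl is installed; every key, certificate and name is constructed here.
set -u
WORK=$(mktemp -d)

# Throwaway root CA plus a leaf certificate it signs (constructed test data).
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=news.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
    # Leaf followed by root: what peer-nntps.3.pem looks like after pasting the CA in.
    cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# Chain verification of the leaf against a CA file ($1); returns 0 only if the
# issuer can be found there. A file holding just the leaf cannot supply its
# issuer, which is the "unable to get local issuer certificate" failure.
verify_chain() {
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Peer-certificate pinning: the presented cert ($2) must match the pinned
# cert ($1) by SHA-256 fingerprint; no issuer is consulted at all.
verify_pinned() {
    pinned=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null)
    shown=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null)
    [ -n "$pinned" ] && [ "$pinned" = "$shown" ]
}

make_certs
verify_chain "$WORK/leaf.pem"  && echo "leaf-only CA file: verified" \
                               || echo "leaf-only CA file: FAILED (no local issuer)"
verify_chain "$WORK/chain.pem" && echo "leaf+root CA file: verified"
verify_pinned "$WORK/leaf.pem" "$WORK/leaf.pem" && echo "pinned leaf: match"
verify_pinned "$WORK/ca.pem" "$WORK/leaf.pem"   || echo "pinned root vs leaf: mismatch"
```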
