[stunnel-users] verify=4

oweijr oweirj stupidbea at yahoo.com
Tue Aug 12 23:26:47 CEST 2014


In the stunnel documentation, I see the following:
level 4
Ignore CA chain and only verify peer certificate.
My interpretation of level 4 was that only the server certificate had to be installed on the client in order for the cert verification to pass. No issuer/CA certificates were needed. However, when I do this, the connection fails. I see the following in the logs with verify=4:

2014.08.12 21:17:57 LOG7[26768]: Starting certificate verification: depth=0, subject=/C=US/CN=a.b.com
2014.08.12 21:17:57 LOG4[26768]: CERT: Verification error: unable to get local issuer certificate
2014.08.12 21:17:57 LOG4[26768]: Certificate check failed: depth=0, subject=/C=US/CN=a.b.com
2014.08.12 21:17:57 LOG7[26768]: SSL alert (write): fatal: unknown CA
2014.08.12 21:17:57 LOG3[26768]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

My config file contains the following:
verify = 4
CAfile = /opt/stunnel/certs/clients.pem
chroot = /opt/stunnel
setuid = stunnel
setgid = stunnel
pid = /run/stunnel.pid
debug = 7
output =  stunnel.log
options = NO_SSLv2
cert = /opt/stunnel/certs/server.pem
key  = /opt/stunnel/certs/server.pem

If I append the issuer certificate to the CAfile, after the peer certificate, then the connection is successful with verify=4.

Is this expected behavior? Is there a verify level that works as I described above: only the peer certificate needs to be present, no CA/issuer certificates at all?

Thank you for your help.