[stunnel-users] Using stunnel for TLS with Geotrust cert?

Jon Bogaty jbogaty at classpass.com
Mon Mar 28 18:41:14 CEST 2016


As a follow-up:

It's definitely much happier having the cafile but it's still giving
me handshake problems regardless of the verification level. I'm using
exactly the same certificates for both server and client and on the
server-side getting:
 SSL_accept: 14094416: error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

And on the client-side, things like:
 CERT: Certificate not found in local repository

Which is to me peculiar, because I'm using exactly the same
certificates, same DH, etc...

Thank you for all your help with this!

On Mon, Mar 28, 2016 at 11:04 AM, Jon Bogaty <jbogaty at classpass.com> wrote:
> Ideally what I'd love to do is enable developers to be able to connect
> their remote apps to the database proxy *without* the client-side
> handshake, but I was honestly not aware it was possible. So the ideal
> would be:
>
> Remote app connects directly via mysql driver to stunnel on port 3307
> encrypted with TLS
> stunnel forwards the connection to the proxy on 3306
>
> If that is possible without maintaining a connection stunnel to
> stunnel that would be beyond awesome. I'm just totally failing to see
> how to accomplish it!
>
> One thing I did find though is the root cert for geotrust so I'm
> running tests now to see if that helps or at least generates new info.
> Based on your feedback I'm testing the following:
> cert = /etc/stunnel/stunnel.pem
> cafile = /etc/stunnel/GeoTrust_Global_CA.pem
>
> verify = 3
>
> On Mon, Mar 28, 2016 at 10:58 AM, Michał Trojnara
> <Michal.Trojnara at stunnel.org> wrote:
>> On 28.03.2016 16:27, Jon Bogaty wrote:
>>> The issue is when I setup everything on the server and try to
>>> connect with a client I either get for "verify 2" warnings about
>>> MiTM authentication problems, or for "verify 3" or "verify 4",
>>> which should disable CA checking altogether to my understanding,
>>> "Please specify CApath".
>>
>> Verify levels 3 and 4 do *not* disable certificate verification.
>> Verify level 3 requires the peer certificate in your CAfile.
>> Verify level 4 *only* requires the peer certificate.
>>
>> Are you sure you want to enable peer certificate (i.e. client
>> certificate) verification in your SSL server configuration?
>>
>> Best regards,
>>         Mike
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
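
A small check for the CAfile requirement Mike describes, written here as an added example; it is not code from the thread or from the stunnel project. Verify levels 3 and 4 both need the peer's own certificate to be present in CAfile, so a CAfile holding only a root such as GeoTrust_Global_CA.pem can never satisfy them on the side doing the verifying, which is what "CERT: Certificate not found in local repository" reports; the server-side "SSL3_READ_BYTES: sslv3 alert certificate unknown" is the alert the rejecting client sends back, so the two log lines are one failure seen from both ends. Level 2 instead wants the issuing chain in CAfile and is the level that fits a certificate signed by a public CA. The script splits a PEM bundle into CERTIFICATE blocks (ignoring the key and DH blocks a stunnel.pem usually carries), fingerprints the DER of each, and reports whether the peer's leaf is in the bundle. The PEM blocks, file contents and function names are constructed for the example; the blocks are not real X.509 certificates, only their bytes matter here. On the direct-connection idea in the quoted message: MySQL clients negotiate TLS inside the MySQL protocol rather than from the first byte, so a stock mysql driver cannot speak to a TLS-on-connect stunnel listener on 3307 without a client-side stunnel in front of it.

```python
"""Does an stunnel CAfile satisfy verify = 3 / 4 for a given peer certificate?

Added example (not from the thread or the stunnel project). Levels 3 and 4
require the peer's own certificate to be present in CAfile; this script
checks that requirement by comparing SHA-256 fingerprints of the DER body
of every CERTIFICATE block. Level 2 (chain verification) needs X.509 parsing
and is deliberately not modelled.
"""
import base64
import hashlib
import re

# One PEM CERTIFICATE block; PRIVATE KEY and DH PARAMETERS blocks are skipped.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(bundle: str) -> list[bytes]:
    """Return the DER body of every CERTIFICATE block in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT.finditer(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_verify_level(level: int, peer_pem: str, cafile_pem: str) -> tuple[bool, str]:
    """Apply the CAfile requirement of stunnel verify levels 3 and 4.

    peer_pem is the peer's cert file (first CERTIFICATE block is the leaf, as in
    stunnel.pem); cafile_pem is the contents of the CAfile.  Returns (ok, reason).
    """
    if level not in (3, 4):
        raise ValueError("only verify levels 3 and 4 are modelled here")
    leaves = pem_blocks(peer_pem)
    if not leaves:
        raise ValueError("peer file contains no CERTIFICATE block")
    leaf_fp = fingerprint(leaves[0])
    known = {fingerprint(der) for der in pem_blocks(cafile_pem)}
    if leaf_fp in known:
        return True, f"peer certificate {leaf_fp} found in CAfile"
    return False, ("peer certificate not found in CAfile "
                   "(stunnel logs: 'Certificate not found in local repository')")


def make_block(body: bytes) -> str:
    """Wrap arbitrary bytes as a 64-column PEM CERTIFICATE block (constructed data)."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed stand-ins, not real X.509 DER; only their bytes matter here.
ROOT_CA = make_block(b"constructed root CA certificate bytes")
SERVER_LEAF = make_block(b"constructed server leaf certificate bytes")
# A stunnel.pem normally holds the leaf, then the private key, then DH params;
# the non-certificate blocks below are placeholders and are never decoded.
STUNNEL_PEM = (SERVER_LEAF
               + "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n"
               + "-----BEGIN DH PARAMETERS-----\n(constructed placeholder)\n-----END DH PARAMETERS-----\n")


def demo() -> dict[str, bool]:
    """Compare a root-only CAfile with one that also carries the peer's leaf."""
    root_only = ROOT_CA                    # like cafile = GeoTrust_Global_CA.pem alone
    root_and_leaf = ROOT_CA + SERVER_LEAF  # root plus the peer's own certificate
    return {
        "level3_root_only": check_verify_level(3, STUNNEL_PEM, root_only)[0],
        "level3_root_and_leaf": check_verify_level(3, STUNNEL_PEM, root_and_leaf)[0],
        "level4_root_and_leaf": check_verify_level(4, STUNNEL_PEM, root_and_leaf)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
    print(check_verify_level(3, STUNNEL_PEM, ROOT_CA)[1])
```

To use it against real files, read `/etc/stunnel/stunnel.pem` and the CAfile into strings and pass them to `check_verify_level`; a `False` for level 3 with a CAfile that holds only the GeoTrust root means either appending the peer's leaf to the CAfile or dropping to `verify = 2`, where the root alone is what is needed.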