[stunnel-users] OCSP problem - wrong cert validated
Mark Currie
mark at ziliant.com
Thu Jul 11 14:05:27 CEST 2019
Hi,
I am having a problem using OCSP with Stunnel.
client: stunnel-5.55, server: stunnel-5.49, both using openssl-1.0.2k-fips.
When I use the openssl ocsp command it works fine e.g.:
openssl ocsp -issuer idca-rootca.pem -CAfile idca-rootca.pem -cert server-cert.pem -url http://10.0.0.166:40040
Response verify OK
server-cert.pem: good
Wireshark: OCSP request contains the server cert serial number, and OCSP
response returns "certStatus: good(0)".
However, when I use Stunnel the OCSP lookup fails (Connection reset by
peer), and in the Stunnel log I get:
LOG3[0]: OCSP: OCSP_basic_verify: ocsp_vfy.c:166: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted
Wireshark: OCSP request now contains the issuer (idca) instead of the server
cert serial number, and the OCSP response returns "certStatus: unknown (2)".
I have tried various combinations of cert and CA pem files e.g. server cert
on its own, then including idca, then including both idca and rootca. I have
also tried all combinations of CA cert, even including all certs in it.
I am testing Stunnel using SSH over TLS and here are the configs:
Stunnel client config:
[ssh]
CAfile = idca-rootca.pem
cert = client-cert.pem
key = client-key.pem
accept=40010
connect=10.0.0.166:40010
verifyPeer = yes
OCSP = http://10.0.0.166:40040
Stunnel server config:
[sshd]
CAfile = idca-rootca.pem
cert = server-cert.pem
key = server-key.pem
accept = 10.0.0.166:40010
connect = 22
Appreciate any help with this problem.
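The two lookups described above, rebuilt offline as an added example (not code from the post or from stunnel): a constructed rootca -> idca -> server hierarchy, an OCSP responder certificate delegated by idca, and a responder database that lists only the certificate idca issued. File names mirror the post, but every key and certificate is generated by the script, and the responder is driven from files instead of a URL.

```shell
#!/bin/sh
# Added example: reproduce a depth-0 (server cert) and a depth-1 (intermediate cert)
# OCSP lookup against the same idca-backed responder, using only openssl and files.
set -e
W=$(mktemp -d); cd "$W"

# issue <name> <serial> <issuer|self> <extension line>: key and CSR for /CN=<name>,
# then a certificate signed by <issuer> (or self-signed) carrying <extension line>.
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  printf '%s\n' "$4" > "$1.ext"
  if [ "$3" = self ]; then SIGN="-signkey $1.key"; else SIGN="-CA $3.pem -CAkey $3.key"; fi
  openssl x509 -req -in "$1.csr" $SIGN -set_serial "$2" -days 2 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
issue rootca       1 self   'basicConstraints=critical,CA:TRUE'
issue idca      1000 rootca 'basicConstraints=critical,CA:TRUE'
issue server    2000 idca   'basicConstraints=CA:FALSE'
issue responder 3000 idca   'extendedKeyUsage=OCSPSigning'   # OCSP signer delegated by idca
cat idca.pem rootca.pem > idca-rootca.pem                     # CAfile laid out like the post's

# Responder database in openssl index.txt format: only what idca issued, i.e. the server cert.
SERIAL=$(openssl x509 -in server.pem -noout -serial | sed 's/^serial=//')
printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=server\n' "$SERIAL" > index.txt

# lookup <cert> <issuer>: build the request a client sends for <cert>, answer it from the
# idca-backed responder, then verify the answer against the CAfile as a client would.
# Output is the client's verdict (verify result plus "<cert>.pem: <status>").
lookup() {
  openssl ocsp -no_nonce -issuer "$2.pem" -cert "$1.pem" -reqout "$1.req" 2>/dev/null
  openssl ocsp -index index.txt -CA idca.pem -rsigner responder.pem -rkey responder.key \
    -reqin "$1.req" -respout "$1.resp" >/dev/null 2>&1
  openssl ocsp -no_nonce -respin "$1.resp" -issuer "$2.pem" -cert "$1.pem" \
    -CAfile idca-rootca.pem 2>&1 || true   # exit status is non-zero on verify failure
}

# Depth 0: the server certificate, issued by idca, which the responder knows about.
lookup server idca
# Depth 1: the intermediate itself, issued by rootca, which the idca-backed responder
# does not know about and whose signer is not delegated by rootca.
lookup idca rootca
```

The depth-0 lookup prints "Response verify OK" and "server.pem: good"; the depth-1 lookup prints "idca.pem: unknown" and fails with "root ca not trusted", because OCSP_basic_verify accepts a delegated responder only when it was issued by the CA named as issuer in the request (here rootca, not idca) and otherwise requires the chain's root to be explicitly trusted for OCSP signing.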