[stunnel-users] OCSP problem - wrong cert validated

Mark Currie mark at ziliant.com
Thu Jul 11 14:05:27 CEST 2019



I am having a problem using OCSP with Stunnel.


client: stunnel-5.55, server: stunnel-5.49, both using openssl-1.0.2k-fips.


When I use the openssl ocsp command it works fine e.g.:


openssl ocsp -issuer idca-rootca.pem -CAfile idca-rootca.pem -cert server-cert.pem -url


Response verify OK

server-cert.pem: good


Wireshark: OCSP request contains the server cert serial number, and OCSP
response returns "certStatus: good(0)".


However, when I use Stunnel the OCSP lookup fails (Connection reset by
peer), and in the Stunnel log I get:


LOG3[0]: OCSP: OCSP_basic_verify: ocsp_vfy.c:166: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted


Wireshark: OCSP request now contains the issuer (idca) instead of the server
cert serial number, and the OCSP response returns "certStatus: unknown (2)".


I have tried various combinations of cert and CA pem files e.g. server cert
on its own, then including idca, then including both idca and rootca. I have
also tried all combinations of CA cert, even including all certs in it.


I am testing Stunnel using SSH over TLS and here are the configs:


Stunnel client config:

CAfile = idca-rootca.pem
cert = client-cert.pem
key = client-key.pem

verifyPeer = yes

Stunnel server config:

CAfile = idca-rootca.pem
cert = server-cert.pem
key = server-key.pem
accept =
connect = 22


Appreciate any help with this problem.
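The following script is an added example, not code from the post above or from the stunnel project. It builds a root -> intermediate -> server chain with openssl, answers OCSP requests from an offline responder, and verifies each response against the full chain the way a client that checks every certificate in the chain must. The responder setup is an assumption made for the demo: it is loaded only with the intermediate's CA database and signs with the intermediate's key. Under that setup the script shows a "good" answer for the server certificate, a "revoked" answer after the database entry is changed, and, for a query about the intermediate itself, the pair of symptoms the post reports ("unknown" status and "root ca not trusted"). All names, serials and dates are constructed.

```shell
#!/bin/sh
# Added example (not code from the stunnel post or project): build a
# root -> intermediate -> server chain with openssl, answer OCSP requests from
# an offline responder that holds only the intermediate's CA database and signs
# with the intermediate's key (an assumed setup), and verify every answer
# against the full chain. All names, serials and dates are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for the two CA certificates and for the server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > ee.ext

# issue NAME ISSUER SERIAL EXTFILE: key pair and certificate for NAME,
# self-signed when ISSUER is "self", otherwise signed with ISSUER's key.
issue() {
  name=$1 issuer=$2 serial=$3 ext=$4
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -out "$name.csr" -subj "/CN=$name" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -set_serial "$serial" \
      -days 3650 -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -set_serial "$serial" -days 365 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

issue rootca self   1    ca.ext   # self-signed root
issue idca   rootca 4096 ca.ext   # intermediate, serial 0x1000
issue server idca   4097 ee.ext   # server certificate, serial 0x1001
cat idca.pem rootca.pem > idca-rootca.pem   # full chain, used as CAfile

# set_server_status V|R: write the responder's database in openssl's index.txt
# format (tab-separated: status, expiry, revocation date, serial in hex,
# filename, subject). It holds only certificates issued by idca, not idca itself.
set_server_status() {
  if [ "$1" = R ]; then rev=240601000000Z; else rev=; fi
  printf '%s\t350101000000Z\t%s\t1001\tunknown\t/CN=server\n' "$1" "$rev" > index.txt
}

# ocsp_check CERT ISSUER: build a request for CERT, let the offline responder
# answer it from index.txt, then verify the response against the full chain
# and print the client's summary. The client's exit status on a verification
# failure differs between openssl releases, so callers read the text instead.
ocsp_check() {
  openssl ocsp -issuer "$2" -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA idca.pem -rsigner idca.pem -rkey idca.key \
    -reqin req.der -respout resp.der >/dev/null 2>&1 || true
  openssl ocsp -respin resp.der -issuer "$2" -cert "$1" -no_nonce \
    -CAfile idca-rootca.pem 2>&1 || true
}

# Server certificate, valid in the database: "Response verify OK" and
# "server.pem: good", the result the post gets from its manual openssl run.
server_status() { set_server_status V; ocsp_check server.pem idca.pem; }

# Same certificate after it is marked revoked in the database: "server.pem: revoked".
server_status_revoked() { set_server_status R; ocsp_check server.pem idca.pem; }

# The intermediate itself, which a client that checks every certificate in the
# chain also asks about. The responder does not issue idca, so it answers
# "unknown", and verification fails with "root ca not trusted": the signer is
# neither idca's issuer nor a delegated OCSP signer for it, and a plain root
# certificate carries no explicit OCSP-signing trust.
idca_status() { set_server_status V; ocsp_check idca.pem rootca.pem; }

server_status
server_status_revoked
idca_status
```

The third case is the one to compare with the stunnel log: a request whose issuer is the root, answered by a responder that only serves the intermediate's certificates and signs with the intermediate's key, is reported as "unknown" and fails OCSP_basic_verify with exactly the reason string in the post. For the check to pass, every certificate the client asks about must be served by a responder signed by that certificate's own issuer (or by a responder certificate that issuer delegated with the OCSP Signing extended key usage).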

