Package: stunnel4
Version: 3:5.50-3
Severity: normal

Dear Maintainer,

(note: I am reporting an issue which occurred on a different machine, system
information below is likely irrelevant)

$ cat stunnel.conf
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid

debug = warning

[client]
client = yes
accept = ::1:8080
verifyChain = yes
CAfile = /etc/ssl/certs/local.ca.crt
CRLfile = /etc/ssl/certs/local.crl.pem
cert = /etc/ssl/private/local.crt.pem
connect = <ip>:<port>
checkHost = example.com
$ cat /etc/ssl/certs/local.crl.pem
-----BEGIN X509 CRL-----
<snip>
-----END X509 CRL-----
$ cat /etc/ssl/certs/local.ca.crt
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
$ openssl crl -noout -in /etc/ssl/certs/local.crl.pem -CAfile /etc/ssl/certs/local.ca.crt
verify failure

If I extract the second CA certificate to a separate file (openssl stops
processing CAfile on the first certificate), the validation passes:

$ openssl crl -noout -in /etc/ssl/certs/local.crl.pem -CAfile ~/only_second_cacert.ca.crt
verify OK

From /var/log/daemon.log :

stunnel: LOG4[115]: CERT: Pre-verification error: CRL signature failure
stunnel: LOG4[115]: Rejected by CERT at depth=0: CN=example.com
stunnel: LOG3[115]: error queue: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
stunnel: LOG3[115]: error queue: D0C5006: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
stunnel: LOG3[115]: error queue: 4067072: error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed
stunnel: LOG3[115]: SSL_connect: 407008A: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding

Commenting out CRLfile allows the client to establish the connection.

The manpage entry for CAfile clearly mentions that it supports files containing 
multiple certificates, so I believe this is a bug.

At the moment, the certificate served by <ip>:<port> is still signed by the 
first CA, so I do not know yet if that part has the same issue.

Regards,
Vincent Pelletier

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-4-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_GB
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

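Editor's note: the check the report performs by hand (verifying the CRL against each certificate of the CAfile separately) is scripted below as an added example; it is not part of the bug report and not stunnel's or OpenSSL's code. It constructs a throwaway PKI in which the CAfile holds two CA certificates that share one subject DN (an old CA and a re-keyed replacement) and the CRL is signed by the second one only. Whether the reporter's two CAs share a subject is not stated in the report, so that setup, the file names, the directory layout and "/CN=Test Root CA" are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report, stunnel or OpenSSL): build a small
# constructed PKI shaped like the reporter's setup and test the CRL against
# every member of the CA bundle separately, as the report does by hand.
# Assumed here: both CA certificates carry the same subject DN (old CA and
# re-keyed replacement) and the CRL is issued by the second CA only. File
# names, the directory layout and "/CN=Test Root CA" are invented.
# Needs a POSIX shell, awk and the openssl command-line tool.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; exit 1; }

# Build the constructed test PKI in directory $1.
make_pki() {
    d="$1"
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=Test Root CA" \
            -keyout "$d/ca$n.key" -out "$d/ca$n.crt" 2>/dev/null
    done
    # The bundle as a CAfile would carry it: old CA first, re-keyed CA second.
    cat "$d/ca1.crt" "$d/ca2.crt" > "$d/bundle.crt"

    # Minimal `openssl ca` configuration; the issued-certificate index stays empty.
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    printf '[ ca ]\ndefault_ca = local\n\n[ local ]\ndatabase = %s/index.txt\nserial = %s/serial\ndefault_md = sha256\ndefault_crl_days = 30\n' \
        "$d" "$d" > "$d/ca.cnf"
    # The CRL is signed with the second CA's key only.
    openssl ca -config "$d/ca.cnf" -gencrl \
        -keyfile "$d/ca2.key" -cert "$d/ca2.crt" -out "$d/crl.pem" 2>/dev/null
}

# Split PEM bundle $1 into $2/member-NN.crt, one certificate per file, in bundle order.
split_bundle() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/member-%02d.crt", dir, n) }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# True when `openssl crl -CAfile $2` reports "verify OK" for CRL $1 (the verdict is printed on stderr).
crl_verifies_with() {
    openssl crl -noout -in "$1" -CAfile "$2" 2>&1 | grep -q '^verify OK$'
}

# Print the 1-based positions of the bundle ($2) members whose certificate verifies
# the CRL ($1) signature, one per line; exit status 1 when no member does.
crl_signers() {
    crl="$1" tmp="$(mktemp -d)" i=0 hit=1
    split_bundle "$2" "$tmp"
    for m in "$tmp"/member-*.crt; do
        i=$((i + 1))
        if crl_verifies_with "$crl" "$m"; then
            echo "$i"
            hit=0
        fi
    done
    rm -rf "$tmp"
    return $hit
}

# Demonstration: the two CAs cannot be told apart by subject, the bundle as a whole
# yields one verdict, and only the per-member check names the real CRL signer.
WORK="$(mktemp -d)"
make_pki "$WORK"
for c in ca1 ca2; do
    printf '%s: ' "$c"; openssl x509 -noout -subject -in "$WORK/$c.crt"
done
printf 'crl against whole bundle:     '
crl_verifies_with "$WORK/crl.pem" "$WORK/bundle.crt" && echo 'verify OK' || echo 'verify failure'
printf 'bundle members verifying crl: '
crl_signers "$WORK/crl.pem" "$WORK/bundle.crt" | tr '\n' ' '; echo
```

Run it with `sh` in an empty directory; it leaves its generated files under the temporary directory it prints nothing about, so remove that afterwards. The per-member loop is the useful part: `openssl crl -CAfile` gives a single verdict for a bundle because it selects one issuer certificate by the CRL's issuer name, so a bundle whose members share a subject DN cannot be diagnosed from that verdict alone, while `crl_signers` names the bundle position whose key really verifies the CRL signature.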