Hi all,

I am trying to get client authentication working in my embedded
application. The SSL implementation in my device is an OpenSSL port.

The server application does not implement SSL, so I am using stunnel.
When I set the verify level to 2 (at which the server should ask for the client
cert), I am getting the following error:

--
2008.11.26 16:48:23 LOG7[5392:6100]: SSL state (accept): before/accept initialization
2008.11.26 16:48:23 LOG7[5392:6100]: SSL state (accept): SSLv3 read client hello A
2008.11.26 16:48:23 LOG7[5392:6100]: SSL state (accept): SSLv3 write server hello A
2008.11.26 16:48:23 LOG7[5392:6100]: SSL state (accept): SSLv3 write certificate A
2008.11.26 16:48:23 LOG7[5392:6100]: SSL state (accept): SSLv3 write certificate request A
2008.11.26 16:48:23 LOG7[5392:6100]: SSL state (accept): SSLv3 flush data
2008.11.26 16:48:25 LOG7[5392:6100]: SSL alert (read): fatal: certificate expired
2008.11.26 16:48:25 LOG3[5392:6100]: SSL_accept: 14094415: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
2008.11.26 16:48:25 LOG5[5392:6100]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
--

In my client device I get the error: Certificate has expired. Certificate is
not valid Yet 'Nov 22 19:00:09 2018 GMT'.

I am not sure if the problem is my software or the stunnel. My first guess
is my certificates, I am not sure if I'm creating them correctly. The
following blocks show how I am creating them.

Generating the CA
--
SET CAreq=ca.crq
SET CAcert=cacert.pem
SET CAkey=cakey.pem

openssl genrsa -out %CAkey% 1024
openssl req -config testecnf.cnf -new -key %CAkey% -out %CAreq%
openssl ca -extensions v3_ca -config testecnf.cnf -days 3650 -keyfile %CAkey% -out %CAcert% -selfsign -infiles %CAreq%
--

Generating Server Cert
--
SET SKSreq=SKS.crq
SET SKScert=SKScert.pem
SET SKSkey=SKSkey.pem

openssl genrsa -out %SKSkey% 1024
openssl req -config testecnf.cnf -new -key %SKSkey% -out %SKSreq%
openssl ca -policy policy_anything -config testecnf.cnf -cert %CAcert% -days 365 -keyfile %CAkey% -out %SKScert% -infiles %SKSreq%
--

Generating Client Cert
--
SET SKGreq=SKG.crq
SET SKGcert=SKGcert.pem
SET SKGkey=SKGkey.pem

openssl genrsa -out %SKGkey% 1024
openssl req -config testecnf.cnf -new -key %SKGkey% -out %SKGreq%
openssl ca -policy policy_anything -config testecnf.cnf -cert %CAcert% -days 365 -keyfile %CAkey% -out %SKGcert% -infiles %SKGreq%
--

Is there something wrong?

Thanks in advance,
Mauricio
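
Both alerts in the message above are about certificate dates, so one check is to compare each certificate's notBefore/notAfter window with the clock of the side that verifies it. The script below is an added example, not part of the original post; it assumes a POSIX shell with `openssl` on the path, and the function names and sample dates are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a certificate's validity window against a given
# clock value (for instance the time an embedded verifier believes it is).

# Convert an OpenSSL date ("Nov 22 19:00:09 2018 GMT") to YYYYMMDDhhmmss.
ossl_date_key() {
    printf '%s\n' "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        split($3, t, ":")
        printf "%04d%02d%02d%02d%02d%02d\n", $4, m, $2, t[1], t[2], t[3]
    }'
}

# window_status NOT_BEFORE NOT_AFTER CLOCK -> valid | not-yet-valid | expired
window_status() {
    k_from=$(ossl_date_key "$1")
    k_to=$(ossl_date_key "$2")
    k_now=$(ossl_date_key "$3")
    if [ "$k_now" -lt "$k_from" ]; then
        echo not-yet-valid
    elif [ "$k_now" -gt "$k_to" ]; then
        echo expired
    else
        echo valid
    fi
}

# cert_status CERT.pem CLOCK: read the window from a PEM certificate.
cert_status() {
    c_from=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    c_to=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    window_status "$c_from" "$c_to" "$2"
}

# Usage: sh certwindow.sh "Nov 26 16:48:23 2008 GMT" cacert.pem SKGcert.pem
# The first argument is the verifier's clock in OpenSSL date format.
if [ "$#" -ge 2 ]; then
    clock=$1
    shift
    for pem in "$@"; do
        printf '%s: %s\n' "$pem" "$(cert_status "$pem" "$clock")"
    done
fi
```

Run it once with the stunnel host's time and once with the time the device reports; a certificate that is `valid` for one clock and not for the other points at the clock rather than at the way the certificate was issued.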
