Mike,

Okay, here's the simple way to test it. This is repeatable in Stunnel 4.56 and 5.00:

Start with a simple stunnel.conf:

debug = 6
fips = no
delay = yes
output = stunnel.log

[nntps.3]
client = yes
accept = 127.0.0.1:119
connect = news.eternal-september.org:563

Point your favorite newsreader to 127.0.0.1/119, then connect to the server.

Having done that, open the stunnel log window. From the menu bar, choose "save peer certificate".

Save the certificate, which will now be "peer-nntps.3.pem" in the stunnel directory.

Add certificate verification to stunnel conf:

[nntps.3]
client = yes
cafile = peer-nntps.3.pem
verify = 4
accept = 127.0.0.1:119
connect = news.eternal-september.org:563

Reload the configuration file.

Attempt to reconnect to the server.  The certificate verify will fail:

2013.09.20 11:12:35 LOG4[3964]: CERT: Verification error: unable to get local issuer certificate
2013.09.20 11:12:35 LOG4[3964]: Certificate check failed: depth=0, /description=z8x2a0S5FjpJGCa7/C=DE/CN=news.eternal-september.org/[email protected]
2013.09.20 11:12:35 LOG3[3964]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If you paste the certificate for the root CA into the peer-nntps.3.pem file, then it will verify okay.

I have a feeling you'll find something wrong with the certificate that's causing this to happen. The guy that runs the server
likes to "roll his own".

Best regards,

Thomas


On 9/20/2013 5:16 AM, Michal Trojnara wrote:
On 09/20/2013 10:10 AM, Thomas Eifert wrote:
Testing is the best way, for sure. In theory, L4 checks for the peer certificate only. Yet, I'm currently using at least one peer certificate that requires the top CA to be present in the .pem file. If I remove it,
L4 fails.  Go figure.

I wasn't able to reproduce this issue.  Could you send some more details?
A step-by-step procedure would be great.

Mike
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users



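The check that the stunnel manual describes for verify = 4 ("ignore CA chain and only verify peer certificate") written out as an added Python example. This is not stunnel's code and not part of the thread; it shows what a peer-only comparison looks like when it never consults an issuer, which is the contrast with the log above, where "unable to get local issuer certificate" at depth=0 is OpenSSL's chain builder reporting that it could not find the issuer of the leaf in the trusted store. The pin file is assumed to have the same layout as the saved peer-nntps.3.pem (one or more PEM certificate blocks), and the certificate bytes below are constructed placeholders rather than real X.509 certificates, since the check only cares about byte-for-byte identity of the DER.

```python
import base64
import hashlib
import re

# One "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block of a PEM
# bundle; the body may be wrapped with LF or CRLF line endings.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    ders = []
    for match in _PEM_BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))  # drop line wrapping before decoding
        ders.append(base64.b64decode(body, validate=True))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of a DER blob, colon-separated hex as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def load_pins(cafile_text):
    """Fingerprints of every certificate in the pin file (peer-nntps.3.pem in the thread)."""
    return {fingerprint(der) for der in pem_to_der_list(cafile_text)}


def peer_only_check(pins, presented_chain):
    """Accept iff the depth-0 certificate is pinned; issuers are never looked up.

    presented_chain is the list of DER certificates the server sent, leaf first.
    Returns (accepted, reason).
    """
    if not presented_chain:
        return False, "no certificate presented"
    leaf_fp = fingerprint(presented_chain[0])
    if leaf_fp in pins:
        return True, "depth=0 certificate matches a pinned certificate"
    return False, "depth=0 certificate %s is not in the pin file" % leaf_fp


def _fake_pem(payload):
    """Wrap constructed bytes in a PEM block (NOT a real X.509 certificate)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed stand-ins for the peer certificate, its root CA and an unrelated cert.
LEAF_DER = b"constructed-leaf-cert:CN=news.example.invalid"
ROOT_DER = b"constructed-root-cert:CN=Example Root CA"
OTHER_DER = b"constructed-other-cert:CN=impostor.example.invalid"

PEER_ONLY_PEM = _fake_pem(LEAF_DER)                      # "save peer certificate" output
PEER_PLUS_ROOT_PEM = PEER_ONLY_PEM + _fake_pem(ROOT_DER)  # the thread's workaround: root appended


def demo():
    """Run the peer-only check against both pin-file layouts and report each outcome."""
    results = {}
    pins = load_pins(PEER_ONLY_PEM)
    # Server presents leaf + root; only the leaf is compared, so the root is irrelevant.
    results["leaf_only_pins_leaf"] = peer_only_check(pins, [LEAF_DER, ROOT_DER])[0]
    # A different leaf under the same root is rejected: the root buys it nothing.
    results["leaf_only_pins_other"] = peer_only_check(pins, [OTHER_DER, ROOT_DER])[0]
    pins_with_root = load_pins(PEER_PLUS_ROOT_PEM)
    results["with_root_pins_leaf"] = peer_only_check(pins_with_root, [LEAF_DER, ROOT_DER])[0]
    # Caveat: every certificate in the pin file is an acceptable depth-0 certificate,
    # so a peer presenting the root itself would pass once the root is in the file.
    results["root_presented_at_depth0"] = peer_only_check(pins_with_root, [ROOT_DER])[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("%-28s %s" % (name, "accepted" if accepted else "rejected"))
```

The last case in demo() is the practical caveat of the workaround in the thread: a peer-only comparison accepts anything in the pin file at depth 0, so appending a CA certificate to the file widens what counts as "the peer". If the CA must be present for the connection to verify, keep that file separate from the pins you actually rely on, and confirm with the stunnel log which depth the failing check reports.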
